The Talent Shortage Epidemic in Cybersecurity

by Terry Vahey
The cybersecurity shortfall in the workforce remains a critical vulnerability for companies and nations, according to Intel Security.  In a report called Hacking The Skills Shortage, 82 percent of IT professionals confirm a shortfall in the cybersecurity workforce in companies and nations.

The FBI has predicted that cybercrime will be a massive crime wave and a national security problem unlike anything the world has ever seen.  Today, the IT security skills shortage is occurring right as the volume and sophistication of cyber attacks continue to rise.  This battle means that companies might be in danger of losing simply because they lack the manpower to deal with it.

There are several reasons for this problem.  One is the changing nature of cyber attacks.  The sophistication of the technology and tactics used by online criminals has outstripped the ability of IT and security professionals to address threats.  Another phenomenon is the expanding attack surface.  More things are connecting to the internet than people.  Last year, there were 5 billion cell phones, 2 billion broadband connections and 1 billion people who are on Facebook and Twitter.  By 2020, there will be 50 billion devices connected to the network.

The skills gap is so large it can’t be closed in a year or two.  Some experts estimate we are already 1 million security professionals short just this year.  In the U.S. alone, 209,000 cybersecurity jobs went unfilled in 2015.  By 2020, we expect the global cybersecurity talent shortage to reach 2 million.  Closing the gap requires a multi-year effort, innovative approaches, and collaborative efforts across industry and academia.  Higher education plays a critical role in solving this difficult challenge.

CyberGirlz Silicon Valley
Only 10% of information security professionals are women, and that needs to change. Offered by SJSU’s Jay Pinson STEM Education program, in collaboration with Facebook and local schools and afterschool programs, CyberGirlz Silicon Valley is a project that encourages girls in grades five through eight to participate in cybersecurity and computer programming activities during their afterschool programs. The project culminates with the CyberGirlz Silicon Valley Summit, an exciting event held at SJSU where girls from local schools showcase their cyber skills, engage in panel discussions with STEM professionals from local industry such as Facebook, Anomali, and Cisco, and test their cybersecurity, hacking, and teamwork skills in a Capture the Flag competition.

Virginia Lehmkuhl-Dakhwe PhD is director of the Jay Pinson STEM Education Program in the College of Science and leads the CyberGirlz program.  According to Lehmkuhl-Dakhwe, “We listen to the girls and adapt our methods based on what we’re hearing.  The girls come prepared as contributors, not attendees.”

Collaboration, ongoing funding, and partnership are key to the success of programs like CyberGirlz.  In addition to funding the program, partners like Facebook put skin in the game and provide bus transportation, chaperones and hands-on assistance with applications.  But sustaining a program for the long-term requires that cybersecurity becomes core in the educational curriculum in schools, afterschool programs, and at SJSU.  “We need more advocates and champions and a career path now for people who pioneer innovation in cybersecurity education,” said Lehmkuhl-Dakhwe.

The Silicon Valley Center for Big Data and Cybersecurity
Part of the College of International and Extended Studies, the Silicon Valley Center for Big Data and Cybersecurity was established in 2014 to provide interdisciplinary training to our students in the emerging fields of big data and cybersecurity, and to provide exciting and sustainable career paths into these fields to students with a wide variety of skill sets and interests.  According to Dean Michael Parrish of the College of Science, “SJSU has received a clear message from many of our corporate and government partners that the biggest unmet need in the coming decades will be in the areas of cybersecurity and big data science.”

Currently, a number of certificate and degree programs at SJSU are in various stages of development, most notably in Software Engineering, Computer Science, Computer Engineering, Management Information Systems, and the School of Information.

The global search for a skilled cybersecurity workforce requires unique strategies as organizations face shortages, and encounter stumbling blocks ranging from performance issues to the political climate.  Innovation and collaboration will be key to creating a new generation of cybersecurity professionals.

Cybersecurity Safeguards: How to Keep Your Identity and Your Information Safe Online

by Terry Vahey, Associate Vice President for IT Services, Chief Information Officer

While data breaches are a hot topic these days, most articles and statistics focus on “infiltration” – getting into a company’s network.  You may have heard about Target, Home Depot and other breaches in the past year.  There is very little information on how data is taken out – exfiltration. Just under 60% of data breaches are initiated by external actors – primarily hackers and malware authors. 40% of breaches are initiated by internal actors or are attributed to 3rd party suppliers and vendors.  Nearly half of those initiated by employees are reported to be intentional.

MS Office (Word, Excel, PowerPoint), CSV, and PDF files, the formats we use most at San Jose State, are the most common data exfiltration formats. Stolen information and identities could also come from general web surfing to malicious websites, social media, and phishing. About 40% of all data breach incidents involve the use of physical media, with laptops/tablets and USB flash drives being the most prevalent. A technology that offers the convenience of accessing photos from any device anywhere in the world, Apple’s iCloud can also be used by malicious third parties to expose your most private moments.

How does it happen?  There are several ways.  Attackers use a mix of legitimate and malicious tools and techniques to extract specific data from the target’s perimeter.  “Back doors,” intentional or otherwise, are mechanisms attackers can use to circumvent security controls. File transfer protocol (FTP) is a standard (insecure) network protocol used to transfer files and can be used to exfiltrate data. Attackers open their own browsers and can directly access information. Cybercriminals use this to easily gather these files for transferring data to which they don’t have legitimate access rights.

What can we do to protect ourselves?  There is no way to completely win the war on cybersecurity.  The bad guys and people with bad intentions are creative and will constantly find new ways to attack.  They generally have more time on their hands to poke at vulnerabilities most people don’t think about.  Sometimes the bad guys have full-time jobs trying to break into other systems.  Vigilance and precautionary steps are key to keeping you, your identity, and your information safe online:

  • Set strong passwords that use numbers, letters, and mixed case, are more than 8 characters long, and don’t contain words found in a dictionary, and don’t share them with anyone. http://its.sjsu.edu/docs/security/SJSU_%20Password_Standard.pdf
  • Don’t use the same password for all web sites. Make your bank password different from your work password, your email password different from your credit cards.  Be creative!
  • Use a password safe to keep your passwords secure so you don’t have to write them down. Here is a review of some of the best password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp
  • Keep your operating system, browser, and other critical software optimized by installing updates regularly. You can set this up in the settings so that updates are automatic, while still keeping the ability to confirm when an update starts so it doesn’t disrupt what you’re doing.
  • Install anti-virus software: https://anivirus.sjsu.edu  Along with computers, smart phones, gaming systems, and other web‐enabled devices also need protection from viruses and malware.
  • Maintain an open dialogue with your family, friends, and community about internet safety.
  • Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.
  • Limit the amount of personal information you share online, and use privacy settings to avoid sharing information.
  • When banking and shopping, check to be sure the site has security enabled. Look for the lock icon in your address bar. Look for web addresses that begin with “https://”, which means the site takes extra measures to help secure your information. “Http://” is not secure!
  • Be cautious about what you receive or read online. If it sounds too good to be true, then it probably is. If you are not expecting an attachment or a link from someone, don’t open it, don’t click on it!  Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete it or, if appropriate, mark it as junk email.
  • Report stolen finances or identities and other cybercrime to the Internet Crime Complaint Center and/or the Federal Trade Commission.
  • Take a few minutes to take the phishing training and awareness quiz: https://phishingquiz.mcafee.com/
  • Visit http://cyberaware.securingthehuman.org/ to access dozens of tools, videos and articles all related to security awareness and National Cyber Security Awareness Month.  Five of the most popular resources include:
  1. Securing Your Kids Handout –
    https://cyberaware.securingthehuman.org/securing-your-kids/
  2. Top 3 Takeaways from 2015 Security Awareness Report –
    https://cyberaware.securingthehuman.org/2015-security-awareness-report-takeaways/
  3. Phishing Planning Kit –
    https://cyberaware.securingthehuman.org/phishing-planning-kit/
  4. How to Use Mobile Apps Securely –
    https://cyberaware.securingthehuman.org/use-mobile-apps-securely/
  5. How to Use Social Media Securely –
    https://cyberaware.securingthehuman.org/use-social-media-securely/