We speak with Dr Eric Cole, one of the world's leading cybersecurity experts and Faculty Fellow at the SANS Institute, who explains the reasons for Asia's cybersecurity gap and how to fix it.
Three messages currently dominate the media on the topic of cybersecurity: the number of cyber-threats is increasing exponentially, the impact of these attacks is growing too, and organisations are ill-equipped to counter them. The final point is often attributed to a cybersecurity skills gap across the region. Whilst universities and professional training courses are trying to close this gap, the growing demand for cybersecurity skills suggests that the gap will likely remain.
Yet there is one man who sees things differently. He is Dr Eric Cole, one of the world's leading cybersecurity experts and Faculty Fellow at the SANS Institute. He argues that whilst there is a gap, it's not necessarily a gap in tactical cybersecurity skills, such as vulnerability scanning and patching, the kind of skills which are most commonly taught on training courses; instead it's something more fundamental.
Dr Eric Cole
"From my perspective it's more of a gap in a consistent framework in what it actually means to be secure," posits Dr Cole. "I bet that if we grabbed five cybersecurity experts and asked them to give us a one sentence definition of a secure organisation, we would probably get five different answers, and this is something I'm really focused on. What we really need to win in cybersecurity are consistent metrics that give us the visibility on what the risks are in our organisations and which risks are and are not acceptable."
That's where the problem lies. If cybersecurity experts themselves cannot agree upon a definition of what makes an organisation secure, how can an organisation's CEO or board level agree upon what is acceptable or not?
"What I see as I go around the world is that there are a lot of smart people that understand cybersecurity, but the problem is that most of their understanding is very tactically driven. To me, the big gap is how do you take the technical, tactical language of security and translate that into strategic executive metrics that the CEO and the board of directors can understand in order to make the right decision. What a lot of people don't recognise is that if you are not getting the security budget, the training, or the resources you need then there's a simple explanation: the executives do not view that as a high priority."
Dr Cole's point is that if IT security is communicated on the basis of the number of vulnerability scans performed, or the number of patches installed, CISOs will find themselves with little influence. "I do a lot of work with senior executives and they really could care less about patches; they don't even know what they are!" Furthermore, without a clear, understandable metric, executives are left with questions such as whether the absence of a cyber-attack means that the head of IT security is doing an adequate job, or, when an attack does occur, whether the head of security should be fired.