Adam Gordon is an IT educator and cybersecurity consultant with almost four decades of experience. In his work for ITProTV, the IT industry streaming education platform, he features as an energetic on-camera cyber authority. And as a hands-on IT and cybersecurity consultant, he helps governments, security agencies, and Fortune 100 companies around the world build and secure infrastructure.
Adam sat down with 4i-mag’s Mark Swift to shed some light on the cyber industry’s most pressing challenges.
4i-mag: Increasingly, executives and managers indicate concern about struggling to hire the right staff. Is there a skills shortage in the cyber industry, and if so, how can we tackle it?
AG: There definitely is a gap or a shortage. I don’t think anyone would argue with that, but I think what you often hear from people in the media, and in general, is that there’s this massive shortage.
Let’s start from the perception gap: we have a shortage, but we are addressing the shortage by training and skilling people.
The real challenge is that many of the HR functions that are trying to onboard people have not caught up with the language and the technology. Job descriptions and job roles are not well-defined in what is a dynamic, emerging, and changing field. We’re not effective because we’re trying to find things that don’t exist.
4i-mag: Can you give some examples?
AG: You see job descriptions that ask for people to have 10 plus years of experience working with a technology that may only have been around for 3 to 5 years. The people who invented that technology wouldn’t even meet the criteria.
For CISSP, which is one of the gold-standard credentials for information security, you need to have been in the industry for probably 5 to 10 years to gain that credential. But what we’re seeing more and more is that entry-level and mid-level information security jobs are asking for CISSP.
We’re telling stories that eliminate the possible pool of candidates because of inappropriate experiential requirements. I’m not saying that that happens everywhere, but I think it’s fair to say that it is one of the key symptoms driving misconceptions around the skills gap.
4i-mag: We see this in other industries too. The pandemic has transformed how businesses and entire sectors operate. In your opinion, what are the most pressing cyber industry challenges right now?
AG: Aside from the skills gap, perceived and actual, the continuing evolution of risk and how we frame and discuss what risk is in relation to a business. And this goes back to issues associated with the cyber supply chain and cyber threat management. I think the inability to specifically define and address risk in relation to supply chains, through a third-party perspective, has been a shortcoming for decades.
You have crime-as-a-service that has now become the de facto way that we interact with headlines around breaches. Criminal syndicates that are nation state-backed are attacking critical infrastructure and critical supply chains.
We are essentially fighting a cold war: it never really ended. We’re no longer fighting a politically, ideologically driven cold war. We’re fighting through proxies in the digital space. And we have been for some time.
Most average people just go through their lives. It’s not affecting them. But when I can’t get masks, I can’t get hand sanitiser, I can’t get a vaccine because it isn’t developed, you begin to see that these things are still there.
So, I think the key risks that we face are really in the space around supply chain and risk management. They’re in the space around critical infrastructure and our ability to secure it. And they’re in the space of resource management.
4i-mag: With issues from cyber spilling over into other domains, what do governments need to be anticipating, five or maybe ten years from now, to ensure ongoing security?
AG: Some of the things we’ve just touched on, like global supply chain management. Where are we sourcing from? How’re we securing those resources?
The next war that we fight, God forbid, the next major battle, is going to be over resources. We’re going to be fighting over the resources that we need to be able to continue evolving our technology. Strategic minerals are going to be one of those areas where we’re going to see a lot of conflict.
But then there are issues around privacy. What do we do around information and information management? The flow of information today knows no boundary. Trans-Atlantic cables, fibre optic transmissions don’t stop at borders.
This is why most companies, most countries, and most cloud providers today have geo-preferencing built into their service models. You can say, “I want a fence around my data, and I only want it to reside within the geographic boundary of data centres that are governed by laws that I want to be bound by.” GDPR is a good example of that, in relation to the EU.
4i-mag: We have started to see some changes in how countries deal with regulations around technology. What’s your take on the Biden administration’s Executive Order on Cybersecurity? How successful do you think it will be in improving security going forward?
AG: It’s long overdue. It’s definitely a huge foot forward. I think it’s going to have three effects at a high level that we can already see or anticipate.
We’ve seen huge shifts and churns inside the space already, over four to five months. We’ve seen new versions of existing frameworks being revised and updated, made available for public comment. We’ve seen new information standards emerge for initial public draft, like the software bill of materials, the SBOM. And we’ve seen shifts in the hierarchy and the management of infrastructure in the federal government and the military.
The second thing that’s going to come out of it, and that’s really interesting, is the broader implications for the private sector. The way that this becomes a kind of umbrella policy has great implications for risk management. And ultimately for cyber security and the supply chain space — if that momentum continues.
The last area is that I think it’s having an additional impact beyond the borders of the United States, in the digital domain. It’s put our adversaries and our partners both equally on notice: we have finally decided to get our house in order and we’re going to take these issues seriously.
I think it’s going to be very interesting in the broader landscape of geopolitics to see what the impacts will be in the coming years.
(This is an edited extract of a conversation held via video call)