If you look under the hood of modern security software, you will see a truly impressive feat of engineering. For at least the last three decades, the companies creating this software have been making impressive and truly innovative technology. Yet we still have security incidents that are growing in number and severity, such as the Equifax, Facebook and Yahoo breaches.
What cyber skills do we, as security practitioners, need to bring to the equation to continue improving products and protecting people?
5 Cyber Skills You Need on Your Team
While I feel confident that the technology aspect of security will continue to improve, it is the human aspect of security that we most need to address to meaningfully decrease the impact of cybercrime. The skills that will be most important in the industry as we move forward are those that address the way the general public uses security products.
Here are five cyber skills that will be essential for the future of security.
1. Understand How to Teach Security
Few people would argue with you if you stated that humans are the weak point in most security systems. Computers and connected devices are currently designed for ease of use more than they are designed for security. Security concepts can be complex, and recommendations for best practices are constantly evolving. As such, people need to be trained how to use devices safely.
Many businesses have little to no existing security training in place, and even in those that do, it may be suboptimal. Some companies cobble together their own educational materials without necessarily having much security or education expertise. Those organizations that choose ready-made security awareness training programs may not know how to determine which of these products are actually effective in helping employees prevent security issues.
This industry needs educators who understand current best practices for helping people learn, at least as much as they understand security best practices. Providing effective security awareness training will be a business differentiator in the coming years.
As more and more legislation requires businesses to have security training, more businesses will be required to purchase these services. The training programs that prove their utility as a cost-effective way to decrease the impact of security incidents will no doubt be highly sought-after.
2. Make Technology More Accessible
Most security practitioners will tell you that everyone needs to be protecting themselves online, and that we all need to be using some sort of security software. And yet, the products themselves are not always designed as if this were the case. There are millions of people who have issues making effective use of security products, including those with hearing or vision impairment, dyslexia, or colorblindness.
If customers have a hard time purchasing or using your products because your company has not designed for people with these needs, you’re simply leaving money on the table. This market segment is only growing more rapidly as the computer-using population ages. While many security vendors are more worried about adoption from the general public, those who come to market with effective and fully accessible products will have a major advantage over their competitors.
3. Improve Usability in Security Products
Perhaps because, historically, only the most technologically savvy consumers used security products, user interfaces in security products have been rather unapproachable for the average user. Successful user interface design is a mix of behavioral science, art and technology. This is an unusual intersection of skills, which is perhaps why it’s such a problem for so many technology products.
Good usability practices can greatly increase security and privacy all on their own. But improving usability in security products could also significantly improve adoption of these technologies. We can probably all bring to mind a product that we use that is truly a joy, because interacting with it is so natural and seamless. The more security technology can become a natural and painless part of people’s computing lives, the safer we all will be online.
4. Communicate Persuasively About Security Needs
There are certain things in life that are not fun, but totally necessary, such as paying taxes, getting a medical checkup or flossing your teeth. The consequences for not paying taxes tend to come swiftly, so most of us are pretty diligent about taking the time and effort to make sure they get done in a timely fashion. Until we hit a certain age, getting a checkup and flossing our teeth seem like things that are fairly low-consequence if we’re not as diligent as we should be. Many of us put these things off until the consequences scare us into action.
Security best practices, for most people, are a bit like flossing. Most of us know we should, though some people may not be totally clear on how important it is or how to do it properly. A growing number of us are having experiences with the consequences of a lack of security, but the message still does not seem to be sinking in.
While companies may not usually hire security practitioners explicitly for their ability to communicate persuasively, this skill is absolutely essential to getting the job done. If you’re the person who saves a company from a costly breach or embarrassing vulnerability because you managed to persuade the right people to allot the time and resources to fix problems — and appropriately communicate your success — you’re more likely to have a long and fruitful career in this industry.
5. Behave Ethically to Avoid Causing Harm
Because security practitioners deal with sensitive information and powerful tools, ours has always been a very trust-based industry. In most areas of this industry, behaving ethically has always been crucial to gaining the good reputation that’s needed to get a start. Now, we need ethics that go further than not directly causing harm to others; we need ethics that look forward and avoid introducing products or features that may harm others in the future.
Technological developments are never neutral, they are intended to cause change. Often, they’re meant to cause disruptive levels of change. Indeed, the current market demands we move fast and break things. But we’re starting to see how harmful and damaging that mindset can be. It may seem like a ridiculous idea to slow down enough to get a broader perspective and consider the potential ramifications of new features, but to be successful in the long term, we need to do exactly that.
Moving Into the Future of Security
The nuts-and-bolts level of security technology is rather impressive: Products are incredibly innovative and constantly improving. But there is only so far we can go to reduce cybercrime with these impressive and powerful tools. Much like the full power of computers was not realized until they evolved from complicated and massive machines into devices we willingly keep in our pockets, a sea change will not happen with security until the concepts and devices can be made a seamless part of our daily lives.
Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She watched as the internet grew from small, loc...