Kelly Jackson Higgins is the Executive Editor of Dark Reading, a leading cybersecurity news site and community. She has been a journalist in the IT field for more than two and a half decades, specializing in security for the past 12 years. As Executive Editor, she is responsible for the day-to-day news operation, including assigning and editing stories, and reporting and writing content, which can be found here. She is also responsible for supporting content and planning and moderating sessions for Dark Reading’s parent company UBM’s online and live events, including Interop and Black Hat. Ms. Higgins was named one of the top ten cybersecurity journalists in the U.S. by the SANS Institute in 2012 and 2014. She holds a Bachelor’s degree from William & Mary.
[OnlineEducation.com] How do you define cybersecurity as a field within the tech sector?
[Ms. Higgins]: Cybersecurity no longer can be considered a separate feature or function of technology. There’s been an evolution in software development—albeit still a work in progress in many areas—where security is part of the development equation. The hard lessons of retrofitting or adding layers of security to software and systems over the past few years made it painfully obvious that security should be a key element of any technology that has networked functionality or can be connected to the Internet.
Some security experts consider this new generation of the Internet of Things (IoT) and the plethora of consumer products that come with network connections as a tipping point for security. There are profound, high-risk privacy and physical security ramifications when you consider a connected car being hacked, for example.
Cybersecurity for now basically remains a field of its own within IT and computer science (but unfortunately, not always an integral part of computer science undergraduate curriculum). You can have a career in cybersecurity today, but most every other technology that involves software and Internet connectivity should include and consider cybersecurity. That’s the goal, but we’re not there yet.
[OnlineEducation.com] You’ve reported on what’s next for network security, as cloud computing, mobile data, and the IoT impact the way we use digital technology. Does that change the way we’re training the next generation, and even the current generation of cybersecurity specialists?
[Ms. Higgins]: I touched on this a bit in the previous question, but I’ll say it again in a slightly different way: all new technologies and next-generation technologists, developers and technology users should be trained in security risks and best practices. Just like we do with physical security.
A recent example of how this is changing: Underwriters Laboratories (UL), which is best known for its safety testing and certification for consumer electric products, is now doing the same for the cybersecurity of networked products. You won’t see that familiar UL seal anytime soon, but they as well as other certification labs are setting up these mechanisms for this new generation of networked products.
The UL certification program is for IoT products. There are other similar certs in the works, including International Computer Security Association Labs (ICSA) program for IoT vendors and consumers. But, no single certification program has become the “standard” yet for IoT. This is still a new field and a new concern.
[OnlineEducation.com] You’ve also reported on cybercrime gang activity, data breaches in the healthcare industry, and a ransomware scheme inspired by the Saw horror films. Do you see these as all being symptoms of the same overall failings/weaknesses in our cyber defenses, our attitude toward cybersecurity, or are there different causal factors?
[Ms. Higgins]: Criminal and nation-state hackers are basically just going after where the valuable data, money, and intel reside today, online. There’s a saying in cybersecurity that the bad guy only has to be right once, but you have to be right (and protected) all the time. What that means is that there are so many potential security holes for cybercriminals and cyber espionage gangs to infiltrate—unpatched and outdated software versions, old and insecure technology still running (like Windows XP, which is no longer supported by Microsoft but found in some industrial systems and even ATM machines), and unknown or zero-day bugs in software that no one but the bad guys know about, for example. And in most cases, an attacker dupes a trusting human being, the end user, who falls for a convincing phishing email or scam, and opens an attachment or responds with his or her credentials, or unknowingly picks up malware on a website.
Some organizations try security awareness training, but it’s really difficult to prevent a user from making a dumb mistake or from being duped or socially engineered into breaking normal security measures. Cybercriminals and cyber espionage hackers all go for the weakest link in the chain, and that’s typically the user.
Speaking of users, they are also plagued by password problems. The reliance of websites, applications, and even companies on password protection for access is the underlying problem, but users are notoriously terrible at creating and managing strong passwords. They still create weak, easily guessable ones, and reuse them across many of their online accounts. When you hear stories about a celeb’s Twitter account getting hijacked, and then his Instagram, and then his Facebook: that means he used the same password for all three.
On the business side, when an attacker steals a user’s credentials, they suddenly have a legitimate-looking foothold in the organization, making it difficult to detect their presence or even stop them from stealing information.
Another systemic problem is that the traditional security product/tool approach of detecting known attack characteristics is not sufficient in today’s threat landscape. Many organizations still struggle with moving beyond these older firewall and antivirus technologies as their main means of securing their organizations.
Security technology is evolving beyond the “we stop the attack” fallacy to detecting signs of an attack or attack attempt early in the process, before the attackers get embedded and start stealing information out of the organization.
[OnlineEducation.com] What do you see as the most significant factors shaping education and employment in the field of cybersecurity? Government policies? The speed of technological innovation? Economic forces? Social dynamics?
[Ms. Higgins]: That’s a great — and difficult — question to answer. I believe that it’s all of the above. Tech innovation always outpaces government policy, but government policy can help expedite some security measures, especially when it comes to regulatory compliance or government procurement requirements. That’s also an economic factor, of course.
[OnlineEducation.com] It would seem that cyber attacks are constant and that there will always be another breach or vulnerability to address. How do information defenders stay sane? Are people on the front lines of this battle going to have to accept a certain amount of chaos as the norm?
[Ms. Higgins]: That statement is absolutely true and why cybersecurity is a moving target (and such a hot field, to be honest). There will always be vulnerabilities in software — humans write it, and humans are imperfect, and software is complex. Bad guys are motivated to make money, so they up their game each time we raise the security bar.
Cybersecurity is one of the most wide open and hot career fields, and most likely it will be for some time to come. The catch is there aren’t enough trained professionals for all of the job openings in cybersecurity, so the onus is on the academic and professional community to provide more training and programs to fill these positions.
[OnlineEducation.com] There’s concern about the number of women in cybersecurity, and there are professional organizations and initiatives aimed at attracting more women to the field. Is it merely a matter of creating more awareness among women about jobs in cybersecurity, or are there actual and/or perceived barriers to entry for women?
[Ms. Higgins]: This is a topic I’ve covered very closely over the past couple of years. Interestingly, the number of women in the field has remained static at a disappointingly low 10% for the past two years, despite more women in executive-level and leadership positions in cybersecurity. That data comes from a report last fall from the International Information Systems Security Certifications Consortium (ISC2) and the Booz Allen Hamilton security and consulting firm, which also found an increase in the number of women joining the industry; it’s just that their numbers aren’t keeping pace with the overall security workforce.
There are many theories on this gender gap, including the way jobs are advertised (more technical than real-world impact, for instance), discrimination on the job, and salary disparity, to name a few. Women make nearly 5% less than men in the one sector women dominate versus men, the governance, risk and compliance (GRC) sector. According to the ISC2, a woman’s average salary in a GRC gig is $115,779 and a man’s is $121,513.
As a matter of fact, I’ll be hosting the second annual women in security luncheon at Black Hat USA 2016 in Las Vegas in August, where a panel of distinguished and accomplished women in cybersecurity will discuss how to remove the roadblocks to diversity in the industry. It’s not just women who are underrepresented: minorities are as well. We’ll be attempting to hack this problem in our panel discussion. Here’s a link to this: https://www.blackhat.com/us-16/womens-panel.html