A Cyber Vaccine
In medicine, vaccines are used to prepare the body to attack viruses and treat illnesses. Pharmaceutical companies do not develop, trial, and release vaccines for a single patient; they target strains of disease that affect many. The time, effort, and resources spent developing cures need to have an impact at scale, treating the most people. In cybersecurity, where professional resources are particularly limited, the same need for scale applies: we have both systems and people to protect against a growing and often inconceivable number of threats and attacks.
At the medical level, even the development of vaccines and modern medicine couldn't stop the hordes of people (nearly 1 million) dying from diarrheal disease every year due to poor basic hygiene. In cybersecurity, despite the explosion of spending on defensive technologies and tools, there has been a push over the last several years to prevent a large percentage of cyber attacks through general employee awareness training. These programs, much like hand washing, ensure proper systemic hygiene by mitigating, to an imperfect extent, the human component of the risk and threat landscape.
A Baseline Compared to a Flatline
In medicine there is no confusion as to what constitutes a physician. There is a clear standard as to what constitutes a board-certified medical doctor, and further one of 20+ specialties and subspecialties. In the relatively nascent field of cybersecurity, the absence of a standard baseline of competency is giving the industry a dangerous fever.
Having standards in place makes it possible for doctors to choose their specialties (in part) following rotations. Despite the constant evolution in the knowledge behind the medical industry, today's crisp white lab coats still have relatively predictable and navigable career paths.
Simultaneously, the cybersecurity industry struggles to hire, promote, and retain talent, resulting in an astonishing skills gap expected to grow to 3.1 million worldwide by 2020. The fact that cybersecurity is a new field and that technology is constantly evolving are not reasonable excuses for why practical standards and definitions for the various roles have not been, or cannot be, properly developed. Cybersecurity has a great deal to learn from medicine in this vein.
Cybersecurity’s Bedside Manner
Over the last decade, medicine has had to adapt in some ways. One of the most pervasive examples of a recent development in the industry was a rapid increase in the value (or liability) of medical bedside manner. In the past, excellent bedside manner was a nice-to-have feature of any physician, but not necessarily one that changed patient behavior in selecting a physician.
It was often believed that the human side of medicine (connecting with patients, showing compassion, being a communicator) consisted of qualities that were unimportant and could not be taught. Fast forward to the 21st century, and patients can share their opinions through online reviews. While expertise will never be overlooked, patients with a choice between Dr. Alice and Dr. Bob might make that decision based on a five-star review over a two-star review. Dr. Gregory House may be brilliant, but his abysmal bedside manner may prevent him from booking a single appointment in today's environment.
Cybersecurity is also viewed as a field of specific knowledge and skills in technical areas. While tech-savvy engineers are in high demand, soft skills like interpersonal skills and team management are rising in importance by the day. Practitioners with strong business and communication skills are advancing quickly into leadership roles. Consider Elliot Anderson, Mr. Robot's talented senior network engineer (and vigilante hacker): he is brilliant, but no Fortune 500 company would want him in a CISO or CIO role. He doesn't have the bedside, or rather boardroom-side, manner that it takes to excel.
The Never Ending Journey
Both doctors and cybersecurity professionals need to keep up their skills as there are constant advances in each field. As we’ve mentioned, all MDs have the same training, but as doctors advance in their fields, they are often required to pursue additional training. For example, a neurosurgeon requires a yearlong internship plus a 6-8 year neurosurgical residency, all after 4 years of college and another 4 years of medical school. Then, in order to stay current on medical and technological developments, he or she will attend industry conferences or review medical journals on a consistent basis.
Cybersecurity professionals acknowledge that skills in their industry require upkeep as well. There are always going to be new threats, new vulnerabilities, new technologies, and new requirements (read "regulations"). Not only are continuing professional education (CPE) credits required to maintain the most in-demand cyber certifications, including the CISSP, CISM, CEH, and Security+, but the new knowledge is also paramount to professional success.
Maintaining the Health of Your Organization
In medicine, all roads lead to life expectancy and quality of life. For the cybersecurity industry, we have a similar ultimate goal. Ensuring every individual has a cyber education baseline, followed by specialized knowledge by role, will ensure resilience and ultimately the quality of life of every organization.