Predictions for Cyber Security in 2016


TEAM:

Editor-in-Chief: Joanna Kretowicz
Editors: Marta Sienicka, Marta Strzelec, Marta Ziemianowicz
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Marta Strzelec
Cover design: Marta Sienicka

Art used on the cover by Jack Moreh

Publisher

Software Press Sp. z o.o.
02-676 Warszawa, ul. Postępu 17D
Phone: 1 917 338 3631
www.eforensicsmag.com
www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or

Dear readers,

We are approaching the end of the year, so it is time to think about the future and the year ahead. We are pleased to present you our very special project created by joint forces of eForensics and Hakin9 Magazines – “Predictions for cyber security in 2016”. This special edition was based on interviews with representatives of companies that had agreed to participate in our project.

We would like to give our most sincere thanks to all the participants of this project. You made this possible and without you we wouldn’t be able to make this unique edition.

Additional and very special thanks to the Proofreaders who helped with this issue. Your involvement and support of the creation of this magazine is invaluable. Thank you.

The cyber security field is evolving at a rapid pace, constantly changing and influencing our lives unnoticed. Will year 2016 be revolutionary for cyber security? How will recruitment in IT change, what new threats will appear in the new year, will Internet of Things influence cyber community? In search of answers to these questions, our guests went on an unexpected journey through thirteen different sections. Armed only with their own experience, they confront the most difficult questions tormenting experts on cyber security.

Do you want to find out if they succeeded? Uncover secrets of cyber security and prepare yourself to face new year! Read our new issue and get all the answers you were looking for!

As this is our last issue in 2015, we would like to thank all of our readers for their continuous support for both our projects. Without you we wouldn’t be here, doing all this amazing work to bring you the best content we can. We hope we will be able to be even better in 2016, and with that we wish you all the best in the coming year.

Thank you for all the support.

Sections and questions

Top 2015 events
• What were the most important things that happened this year?

Recruitment
• What will change in the talent pool?
• Will talent shortage in the industry continue to grow?
• What new challenges will recruiters have to face in 2016?
• What new challenges will people looking for work in cyber security have to face?

Training
• What role will formal education play in 2016?
• Will certification keep its role as the main tool to confirm skill and expertise?
• Will we see a more unified standardization of education and skills?
• Will online courses influence the level of education in security field?

Threats
• What threats that emerged in 2015 will remain relevant in the next year?
• Which threat group will see the biggest growth in 2016?
• Can you see any old and forgotten threat coming back in the next year?
• Will threat landscape be affected by international efforts to combat terrorism?
• Will cyber security in healthcare remain a relevant topic?
• Will security in automotive industry keep on causing trouble?

Mobile
• Which mobile phone will be the most secure one?
• What kind of vulnerabilities will affect mobile phones in 2016?
• What security measures we should use to protect our mobile phones in the next year?
• What risks will mobile industry face in 2016?

Internet of Things
• Will IoT force the industry to change?
• What kind of challenges will IoT face in the next year?
• How will IoT influence cyber community?
• Will we see the security for IoT emerging along new IoT solutions, or will we have to wait?

Tools of the trade
• How will tools evolve in 2016?
• Will the trend to eliminate passwords continue?

Areas of security
• What are your predictions for network security in 2016?
• What are your predictions for software security in 2016?
• What are your predictions for hardware security in 2016?
• What are your predictions for cloud security in 2016?

Industry
• Will 2016 belong to start-ups or big cyber security corporations?
• Will cyber security events remain an important part of influencing the development of cyber community and companies?
• Will we see more state-level cooperation in 2016?
• In which industry will we observe the biggest demand for cyber security services?
• What do you think will change in the cyber security market in your country?

Cyber security awareness
• Will the cyber community influence the level of cyber security awareness?
• How can we work towards improving cyber security awareness in 2016?
• What obstacle in awareness will remain unsolved?
• What role will awareness play in corporate cyber security?

Miscellaneous
• Predictions for cybersecurity

Advice
• What advice would you give to fellow cybersecurity professionals going into 2016?

Contributing companies

Wade Johansen, CouriTech LLC: C&C Botnets go public - DorkBot and the like have become a business model; they cost only $50 to buy in • The Anthem and eBay hacks - along with Target, Home Depot, JP Morgan, etc. • The implementation of private peer-to-peer social networking clouds with unbreakable encryption • TOR has 5% or more of the exit nodes hacked and infiltrated by the NSA • VTech's hack - stealing children’s identities. C'mon? This will have consequences we can’t even measure yet.

Amit Serper, Cybereason: We’ve been seeing massive data breaches pretty consistently for the past few years, so really, 2015 was just more of the same. However, if I had to pick specific breaches that stand out, the ones that come to mind are, first and foremost, the Hacking Team breach • Aside from the irony of a “surveillance” company getting hacked (and learning how lax their own internal security was), the fact that State-of-the-Art hacking tools and several Zero Day attacks were released into the wild have and will continue to have long term consequences. One of the Zero Days effectively killed Flash, and of course, having all these resources available for consumption lowered the (technical) skills bar for potential cyber criminals to enter into the game • Next comes the Ashley Madison hack - aside from it being one of the highest profile ransomware attacks, it shows the impact that a data breach can have on people's lives - suicides occurred, jobs were lost, families and reputations were ruined. Most companies approach cyber security from a cost-benefit perspective - is it cheaper to fix the security problem or deal with the fallout from it? In this case, how do you quantify the damage done to Ashley Madison customers? Is that something you can even attach a number to?

Mark Bennet, Blustor: The U.S. Office of Personnel Management (OPM) lost nearly 5.6 million fingerprint records in a cyber security attack in 2015. While this event went largely unnoticed by the general public, it highlighted the tremendous risks associated with biometric security when an individual’s biometric templates are not properly protected. For the unfortunate employees impacted by this incident, they can never replace their fingerprints • Just recently reaching the awareness of the mainstream media, hospitals and medical device manufacturers are being shown to be woefully unprepared. A recent article in Bloomberg Business, entitled “It’s Way Too Easy to Hack the Hospital”, is one of many articles emerging in recent months that tells a rather bleak and frightening story related to the vulnerability of medical devices to remote hacking. It is clear that there is a high potential for catastrophic incidences that are likely to result in serious injury as well as large scale identity theft.

Paul Shomo, Guidance Software: RATs Ran Rampant: (Remote Access Trojans) evolved and proliferated to the point that they were seen in forensic investigations of some of the most high-profile hacks of the year,

CYBERSECURITY 2015 TOP EVENTS

What were the most important things that happened this year?

Leon Kuperman, Zenedge: 2015 RSA Conference where we introduced ZENEDGE to the world • www.newbingobilly.ag - longest running DDOS campaign that we are aware of, lasting for almost one year; the attacker has failed at bringing down the site but continues to try on almost a daily basis • ZENEDGE introduces RapidBGP, which allows for sub 60-second DDOS mitigation in the cloud for network protection • ZENEDGE launches Toronto Mitigation center, the first large scale mitigation center in Canada for customer adoption • Complex multi-vector attack by Armada Collective, hitting many companies with DDoS for ransom Bitcoin. Our customer was hit with seven attacks in a one day period in Q4, key shopping season including: Chargen, UDP Flood, SSDP Amplification, NTP Amplification and Layer 7 application attacks. We have now seen Armada Collective on five separate occasions.

Shay Zandani, Cytegic: The OPM breach – because of the consequences to its management and the fact that it was a direct and public hit on a government entity • Anthem Breach (alongside Premera and Blue-Cross Blue-Shield) – because of the scale of the attack and how it emphasized the forecasted trend of PII and medical data theft • Ashley Madison Breach – because it is perhaps the most significant internal breach since Snowden – it emphasized the importance of the internal threat • The “Cyber-War” between Iran and Saudi-Arabia over Yemen – because it showed very clearly the correlation between physical wars and cyber wars, and the mobilization of hackers to support their governments • The US Military Kills the ISIS Hacker and Recruiter that Attacked Them – because it emphasized the fact that cyber-warriors are valid targets for physical attacks and that they are an integral part of the war.

Mitchell Bezzina, Guidance Software: The Human Perimeter Remained Too Permeable: Human error opens more doors to hackers than technical shortcomings. Whether clicking on a phishing email, failing to install security patches on a regular basis, or leaving a laptop with patient healthcare records in a place where it can be easily stolen, humans regularly hand over the keys to the data kingdom—or leave them lying around where they can be readily obtained • Following suit is Australia, releasing a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 in December that affects any domestic or foreign organization that deals directly with Australian consumers

Richard De Vere, The AntiSocial Engineer: The TalkTalk Breach! (and discovering it) helped place cyber security on the radar for the average person. Infosec left the boardrooms and had free rein of the TV • Old issues making a comeback - Crossdomain Abuse, SQLi • BSIDES in London was my favourite event/con • Software - The release of Kali 2.0 hasn’t changed the world but it’s nice to see the GUI updates • SE-TOOLKIT - Mr Robot Edition (In fact, Mr Robot was the highlight of my year).


Irfan Shakeel, EH Academy: Helped more than 3000 people to become effective computer forensics examiners; training, certification and relationship with the industry have been provided to them.

Rajeev Chauhan, Cyber Oxen: Sony Hack and Retaliation • OPG Hack • Cryptolocker malware • Identity Theft • Cyber Espionage.

Dennis Chow, Millar, Inc: Blue Cross Blue Shield Anthem Data Breach • New Cyber Threat Intelligence initiatives • WITCHCOVEN Campaign • Remote Jeep Hack • FTC enforcement of Cyber Security to companies.

Francisco Amato, Infobyte: ekoparty • troopers • kiwicon • shakacon • chaos communication congress.

Amber Schroader, Paraben Corporation: EnFuse 2016 • PFIC 2016 • Techno • HTCIA 2016.

Przemek (Shem) Radzikowski, Secbüro Labs: Ashley Madison Hack • Black Hat USA • First 400+ Gbps NTP reflection DDoS attack • APT28 • TalkTalk hack by 15yo.

Nick Prescot, ZeroDayLab: Talk Talk breach – an obvious choice, but perhaps more than any other • Safe Harbour re-alignment • EU General Data Protection Regulation • Ashley Madison (mainly for the impact) • Sony Pictures.

BroadTech Security Team: A bit difficult to limit to five. Google Deceptively Tracks Students’ Internet Browsing • Pentagon Cyber Attack • Kaspersky Security Breach • Hacking Team Breach • $1 Billion theft from banks • Ship Data Records Vulnerability • Kaspersky, McAfee, AVG vulnerabilities • Industrial System Control Gateway vulnerabilities.

David Clarke, VCiso: Talk Talk Breach • Ransomware • School Breaches • Mobile Vulnerabilities • Mobile Security.

Stephan Conradin: Theft of sensitive data • Privacy concerns with Windows 10.

Paul Hoffman, Logical Operations: Two Steps Ahead - Rochester. December 8th, 2015 • ISSA Conference, October 2015 • Dispelled Rumor of MAC OS being safe, as it accounted for the largest proportion of vulnerabilities in first quarter 2015 • The State Dept. is breached by Russian hackers.


Roberto Langdon, Nicolas Orlandini, KPMG: As part of our Security Services to customers, we were dealing with networks with unappropriated protection, the Internet of Things is leaving really black holes in the information management and information gathering, people working so far from the existing standards such as ISO 27001 and ISO 27002 mainly, and the lack of security awareness implemented as a continuous process inside the organizations. Most of them are still reactive instead of being preventive. And most of them know nothing about ISO 270037 • Technology considerably helped the business and mainly the users interacting with it, and as one of the key issues is privacy, it is almost more frequent to find ethics codes violation and frauds carried out by people who understand that the digital equipment that they use can “protect” them against these types of investigations. Neither workstations nor smartphones are outside the scope of investigations, and they have key valuable information. • Increase in amount and depth of data breaches • Dark web, Mobile forensic, data encryption and IoT as challenges for forensic teams • Cloud data collections • Black-Hat 2015 Las Vegas • Lack of Cyber Security/Cyber Forensic Investigators personnel.

Craig McDonald, MailGuard: Anthem. In March, this health insurance company suffered an attack that compromised 78.8 million customers’ records from December 2014 onwards. Data affected: names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data. The data was not encrypted, according to reports • Although smaller than the Anthem attack, the attack on 21.5 million records in the database of the US Office of Personnel Management (OPM) is significant because of the type of data accessed – personal information, background checks, names and addresses and a million fingerprints of US Government employees. It is believed that Chinese hackers were responsible • UK telecom company, TalkTalk, suffered an attack that compromised four million records, estimated to be the seventh largest attack (to September 2015), apparently through a third party call centre in India • Australian Bureau of Meteorology breach reported publicly in December this year. There is no clear picture yet how much the breach will cost to fix or how long it will take – but insiders estimate years and hundreds of millions of dollars. And the critical nature of the bureau's services means its systems cannot be switched off for repair.

Michael A. Goedeker, Auxilium Cyber Security: OPM Breach • DEASH (ISIL-whatever) using social media for targeting soldiers • Ukraine Hacks (our story on the „Fire Sale” hack) • The fight for balancing surveillance and privacy • The Beginning of IoT as mainstream (and additional security holes and lack of it) • Increasing vulnerabilities and attacks on global and national critical infrastructure


Rick Blaisdell: Kaspersky Lab revealed in June that it had discovered an infiltration in several of its internal systems. The attack, also named Duqu 2.0, was believed to be a nation-state-sponsored attack, whose other victims included events and venues with links to world power meetings, including negotiations for an Iran nuclear deal. The Moscow-based security vendor said the compromise included information on the company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services • LastPass got hacked - LastPass is a very well known provider of cloud-based single sign-on and password manager. Enterprise administrators around the globe use it to manage and secure passwords across their infrastructure. However, in June, LastPass CEO Joe Siegrist admitted in a blog post that a network compromise resulted in the theft of customer email addresses and password reminders. Even though the passwords were encrypted, and there was no evidence of customer data being exposed, LastPass required all customers to change their master passwords the next time they logged in • Pentagon failed to offer small firms cyber security resources - The US Department of Defense (DOD)’s Office of Small Business Programs (OSBP) has failed to offer cyber security options to protect the companies it does business with, according to a report from the US Government Accountability Office (GAO). Small businesses, including those that conduct business with DOD, are vulnerable to cyber threats and may have fewer resources, such as robust cyber security systems, than larger businesses to counter cyber threats • The breach at Harvard University, following in the footsteps of eight other education breaches this year, highlighted growing security concerns around the higher-education market. The breach affected as many as eight schools and administrative offices, though it remains unclear what information was accessed by the hackers • When it comes to the health-care industry, health insurer Anthem revealed a breach in February that exposed an astonishing 80 million patient and employee records. Anthem said the breach occurred over several weeks, beginning in December 2014, and could have exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. It said it did not believe banking information was taken. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.

Kenneth C. Citarella, Guidepost Solutions: In no particular order, we cite these as the most significant cyber security events in 2015: The Office of Personnel Management intrusion • Cyber security talks between the U.S. and China, including China’s arrest of several men alleged to have intruded into U.S.-based systems at the request of the U.S. government • The Third Circuit Court of Appeals upholding the authority of the Federal Trade Commission to sue over cyber security failures under its consumer protection powers. A company may be engaged in an unfair trade practice if it does not live up to its cyber security promises • The beginning of regulatory efforts to mandate cyber security standards in certain industries • Known weaknesses and poor security habits continue to be major attack vectors.


Anthony Di Bello, Guidance Software: Breaches Abounded: Almost 90 million healthcare records were breached causing $272 million worth of losses to leading United States healthcare organizations. The lesson learned is that healthcare records are extremely valuable to cybercriminals • Emergence of Endpoint Detection and Response (EDR) security technology category — while technologies focused on providing security visibility and incident response capabilities for endpoint have existed for some time, 2015 marked a critical mass in both the need for and emergence of several start-up technologies focused on these capabilities. These vendors span established EDR players, such as Guidance Software, legacy security vendors coming into the space through acquisition, such as Palo Alto, and start up technologies, such as Cylance. These offerings fill a critical gap at the endpoint left by older technologies, such as anti-virus and host-based IPS • Data Notification Requirements – The US Government began the first steps in creating one Federal breach notification law with the Data Security and Breach Notification Act of 2015 which received both public backing and some initial opposition. The US is not alone, the EU Council found common ground with Members of the European Parliament and put an end to fragmented requirements for minimum security measures and breach notification requirements across critical service organizations in resources, transport, finance, and health. This comes after the heavily publicized advancements in the EU General Data Protection Regulation to enhance data protection rights of EU consumers for any organization, worldwide, storing personal data.

David Coallier, Barricade: VTech's data leak • Ashley Madison's data leak • The iCloud leak • The rise of the internet of things and the internet of vulnerabilities • Ransomware and boot kits.

There were plenty more very important leaks, during this last year. What we find interesting is most of the attacks fall into common categories, such as people still using insecure passwords and executives that do not understand the current technological landscape.

The rise of ransomware and their exponential growth is interesting as it allows us to witness the evolution of computer viruses and criminal groups in near real-time. A new player in town, the boot kit, is promising an interesting turn of events for 2016 • Meanwhile, the Internet of Things is left very vulnerable because efficiency and simplicity of use took priority over security, leaving a lot of early and late majority of the tech adopters at risk. The so-called advanced persistent threat is still the industry's poster child and as state-sponsored attacks and cyber-espionage grows, we'll probably keep hearing a lot about APT in the next year alongside its lack of security workforce.


Wade Lovell, Simpatic: Revenge Porn – Hunter Moore “who operated the Internet’s best-known ‘revenge porn’ website was sentenced to 30 months in federal prison for hiring another man to hack into e-mail accounts to steal nude photos that were later posted on his website.” This seems a little like sentencing Al Capone on tax evasion charges, satisfying but incomplete • Angler is an extremely capable and readily available exploit kit used by criminals to run choice cuts of the latest Flash, Java, and browser exploits targeting un-patched users. Hackers add exploit kit to article asking 'Is cyber crime out of control?' “Hackers have hosed an article published by The Guardian using the world's nastiest exploit kit Angler to pop the machines of exposed readers. The attack firmly answers the article's headline, positing the question 'is cybercrime out of control', based on arguments in a book by one Misha Glenny.” • VTech Breach – accounts of 2.9 million kids hacked. This is the type of hack no one seems to talk about because it doesn’t directly involve credit card and social security numbers • Georgia’s Secretary of State released confidential information to a dozen entities on 6 million Georgia voters, including driver’s license information, Social Security numbers and dates of birth, and didn’t notify anyone, according to a lawsuit. “The Georgia Secretary of State, Brian Kemp’s office is being sued by two Georgia women who claim that the Secretary's office released personal information that involves 6 million Georgia voters. Mr. Kemp’s office has communicated that … due to what they are calling a "clerical" error, individual voters personal information was included in these files… According to the lawsuit, Mr. Kemp’s office never notified individuals regarding the breach, nor did they contact the consumer reporting agencies.” • Organized Criminal Hackers stealing $1 billion directly from banks. “… a gang of international hackers have stolen as much as $1 billion from 100 banks across 30 countries by installing malware that allowed them to take control of the banks' internal operations.”

Gerald Peng, Mocato: Anonymous taking down ISIS social media profiles, November - December 2015 • Ashley Madison hack, July - August 2015 • In June 2015, US Office of Personnel Management (OPM) discovered that the background investigation records of current, former, and prospective Federal employees and contractors had been stolen. OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases • Stagefright Bug (all versions) for Android phones, July 2015 • International Conference on Cybersecurity, January 5 - 8, 2015, New York City, NY, United States.


WHO IS WHO

Amit Serper
Cybereason, Lead Mac OS X security researcher

Amit is an Information security researcher specializing in embedded Linux devices. His role at Cybereason is to develop novel methodologies for identifying complex hacking operations. For over a decade he led security projects for a government agency in Israel, specializing in the security of embedded systems. Amit is known for his "out of the box" thinking and is renowned for his shell popping abilities on embedded devices such as routers, IP cameras and even home irrigation systems. He has won several Blackhat pen-testing challenges.

Irfan Shakeel
EH Academy, CEO and Founder

The founder & CEO of ehacking group. An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. With more than 7 years of professional work experience, he is creating new Infosec ventures and businesses around the globe.

Michael A. Goedeker
Auxilium Cyber Security, CEO and Founder

I am passionate about technology, teaching and people! My interests, passion and research includes: Cyber Security, Operations, Leadership and Training up to DoD/Mil level (includes every aspect of IT). Author and researcher at the front end of Cyber Warfare, Espionage and Crime, researching in Academia, Press and Security Professionals Globally. Entrepreneur with solid operations and financial background. Easy to work with, people person that sees talent, develops it and can establish rapport with almost anyone.

Richard De Vere
The AntiSocial Engineer Ltd, Principal Consultant

Richard is the Principal Consultant for The AntiSocial Engineer Ltd, has an extensive background in penetration testing and social engineering, including „red team” exercises and information gathering assessments.


Richard De Vere, The AntiSocial Engineer: As more and more people fill the shortage we have across the world for well trained and experienced security vendors and testers, we will start to see the number of inexperienced testers rise.

Michael A. Goedeker, Auxilium Cyber Security: Skills needed and the way we look for people for „cyber” security space. Cyber security is dynamic, so we are looking for people that can think outside the box and make complex things simple.

Elizabeth Houser, Praesidio: As more people become aware of the ongoing trends in cybersecurity and the increasing opportunities the industry offers, we’ll see an uptick in people desiring a career shift. This will especially become noticeable as expansion of the IoT requires input from experts in other fields.

Wade Johansen, CouriTech LLC: Virtualization skills and multitasking abilities are (and will continue to be) a „must-have” talent. The days of specialization in one service domain alone seem to be rapidly coming to an end. Mobile device management and maintenance is also a skill every tech should start getting familiar with.

Kris Rides, Tiro Security: I think we will see larger companies moving internally / hiring people in alternative IT positions and cross training them into Security. So expect to see hiring of Infrastructure and Development staff to increase further.

Chase Cunningham, Cynja: Unfortunately, nothing. There will continue to be a vast lack of resources with respect to real cyber security operations personnel. This will continue for at least the next five years, probably much longer.

That’s why it’s important to encourage kids to be safe online and learn about technology. My hope is that if we start inspiring kids to join us in fighting the criminals online, that shortage will be non-existent by the time our kids move out of the house. Looking 20 years down the road, if one person says to me they chose cybersecurity as a profession because of me, then mission accomplished.

Dennis Chow, Millar, Inc: There will be increased requirements for new skills to help defend against modern attackers. Certifications and skills considered ‘advanced’ now will soon become standard in the future, such as malware reverse engineering and exploit creation capabilities.

RECRUITMENT

Rick Blaisdell: The increasing volume and detail of information captured by enterprises, the rise of multimedia, social media, and the Internet of Things will fuel exponential growth in data for the foreseeable future. At the same time, the rising demand for data scientists and the resulting pressure on the analytics labor market is increasing the need for analytics talent as more companies with more data to sift through discover they are trying to hire the same workers.

Mayur Agnihotri: Talent pool constrained on cyber security recruitment as cyber security (Information Security) budgets expand rapidly. “Cyber security (Information Security) industry is facing a new threat: hiring” - Worldwide situation. Company faces cyber security (information security) talent costs more than other IT positions.

Andrew Bagrin, My Digital Shield: There is already a lot of very average security talent in the industry and very few great talent. We are running this industry somewhat handicapped. I predict it will only get worse as more talent is desperately needed and great talent is very hard to find.

Roberto Langdon, Nicolas Orlandini, KPMG: There is a shortage of professionals who can meet the specific requirements to be an investigator. This will require professional knowledge about networking, security, IT infrastructure, plus “life” experience. And all of the above, under strictest ethical codes and confidentiality. A forensic investigator must be hungry for investigation.

In order to build qualified professionals, it is required to make more disclosures and training courses to motivate the IT security professionals to enter in this amazing world.

Przemek (Shem) Radzikowski, Secbüro Labs: Given the immediate requirement for cyber security professionals, many people will try to reskill and transfer from their existing professions to fill the gap.

Julie Herold, Kenny Herold-Odin’s Eye: Colleges are recognizing the value of IT Security Professionals; eventually we will see a drastic increase in the number of qualified personnel. Although there is a strong belief that acclimation to this type of profession in the field, it is worrisome at best.


Paul Hoffman, Logical Operations: As breaches get more serious, companies will start to pay more for skilled people.

Wade Lovell, Simpatic: Some undergraduate programs have picked up the baton and are offering an emphasis in cyber security. As students matriculate from these programs, the talent pool will increase at a pace slightly ahead of the churn rate.

Mitchell Bezzina, Guidance Software: Information security leaders will begin to see a new generation of fully mobile workers coming into the workplace who have an instinctive understanding of privacy issues because of social-media hacks and problems they’ve all encountered, but who are not used to being restricted in their practices within large organizations.

Einaras Gravrock, Cujo: The demand will continue to outstretch the supply. An increasing number of IT specialists will repurpose themselves to fit the demand.

David Clarke, VCiso: Audit will take a higher priority as more and more cyber services are outsourced.

Paul Shomo, Guidance Software: Talent availability will increase, but be outweighed by demand. Closely related careers, like computer forensic examiners and network specialists, will seek opportunities in Security as methodology, concepts and practices are closely related, however, they will require in-depth training and time to gather experience. We’ve seen this in other high velocity emerging markets and cyber security is still three to six years away from having a “normal” ratio of availability vs demand.

Dotan Bar Noy, Re-Sec Technologies: Cybersecurity workforce shortage is expected to reach 1.5 million by 2019 according to Michael Brown, Symantec CEO. While the growth in the need for talented experts in all sectors will drive an increase in professionals in the long run, we are still going to struggle in the next few years.

Amit Serper, Cybereason: In 2016, the shortage of skilled security pros will result in a more diverse workforce.

BroadTech Security Team: More people are going to go after certification rather than acquiring necessary knowledge and skill in hyped up technologies, especially.


Anthony Di Bello, Guidance Software: Vendors and industry experts need to support the efforts of universities to create and deliver the required curriculum for success in the ever-changing information security landscape. Through the provisioning of software, assistance in curriculum development, and support through industry events and competitions the community can give back, and help create the next generation of infosec pros.

Ondrej Krehel, LIFARS: More talented people, as well as people going for the name. Overall, I see a dilution in talent as companies do not want to spend money on good resources.

Stephan Conradin: Security becomes more complex because business and technologies change very fast, so real talent pool will become shorter.

Nick Prescot, ZeroDayLab: Existing consultants • New consultants will start on a different track-level, following the new known trends and identifying others in the emerging world of Internet of Things.


Michael A. Goedeker, Auxilium Cyber Security: I don’t see a talent shortage, just prices being ruined by big companies that overcharge for bad work. This does not allow smaller companies to earn enough to attract good people because for some illogical reason, customers “trust” big names without verifying them (bad for security in general).

Richard De Vere, The AntiSocial Engineer: I think for the foreseeable future we will not meet the demand for information security professionals. The need for these testers is clearly documented with global rises in cyber crime but we have been slow with training, especially in youth sectors.

Irfan Shakeel, EH Academy: The shortage of skillful people will increase, because the community failed to produce skillful professionals. Organizations are lacking in terms of training & development programs. It will have a direct impact on security; we will witness the rise of hacking attacks.

Einaras Gravrock, Cujo: Yes, absolutely. Given that inventory is growing by multi-digit CAGR, it will take a business cycle for the supply to meet the new demand.

Elizabeth Houser, Praesidio: Absolutely. The field is experiencing the same personnel shortage as the medical industry continues to face. Not only is there limited space in training programs but disparity also exists in the quality of these programs. Also, a disconnect remains between what IT managers need and what HR is requiring in job candidates.

Kris Rides, Tiro Security: I think we will see an increase in requirements and if the industry doesn’t make changes to how it is currently recruiting, then the shortage will grow.

Wade Johansen, CouriTech LLC: Yes! Recruitment is starting early because there aren’t enough coders to go around, so schools that offer it are seeing benefits for their students. Unfortunately, there is a shortage of strong teachers, so this is causing a shortage of classes, and students. This is the case with a lot of technology fields and not just coding.

Dennis Chow, Millar, Inc: Yes, even with new talent graduating with new Information Security focused degrees; many will lack the skills and experience that positions in demand will need.

Will talent shortage in the industry continue to grow?

Francisco Amato, Infobyte: I personally think that there is always talent floating around, but companies need to go out and find talented people in different environments, not just in traditional places. There are a lot of capable people, but it is necessary to properly promote and nurture them. One interesting way to find young blood is with competitions or challenges like CTFs, which are done in different events worldwide. Also, the rise of the hackerspace movement for me is an ideal training ground to find people with a lot of skills. Of course, one of the biggest things for these kinds of people is keeping them motivated. If IT sec professionals are only in it for the money and are not really passionate about what they are doing, they probably are going to find it hard to stand out in an intelligent and talented industry where you have extremely bright people (who love what they are doing) and these passionate people are the ones that are always going to be a step ahead.

Anthony Di Bello, Guidance Software: The talent shortage is expected to grow unless a top-down effort is made to create and stimulate interest in information security fields early on in a student’s education.

David Clarke, VCiso: Yes, almost certainly, as more and more skills other than cyber technical skills are required.

Przemek (Shem) Radzikowski, Secbüro Labs: For the foreseeable future, the talent shortage will continue to grow for another two to three years (the average length of an undergraduate degree). Unfortunately, the ripple effect from the shortage may persist for a longer period while professionals gain industry experience.

Mayur Agnihotri: Yes, talent shortage in the industry continues to grow, demand is high and supply is low. Companies need to attract and retain cyber security talent. Some elements to attract and retain cyber security talent:
• Provide training for staff on emerging technology
• Companies must participate in different events, like hackathons and open-source community platforms
• Companies must collaborate with universities / colleges in emerging technology, as well as cyber security talent.

Mitchell Bezzina, Guidance Software: Yes, due to the demand generated by the unusual amount of potential business risk associated with failed cyber security practices, the proliferation of media attention, and time it takes to train security specialists. The talent shortage will continue until the emergence of the next generation of qualified cyber security specialists.


Andrew Bagrin, My Digital Shield: Great talent shortage will, but we will see a bunch of new people in the industry. There are schools now trying to get people in the industry.

Dotan Bar Noy, Re-Sec Technologies: Yes, in the short term we will still have a talent shortage, and even more important is attracting the exceptional experts that are becoming very rare.

Paul Hoffman, Logical Operations: Yes, there will be a shortage for three to five more years, as people are trained in the industry.

BroadTech Security Team: There will be a shortage of usable people. Talent alone is not enough. Skill and Experience are also needed, which needs time to be acquired. Technology disruption and information overload is happening at such a rapid rate that time needed to understand, assimilate, gain skill and experience is getting even more limited.

Ondrej Krehel, LIFARS: I believe so. Until companies become aware they need talent and reward it, I believe people may not want to enter the field.

Stephan Conradin: Of course. More complexity, more needs, fewer people with wide knowledge.

Amit Serper, Cybereason: Yes, but will be offset by better and more automated tools.

Rick Blaisdell: Unfortunately, yes. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics. The demand for information security professionals is expected to grow by 53 percent through 2018. According to a recent report from the job board Dice, the demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.

At the same time, according to a 451 Research recent study, based on responses from more than 1,000 IT professionals, primarily in North America and EMEA, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%). Given this challenge, only 24% of enterprises have 24×7 monitoring in place using internal resources.


Wade Lovell, Simpatic: Yes, while the talent pool is expanding slightly ahead of the churn rate, the demand continues to grow.

Nick Prescot, ZeroDayLab: It depends what talent you’re looking for. Information Security continues to be both.


Michael A. Goedeker, Auxilium Cyber Security: Becoming more knowledgeable in what makes a successful “cyber” security person. Understanding exactly what the value of certs and experience is. Paying the right money for demanded positions instead of pushing them down.

Richard De Vere, The AntiSocial Engineer: I think sorting the good from the bad will be harder than ever over the next year. Recruiters have to step up their game and rely more on personal bonds and careful research of their candidates and not just point and click recruiting.

Irfan Shakeel, EH Academy: The recruiters will get confused because of the formal education, infosec certifications without any central governance body and the skills. The recruiters have to develop a methodology to capture the right candidate based on the skills, rather than a piece of paper.

Dennis Chow, Millar, Inc Short: Being able to distinguish ‘paper certified’ professionals compared to ones with true hands-on experience that happen to have those same certifications.

Kris Rides, Tiro Security: Larger companies will look to hire more niche candidates as they break down their teams into further specialties. This will mean your average generalist IT agency will find it tougher to fill these people as they will need to be focused 100% in this area to build relationships. Medium sized businesses will continue to have to a lot of competition with companies for their Security people. They will need to show the kind of flexibility on job requirements and benefits to really differentiate themselves and allow recruiters to fill their most urgent requirements. Recruitment companies will find it even tougher to supply contractors in Cyber Security. High permanent salaries and the kind of benefits these people will be offered, matched with (at least in the US) the high cost of healthcare mean the benefits of being a contractor will no longer be worth the risk.

Wade Johansen, CouriTech LLC: There is a large pool of jobs and many of them just don’t pay enough, particularly the Government sectors. There are not enough highly skilled workers to meet the demand and private industry pays far better. Unfortunately, having a good benefits plan isn’t enough now - workers want work at home VPN options, higher salaries and employers that provide ongoing training benefits and perks.

What new challenges will recruiters have to face in 2016?

Chase Cunningham, Cynja: The continued lack of talent will increase the demand for real cyber operators and the starting salaries for those individuals will continue to rise. The men and women who are coming out of the military and intelligence communities will have their pick of private sector jobs and roles and recruiters will have to outbid each other to win those candidates.

Amit Serper, Cybereason: Having to find the right soft skills, which will be just as important as the right technical skills.

Rajeev Chauhan: The vanishing line between ethical and unethical behavior in the infosec community will be a matter of growing concern.

Mayur Agnihotri: Nothing new; recruiters fail to attract and retain cyber security talent.

Przemek (Shem) Radzikowski, Secbüro Labs: Recruiters will find it tough to sift through a torrent of opportunistic but relatively unskilled candidates who want to jump aboard the rise in pay commanded by quality security experts.

Ondrej Krehel, LIFARS: They will have to deal with larger pools of applicants and finding talent among them.

Stephan Conradin: First: they should see and understand this growing complexity. Second: they have to reintroduce good sense when finding talent, not only check for some words in CV.

Paul Hoffman, Logical Operations: Differentiating between actually skilled workers and ones with puffed-up resumes, but they may not care as anyone willing to fight cyber attackers is better than no one.

Wade Lovell, Simpatic: A growing percentage of entrants into the security talent pool will have absolutely no relevant job experience.

Andrew Bagrin, My Digital Shield: Separating the true talent from the rest.

Nick Prescot, ZeroDayLab: Availability of experienced consultants because none of them are available.


Anthony Di Bello, Guidance Software: A lack of practical experience. While education certainly provides an understanding of systems and how to secure them, all bets are off when they experience their first live cyber-attack.

Mitchell Bezzina, Guidance Software: Those looking to place experienced cyber security specialists will find it difficult moving an individual into a new organization with career development or ancillary benefits being part of the decision process. It may well be easier to relocate teams who have an understanding of each other and efficient workflows. When looking to place candidates transitioning into cyber-security as a solution to talent shortage, a more rigorous culling process will need to be defined to ensure there is a great rapport between manager and the new candidate, this ensures a faster, more successful transition.

Elizabeth Houser, Praesidio: The realities of the field versus how popular culture continues to influence the perception of cybersecurity will continue to be an issue. CSI:Cyber isn’t likely to have the same impact on job candidates to the extent the CSI effect has impacted average citizens but there will be a definite ripple, regardless of size.

Dotan Bar Noy, Re-Sec Technologies: Costs of talents will continue to increase as demand is high and companies are recruiting less experienced talents and will need to invest in training etc. According to a recent report from DICE, a leading IT job board, the top five IT security salaries are: No. 1 – lead software security engineer at $233,333; No. 2 – chief security officer at $225,000; No. 3 – global information security director at $200,000; No. 4 – chief information security officer at $192,500; and No. 5 – director of security at $178,333.

BroadTech Security Team: I cannot say for large companies. Startups like ours take freshers, guide and train them.

David Clarke, VCiso: Recruitment is a vulnerable 3rd party and they will need to apply cyber standards, as well as find the appropriate resources.

Rick Blaisdell: The need for more cyber-workers also explains why info security is considered one of the best jobs out there - for the next seven years. U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015. They state the profession is growing at a rate of 36.5 percent through 2022.


Michael A. Goedeker, Auxilium Cyber Security: Payment expectations vs. reality. Either you get more money working for a big company that likely uses you up, or you work for a startup and gain experience and knowledge to grow. Become lifelong learners or look for another job.

Richard De Vere, The AntiSocial Engineer: People new to the industry or people looking to find that new role will have to strengthen their knowledge of computing in general and not rely so heavily on automated tools.

Irfan Shakeel, EH Academy: The hiring criteria, people are more likely to get confused and they will focus on gaining the certifications rather than studying and practicing. This will get them hired but at the end, the organization will suffer the consequences.

Amit Serper, Cybereason: Not only are threats and the external landscape changing, but given the rate of technology innovation, security teams need to rethink how they structure their processes and activities because perimeter based approaches are obsolete, and penetration is inevitable.

Przemek (Shem) Radzikowski, Secbüro Labs: There is no substitute for experience. Be prepared to work hard and learn fast because the security ecosystem is changing far more quickly than other sectors.

Kris Rides, Tiro Security: It will still be tough to stand out from the crowd, adverts will attract the masses meaning a good quality experienced candidate’s resume will be in the middle of a pile of people trying to move into cyber security. Expect to see plenty of counter offers, it’s not a new challenge but there will be a distinct rise so it’s important to ensure you have tried your utmost to get the changes you require in your current job before you start your search. If it takes you to get another job before they give you what you are looking for, you are working for the wrong company.

It will also be important for candidates to weigh all the benefits of job offers, expect to see some good salary increases but remember, there is a lot more to a job than that. As Richard Branson was recently quoted, “Time is the new money.”

Anthony Di Bello, Guidance Software: Certainly not a lack of competition in the job market.

What new challenges will people looking for work in cyber security have to face?

Andrew Bagrin, My Digital Shield: How to defend against the new threats, how to simplify and at the same time reduce cost. We can’t continuously keep spending more and more money on security.

Julie Herold, Kenny Herold, Odin’s Eye: Eventually a shortage of jobs and declining wages; cookie cutter vulnerability assessments and penetration testing (which really isn’t penetration testing). We refer to it as hitting the big green “go” button with automated web application or vulnerability scanning tools and removing false positives and calling it a penetration test. As a result of this stance from most IT Security companies, there will be a lack of opportunities to grow in this space with breadth and depth of knowledge and offering additional value to engagements.

Stephan Conradin: They must open their eyes and have great interest on what happens just in left or right of them. We could not have only one specialization, we must have several and/or have a generalistic view.

Ondrej Krehel, LIFARS: New threats and budgetary challenges as technology emerges.

Dotan Bar Noy, Re-Sec Technologies: For the next few years not much. They need to keep up-to-date with industry development and solutions.

Paul Hoffman, Logical Operations: It is not new, but on-going; it is defending against those things that you don’t know. Reducing risk and exposure in areas that are unknown. Hackers are constantly looking for new ways to breach security and companies are just trying to patch those known areas.

Wade Lovell, Simpatic: Entrants will likely find themselves in the security silo without many non-entrepreneurial opportunities to move to other parts of engineering and development.

BroadTech Security Team: There are so many tools and using them is very easy. But understanding the underlying technology is something lacking in people even with certifications. People will need to have more than certification if they need to get work. People who do not have certification will have to show their experience and credibility in some tangible way.


Nick Prescot, ZeroDayLab: The balance of qualifications vs. experience. There are many consultants who are experienced but don’t have the level of qualifications and others who are well qualified but don’t have the experience.

David Clarke, VCiso: A Cyber Role is a journey and the role has to match where the client is their cyber maturity and position it no longer a “finger in the leaking dyke”.

Dennis Chow, Millar, Inc Short: The problem of finding well-paying local security positions as opposed to ones that require relocation to high cost of living areas.

Wade Johansen, CouriTech LLC: Employers who look for talent often don’t understand just how talented an individual really is from a resume. Because every resume is filtered through an HR dept, often by keyword - great prospects are skipped over. Keyword resume searching has become the norm, often when you do get an HR person who calls, they don’t understand the technical abilities of the prospective employee, and so they are often overlooked when in reality they may be a perfect fit. This is a challenge because IT techs often are the worst at describing what they know and do on a daily basis.

Mitchell Bezzina, Guidance Software: Proving their skillset can easily transition into cybersecurity would be the main challenge. For those in developing careers, there will be a steep learning curve which may involve odd hours and be prepared to “roll up the sleeves”, as with growing industries, managers rarely manage people but must also take on work tasks and assist in day-to-day activities.


WHO IS WHO

Kris Rides

TiroSec, CEO and Founder

Kris believes that there is no substitute for building long term relationships with clients and you do that by providing them a great service. This is his 16th year in the recruitment industry and he has built and managed both permanent and contract teams over multiple disciplines in both the UK and all over the USA. Kris is passionate about recruitment and still keeps in touch with both people he placed when he first started his career and clients he worked with. He has spent almost all of his working career in Tech recruitment and he understands his candidates’ needs as well as the difficulties clients have in some of these niche areas.

Roberto Langdon KPMG Sr Manager, Forensic Technology Services Risk Consulting

He has a wide experience in the Information Security market, as well as in the Forensic Practices and Technology. He has 35 years of experience previous to his position at KPMG, within national and multinational companies, from IT & Telecomm sector, and 15 years of experience in Information Security, Physical Security and Urban Security specialization.

Einaras Gravrock Cujo, CEO

12 years digital commerce experience. Founded / built Modnique.com to $50M in annual sales. Named one of Goldman Sachs 100 most intriguing entrepreneurs in 2014.

Elizabeth Houser Praesidio Security Engineer

Security Engineer for Praesidio and focuses on vulnerability assessments, incident response, and digital forensics. She is a graduate of the University of Washington and lives in Seattle. Her additional interests include malware analysis as well as cyber threat intelligence and serves on the Computer Information Systems (CIS) Advisory Committee for Edmonds Community College in Lynnwood, WA.

TRAINING

What role will formal education play in 2016?

Michael A. Goedeker, Auxilium Cyber Security: It always plays an important role in research based jobs. Teaches how to do research and work within specific requirements and times. Certification will never replace a degree (IMHO). A degree is also not everything either.

Irfan Shakeel, EH Academy: Formal education should play an effective role and we need to make little tweaks in the formal education. But, the formal education without the required amendments will not play any notable role.

Elizabeth Houser, Praesidio: Formal education will continue to be sought after but the availability of online (especially free) training resources will increasingly augment the education of individuals at all skill levels.

Roberto Langdon, Nicolas Orlandini, KPMG: The education will be very important in 2016, because we need to incorporate already skilled people for this activity that can be very effective from the very beginning of his/her job.

Wade Lovell, Simpatic: As the industry matures, degrees and certifications will play more of a role. This is a mistake. Having held a number of certifications myself, including the CFE (Certified Fraud Examiner), I have little respect for their ability to help practitioners stay up to date and see them more as a gate preventing some experts, especially young ones without corporate CPE and dues sponsorship, from appearing as competent as some of the corporate dinosaurs.

Chase Cunningham, Cynja: The more education that cyber operations personnel can attain before they go looking for work, the higher initial salary they can garner. Thanks to increased specialized training in the military and intelligence communities, the need for actual degrees is not completely necessary. However, surveys show that the gap in starting pay for those with advanced degrees is much greater, by up to 40%, compared to those with similar cyber skills but no formal education. In short, it pays to go to school.

Nick Prescot, ZeroDayLab: Education will become more formalised in 2016 where it will be a training requirements.


Dennis Chow, Millar, Inc Short: There will be an increase in positions requiring an undergraduate degree to even apply. However, I do not believe there will be a large increase in requirements for ‘security’ specific degrees. Certification need will also increase, as well, that teaches hands-on skills rather than conceptual only.

Amber Schroader, Paraben Corporation: We have seen a change in a need for a base training and understanding of the principles associated with examination that comes through formal education. However, we see a deficiency when it comes to the ethics that are required to be able to function in the field when it comes to formal training.

BroadTech Security Team: It will be an important factor but not a deterministic factor. Skill, experience & passion will win over nonchalant formal education.

Wade Johansen, CouriTech LLC: In the U.S. it is starting to gain more ground now. The federal Govt has started giving grants to more colleges to develop Cyber Technology and Security programs and degrees. For many colleges, this is the first time they’ve ever had real Cisco or cyber security labs and not just textbooks and desktops. It’s a big leap forward.

Stephan Conradin: Crucial, more education for more ability to work with complexity.

Paul Hoffman, Logical Operations: Formal education will have to step up in some capacity and in 2016 you will see some do just that. But it will take time. Those institutions do not move very fast.

Rajeev Chauhan: There can be no substitute for formal education, the formal education provides the base for future. However, exceptions can not be ruled out.

Ondrej Krehel, LIFARS: It’ll be more important, as curriculums are getting better, but still not where it should be.

Anthony Di Bello, Guidance Software: This depends on the ability for universities to find qualified instructors and develop meaningful curriculum. Given the salaries associated with skilled cyber pros, I can see how attracting qualified educators in the field will be challenging. Perhaps universities can turn to their own internal information security teams for assistance in this area. Universities that offer meaningful cyber programs can be expected to play a big role.


Andrew Bagrin, My Digital Shield: Just adding head count in the industry. The security industry requires experience and knowledge about hacking, networking and coding.

Przemek (Shem) Radzikowski, Secbüro Labs: It is difficult to see formal education disappearing completely, but in general, it has been slow to incorporate cybersecurity trends within their curricula. It’s not uncommon for university curricula to remain static for many years because of their reliance on published textbooks.

David Clarke, VCiso: Education needs to start in schools, the gap between schools and IT is getting bigger, Cyber Security is misunderstood.

Julie Herold, Kenny Herold, Odin’s Eye: We think, based on the previous answers, we won’t quite yet see the results this year.

Will certification keep its role as the main tool to confirm skill and expertise?

Michael A. Goedeker, Auxilium Cyber

Se-curity: They are important but experience is more important. Certs don’t guarantee success but combined with experience through using taught concepts in projects is an indicator.

Rick Blaisdell: Yes, that’s for sure. The 2015 CompTIA study HR Perceptions of IT Training and Certification revealed that: 65 percent of employers use IT certifica-tions to differentiate between equally qu-alified candidates • 72 percent of employ-ers use IT certifications as a requirement for certain job roles • 60 percent of orga-nizations often use IT certifications to con-firm a candidate's subject matter knowledge or expertise • 66 percent of employers consider IT certifications to be very valuable - a dramatic increase from the 30 percent in 2011.

Dotan Bar Noy, Re-Sec Technologies: Certification plays an important role ensuring your team is up to speed with new solutions and encounters other professionals to share ideas and feedback on the different solutions.

Rajeev Chauhan: To some extent, certifications are benchmarks for judging capabilities, but there is no substitution for hands-on skills.

Wade Johansen, CouriTech LLC: For now, yes! Because most college degrees don’t prove skills in the field, or because the requirements of the degree may use outdated resources, there is a tendency now to look for certified professionals such as VCP, CCNA, MCSA, C|EH, etc., which shows the skills are currently relevant to an architecture or model.

Przemek (Shem) Radzikowski, Secbüro Labs: I’ve met many highly-certified people who have turned out to know very little. All too frequently, certifications only test knowledge but not the candidate’s ability to apply the concepts in real world situations.

Dennis Chow, Millar, Inc: Yes, certifications will complement and evolve to help maintain the attestation of a certain level of skill. However, we will see more interviews and other candidate requirements to prove hands-on experience through ‘practical’ assignments.

David Clarke, VCiso: The idea that a five day training course means we have cyber skills, any more than learning to drive from a multimedia training course is valid, we need the equivalent of medical interns, Barristers Pupilage.
