Cyber Risk News
Vision Direct has apologized after customers' personal and financial details were found to have been leaked.
According to a statement, the data was compromised between November 3 and 4 2018 “when entering data on the website and not from the Vision Direct database” and included full names, billing addresses, email addresses, passwords and telephone numbers. Payment card information, including card number, expiry date and CVV, was also compromised. However, PayPal users are unaffected, Vision Direct confirmed.
“As the information was compromised as it was being entered into the site, any existing personal data that was previously stored in our database was not affected by the breach,” it said. “All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach.”
Anyone who visited the website and did not enter details should not be affected, it confirmed.
“We understand that this incident will cause concern and inconvenience to our customers,” Essential Retail reported. “We are contacting all affected customers to apologize and continue to inform you of any updates in the next few days.”
40% of UK Shoppers Want Cyber Monday Bargains, Half Willing to Buy from Previously Breached Retailers
A new survey of 1000 UK consumers has found that 40% of UK shoppers are planning to make the most of big-name discounts available on Black Friday and Cyber Monday, with half of those stating they are happy to buy from retailers that have suffered a breach in the past.
The findings, from DomainTools, show that UK shoppers are just as keen as their US counterparts to spend online this winter period, and are even willing to overlook security concerns at previously breached retailers.
However, on a more positive note, DomainTools did discover that 63% of respondents are more likely to cross reference email domains with legitimate retailers’ URLs, which can go a long way to preventing successful phishing attacks.
“The results of the survey provide us with both positive and negative outcomes,” said Corin Imai, senior security advisor at DomainTools.
“While it’s undoubtedly encouraging that respondents are more likely to check email addresses for tell-tale signs of phishing, it is concerning that so many remained happy to use companies which had been breached in the past. If customer details are accessed by cyber-criminals, it can leave them vulnerable to a variety of further crimes, up to and including identity theft. Consumers should be sending the message to companies that data protection matters.”
Without any notable opposition to the Senate’s version of the bill, the House agreed to a reorganization of the Cybersecurity and Infrastructure Security Agency (CISA) Act earlier this week, according to FCW.
Replacing the National Protection and Programs Directorate, the new agency will oversee the cybersecurity of federal computer systems and will be a government liaison on cybersecurity issues with critical infrastructure providers, such as banks, hospitals and airports.
"This is just a new sign and a lick of paint on another DC bureaucracy. CISA is focused on securing federal infrastructure as a part of the Bush-era Frankenstein’s Monster DHS, so they will continue to spend vast amounts of money on systems, while 91% of attacks will succeed via phishing attacks,” said Colin Bastable, CEO, of Lucy Security.
“From the perspective of protecting government departments, businesses and citizens against phishing attacks by 'upgrading' the security skills of the people, CISA will bring zero benefits," said Bastable. "Effective cybersecurity requires a holistic approach, securing people and systems as part of an integrated plan. The weakest points are the people – it only takes one successful attack.”
In addition to businesses needing to defend against cyber-attacks, there is also a need for federal, state and local government departments to protect themselves and a Federal Bureau of Cybersecurity to protect people, businesses and non-federal assets, according to Bastable.
“This is a national issue: Americans treat consumer protection as a national priority, and yet cyber insecurity is treated as a fact of national life that we should somehow tolerate and accommodate," he said. "A dedicated Federal Bureau of Cybersecurity will treat cyber insecurity as the consumer safety issue that it is, and respond with serious intent to protect Americans as voters, social media users, health insurance consumers and taxpayers."
In order to effectively defend critical infrastructure, the government must be able to detect, respond to and recover from these types of attacks. George Wrenn, CEO and founder, CyberSaint Security, said, “As the former CSO of a global critical infrastructure organization, I've seen first-hand that adopting the National Institute of Standards and Technology's Cybersecurity Framework is a robust first step in lowering the cybersecurity risk in our government agencies and critical infrastructure organizations. The focus on cybersecurity for organizations such as these is critical to our safety as a nation, and I'm pleased to see this issue enter the spotlight."
BlackBerry announced that it has finalized an agreement in which it will acquire Cylance for $1.4 bn in cash, plus the assumption of unvested employee incentive awards. With Gartner citing security as the top barrier to successful internet of things (IoT) implementation, BlackBerry aims to improve its offering to enable the enterprise of things (EoT). By applying Cylance’s artificial intelligence, algorithmic science and machine learning, the new platform is expected to prevent known and unknown threats to fixed endpoints, according to a press release.
The BlackBerry Spark platform will join Cylance’s cybersecurity software with next-generation secure chip-to-edge communications and promises to deliver trusted connections between any endpoint.
“Cylance’s leadership in artificial intelligence and cybersecurity will immediately complement our entire portfolio, UEM [Unified Endpoint Management] and QNX in particular. We are very excited to onboard their team and leverage our newly combined expertise,” said John Chen, executive chairman and CEO of BlackBerry. “We believe adding Cylance’s capabilities to our trusted advantages in privacy, secure mobility and embedded systems will make BlackBerry Spark indispensable to realizing the enterprise of things.”
Founded in 2012 and privately held, Cylance has over 100 patents and patent applications in cybersecurity and machine learning. The company delivers endpoint protection services to more than 3,500 enterprise customers, boasting that more than 20% of those are Fortune 500 companies.
“Our highly skilled cybersecurity workforce and market leadership in next-generation endpoint solutions will be a perfect fit within BlackBerry, where our customers, teams and technologies will gain immediate benefits from BlackBerry’s global reach,” said Stuart McClure, co-founder, chairman, and CEO of Cylance. “We are eager to leverage BlackBerry’s mobility and security strengths to adapt our advanced AI technology to deliver a single platform.”
The deal is expected to close prior to February 2019, which is the end of BlackBerry’s current fiscal year.
A new report looked at the number of companies that allow users to access corporate data on personal devices and found that most organizations enabling BYOD lack proper security controls, according to Bitglass.
With the advent of the cloud, more employees are taking advantage of being able to work from anywhere at anytime on any device, including non-company issued devices. The Bitglass 2018 BYOD report found that 85% of enterprises now allow data access from personal devices for employees, partners, customers, contractors and even suppliers. As a result, more than half (51%) of participating firms report a rise in mobile security threats this year. Based on a survey of nearly 400 enterprise IT professionals, the study also found that 43% of organizations are not able to determine whether the personal devices that are accessing corporate data have actually downloaded malware.
In addition, only 56% of companies use the basic protections of remote wipe and mobile device management tools, though these tools do lead the pack in adoption of companies employing BYOD, according to the report. Only 30% of firms are confident that they are properly defending against malware on personal and mobile devices.
“BYOD increases employee mobility, and consequently, organizational flexibility, efficiency and collaboration,” the report said. Though the main drivers for enabling BYOD are employee mobility (74%), employee satisfaction (54%) and reduction in cost (49%), only 19% of organizations reported enabling BYOD because it reduces security risks. As little as 15% of organizations reported that they do not enable BYOD for any users.
“While most companies believe mobile devices are being targeted more than ever, our findings indicate that many still lack the basic tools needed to secure data in BYOD environments,” said Rich Campagna, CMO of Bitglass, in a press release. “Enterprises should feel empowered to take advantage of BYOD’s myriad benefits, but must employ comprehensive, real-time security if they want to do so safely and successfully.”
A Japanese minister in charge of cybersecurity has shocked lawmakers after revealing that he doesn’t use a computer, and struggles to grasp the concept of a USB stick.
Yoshitaka Sakurada, 68, is deputy chief of the government’s cybersecurity strategy office.
However, responding to an independent lawmaker at a Lower House Cabinet Committee meeting this week, he’s reported as saying: “I don’t use computers because since I was 25 I have been in a position of authority where secretaries and employees handle such tasks for me.”
Sakurada also admitted “I don’t know the exact details” when asked by another lawmaker about the measures that are in place to guard the nation’s nuclear power stations against cyber-attacks.
He also appeared confused when asked if USB drives were being used in said nuclear facilities, according to reports.
Sakurada’s shaky performance comes after he was criticized last week over his handling of basic questions on the upcoming 2020 Olympic Games in Tokyo — another area he is in charge of as minister.
At one point he reportedly claimed the budget for the event was 1500 yen, which amounts to around £10/$10.
According to local news wire Kyodo, the debate was interrupted frequently while his aides were forced to step in to answer questions on his behalf.
While Sakurada’s unusual decision never to use a PC could be viewed as the ultimate security strategy, his apparent lack of understanding of basic details is some cause for concern.
Olympic Games events usually attract the attention of nation state operatives and cyber-criminals. The last event in Pyeongchang earlier this year saw a major attack leave the official Winter Games website down for 12 hours shortly before the opening ceremony.
MPs are unhappy at the government’s response to their committee report on cybersecurity skills in critical infrastructure (CNI), claiming it fails to address the immediate challenges facing the industry.
The Joint Committee on the National Security Strategy published its initial report in July, claiming the skills gap in the sector was “cause for alarm” and that the government had to “explore more creative options” to improve skills capacity in the sector and across government.
A government response to the report out this week acknowledged the problems and set out several things it is doing to improve the pipeline of talent, including the CyberDiscovery and CyberFirst programs. It also referred to the Cyber Skills Immediate Impact Fund as helping to address shorter term skills issues, and a bursaries scheme to assist with Masters degrees.
The government also acknowledged the need to “think creatively” and said it was considering extending the NCSC’s Industry 100 initiative to build more skills capability.
However, committee chair, Margaret Beckett, was unimpressed.
“The committee remains to be convinced that government has grasped the immediate challenge of keeping CNI secure from cyber-threats,” she responded in a statement.
“Many of the plans set out in this response will come to fruition in a decade’s time. It fails to answer our questions about today and tomorrow – and this is concerning.”
Those plans also include funding for teaching improvements such as: a Continuing Professional Development (CPD) program which aims to upskill 8000 teachers so they can deliver GCSE computer science courses, and a £500/year commitment to creating new “T levels” courses by 2020.
The government also clashed with the committee over the level of cybersecurity training provided to civil servants.
The former recommended that “basic cyber security training and continuing professional development” be made compulsory for all, while the government responded that it already offers basic training via a Responsible for information – General User including Government Security Classifications course.
However, there were some signs of progress. Beckett welcomed the government’s commitment to publishing a coherent cybersecurity skills strategy by the end of the year.
“Today’s response from the government accepts the need to think creatively about current and future challenges relating to cyber skills. This is a start. The government sets store by its 2016 National Cyber Security Strategy, and today’s response to our report acknowledges that in terms of a standalone skills strategy, there is more to do,” she said.
“We have been assured that government has begun work on that strategy, which they promise by the end of 2018. When it arrives, we will look carefully to ensure that this is the case.”
Security researchers are urging parents to think twice about buying GPS-enabled smart watches to keep their children safe, after revealing that scores of models are riddled with vulnerabilities.
Pen Test Partners’ initial research detailed security issues with the MiSafes device first launched three years ago. The idea, like all similar devices, is that it keeps track of the wearer’s movements at all times, reassuring parents.
However, hacking the watch is “well within the capability of an attacker with basic coding skills using only free tools,” the firm wrote.
Doing so will reportedly allow an attacker to change the device’s ID number and therefore access a user’s account, enabling them to locate and view a photo of the child; listen in to conversations between parents and their children; and call or message the child.
Attackers could also cause the watch SIM to dial premium rate numbers, potentially running up a huge bill.
“Our research was carried out on watches branded ‘Misafes kids watcher’ and appears to affect up to 30,000 watches. However, we discovered at least 53 other kids tracker watch brands that are affected by identical or near-identical security issues,” warned Pen Test Partners.
“So far, we have gathered data that indicates at least one million tracker watches in use today are affected.”
Aaron Zander, IT engineer at HackerOne, argued that until manufacturers are forced to build security into smart products from the start, consumers shouldn’t expect it to be included.
“So how do you purchase safe smart toys for your kids? You don’t,” he added.
“But if you must, don't go for the cheapest options and try to minimize capabilities like video, Wi-Fi and Bluetooth. Also, if you do have a device and it does have a security flaw, reach out to your government representatives, write your regulating bodies, make a stink about it, it’s the only way it gets better.”
Despite the session’s name, “Two Points of View: Collaboration and Disclosure: Balancing Openness About Cyber Security with Managing Risk and Reputation,” panelists at today’s Infosecurity North America conference were actually in agreement about sharing threat intelligence.
Moderated by Joseph Gittens, director, standards, Security Industry Association, the panelists explored the different channels by which information can and should be shared. Participating in the talk were Andrew Conte, AVP security leadership team, at The Guardian Life Insurance Company of America, and James O’Shea, head of re-engineering, cybersecurity and IT infrastructure, at RBC Capital Markets. Both participants noted that their comments were their own and not representative of the thoughts or policies of their employers.
“This is just for fun,” O’Shea said, which Conte echoed.
Of great concern is how threat vectors are expanding in recognized brands, but with the value of personally identifiable information (PII) these days, protecting the customers PII is critical. To do that, companies need to understand new and emerging threats, so being a member of an information-sharing organization is a great opportunity to learn about those threats. "They are good at de-anonymizing where the threats came from and sharing that information,” Conte said.
As you mature as an organization, you should be thinking about the other information channels by which you can come to understand threats. "Criminals are criminals and they are going to try to convert something that you have into something of value that they can use for something else. Those sorts of things happen in other industries all the time,” O’Shea said.
Including law enforcement in cyber war-gaming is incredibly useful as well, and depending on the type of organization, you may naturally have a relationship with law enforcement already. Sectors that are regulated, such as critical infrastructure, are examples of the types of organizations that have those front-line partnerships on call.
For non-critical infrastructure organizations, there are professional organizations across the country, whether it’s ISACA or (ISC)2 or other types of member groups.
“People are never going to turn away people who want to join together and work on the problem,” O’Shea said. Additional good sources of information are within the legal industry, whether its in-house counsel or outside of the organization. “Look laterally,” O’Shea said.
Gittens asked whether the security industry ought to have a general good neighbor policy, and the panel then hypothesized about the likelihood that there could someday be legislation that imposes liability for failure to share threat intelligence.
“It’s something to think about,” O’Shea said.
It’s months past when the EU’s General Data Privacy Regulations (GDPR) went into effect, and many are wondering, “Where are we now?” Among the many aspects of the GDPR talked about at today’s Infosecurity North America conference, Nashira Layade, SVP, CISO at Realogy Holdings Corp., and Elena Elkina, partner at Aleada Consulting, spent a bit of time focusing on data-subject requests.
In particular, one of the three types of data-subject requests is the right to be forgotten, which in itself can be tricky, Layade said. “Understanding where the data is will help you with data-subject requests, but the right-to-be-forgotten request means that you also have to look at the requirements on how long you are supposed to hold onto that data. Always check with your legal team to make sure you are complying with all of the regulations.”
It’s also key to understand the 30-day-response requirement. The data-subject request demands a response within 30 days, but that doesn’t mean that the activity will be carried out within those 30 days, according to Layade.
Certainly there will be situations where an organization may need more time to act, which is something that should be discussed with legal. Either way, the response has to be delivered in the designated time frame.
As more regulations and legislative acts are brought forth, complying with all of them could feel overwhelming. Usually, though, compliance with one will cross over and lead to compliance across the board. “I would not focus on a regulation-by-regulation basis, because you are going to drive yourself crazy. What is your organization’s risk profile? Start there,” Layade said.
For some organizations, GDPR has had little impact on their data privacy impact assessment practices. Layade said that her organization has two different processes for risk assessment, which include the technology side and the data side.
“GDPR didn’t change anything for us because we do impact assessments on a six-month basis. For those who are just starting out on the journey, though, you should consider evaluating certain GRC [governance, risk and compliance] tools that automate your privacy impact assessments. Those assessments should be automated to increase efficiency and make the process more streamlined and easier to implement,” Layade said.
“If you are just implementing, think about the goal of why these regulations were even required by regulators. If there is potential for high risk, you need controls. Assess your product and your business processes. Don’t just think about products. Think about the process as well,” Elkina said.
In his opening keynote presentation kicking off the second day of this year’s Infosecurity North America conference in New York, the technical director of cybersecurity threat operations center for the NSA, Dave Hogue, talked about how innovations in policy, technology, and people can lead to break-through results in one of the largest 24-7-365 operational environments across the US government.
Hogue said the threat operation center is equivalent to security operation centers in industry, and his teams are on the front line of defending against cyber threats every day. The fully operational teams are divided into threat analysts and countermeasure engineers.
Noting that the NSA director often describes cyber as the ultimate team sport, Hogue said this philosophy is embodied in operations center, which has representatives from different government agencies, including the FBI, among their team. “If something happens that affects one agency network, they are there and given the information needed to do their jobs.”
On the unclassified Department of Defense information networks it defends, there are 36 million emails coming in every day. While it’s a challenge to defend against that magnitude, Hogue said that 85% of user emails are rejected daily. In addition, once a vulnerability is disclosed, the network is scanned within 24 hours.
“It is incredibly easy for adversaries to take advantage of released vulnerabilities, so you need to understand your attack surface and understand how fast you can push patches out, because vulnerabilities are turned around extremely quickly,” Hogue said.
Increased attacks from nation-state actors have grown more sophisticated, with the majority of geopolitical events coming from Russia, Iran, North Korea and China. Commenting on events coming from Russia, Hogue said, “We see their cyber activity very much guided by what they are doing in real time. Every time we severed their malware or took down their IP addresses, they established a new one.”
China, on the other hand, has transformed how it conducts its activity, but it continues to use cyber-espionage as a prime enabler to acquire transformative technologies as part of its long-term plan to be a global superpower.
The NSA is diligent in deploying its cyber defenses, and because of those efforts, Hogue said it has not responded to an intrusion using a zero-day exploit in the last 24 months. As is the case with the private sector, 90% of its cyber incidents are due to human error. In fact, 93% of the 2017 incidents were preventable with basic best practices of application whitelisting, role-based access controls and two-factor authentication.
Five key strategies that will lead to successful defense include instituting well-managed and defendable perimeters and gateways; ensuring visibility and continuous monitoring of the network to include traffic and endpoints; hardening networks, endpoints and services to best practices; creating and fostering a culture of curiosity and embracing innovative approaches; and using comprehensive and automated threat intelligence sources.
US lawmakers have been warned of the growing risk to national and corporate security posed by Chinese efforts to dominate 5G infrastructure and the IoT supply chain.
The US-China Economic and Security Review Commission’s 2018 report to Congress claimed that significant state support for these technologies, along with alleged cyber-espionage, IP theft and other measures, have helped China to achieve dominance in the manufacturing of “global network equipment, information technology, and IoT devices.”
However, without the right tools to conduct rigorous supply chain assessments, the US government is left exposed to mounting cyber-related risk.
“China’s central role in manufacturing global information technology, IoT devices, and network equipment may allow the Chinese government — which exerts strong influence over its firms — opportunities to force Chinese suppliers or manufacturers to modify products to perform below expectations or fail, facilitate state or corporate espionage, or otherwise compromise the confidentiality, integrity, or availability of IoT devices or 5G network equipment,” the report warned.
These risks are compounded by the “lax security protections and universal connectivity of IoT devices” — creating multiple weaknesses which hackers could exploit to target critical infrastructure, private enterprises and individuals, it continued.
“These types of risks will grow as IoT devices become more complex, more numerous, and embedded within existing physical structures,” the commission claimed. “The size, speed, and impact of malicious cyber-attacks against and using IoT devices will intensify with the deployment of 5G.”
The report listed a series of recommendations which could signal a major new focus from Washington on supply chain security.
These included: an annual Office of Management and Budget report to ensure Chinese supply chain vulnerabilities are adequately addressed, an investigation into “trade-distorting practices” from Chinese state-owned enterprises, an assessment of any US-China “collaborative initiatives in technical cooperation” and an NTIA/FCC investigation into Chinese supply chain threats to 5G.
The US Office of Personnel Management (OPM) has still not implemented over a third of the recommendations made by government auditors after a devastating 2015 breach.
Some 29 recommendations remain “open” out of the 80 that were made by the Government Accountability Office (GAO). These include key best practice security steps which many would consider basic, such as installing the latest OS versions on networks supporting “high-impact” systems.
Also missing were plans to avoid multiple staff using the same admin accounts, password encryption at rest and in transit, and “procedures governing the use of special privileges on a key computer.”
Amazingly, the OPM has still not been able to demonstrate to the GAO that it has reset all passwords after the breach, or that it installs critical patches in a timely manner. Nor has it shown that it periodically evaluates accounts to ensure privileged access is warranted, or assesses controls on certain systems as part of continuous monitoring.
“Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended,” a congressional briefing document noted.
“Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption.”
These concerns are key, given that the OPM was breached, it is thought by Chines hackers, after they obtained credentials from a contractor.
This access was then used to install backdoors and subsequent info-stealing malware on the department’s network.
The incident exposed 21.5 million sensitive records relating to current and former federal employees including security clearance investigations which could prove useful for intelligence operatives looking to blackmail individuals.
The good news is that the OPM said it plans to implement 25 of the 29 open recommendations by the end of 2018 and three more by the end of fiscal year 2019.
Card details stolen from British Airways and Newegg customers by Magecart operators went up for sale on the dark web in just over a week after the raids, potentially generating millions in revenue, according to new insight.
In the report, “Group 6” is pegged for the BA and Newegg attacks, described as “extremely selective” and only choosing victim organizations where a high-volume of traffic and transactions are guaranteed.
In the report, the researchers show screenshots from one of the most popular “dump shops” on the dark web.
Dated September 13, the BA-linked advertiser claims to have “CVV2 DUMPS UPDATE (HIGH VALID)” with a huge range of countries listed including the UK, US, Germany, France, Spain, Italy, Canada etc.
The Newegg ad is listed for the 27th of the same month and offers a “BIG CVV2 UPDATE” of around 500,000 cards.
Reports suggest the details were on sale for between $9-50, which means those behind the digital skimming campaigns may have been able to net tens of millions of dollars.
However, BA is still insisting that there’s not been any verified instance of fraud as a result of the incident.
Customers should not wait around to find out, according to ESET UK cybersecurity expert, Jake Moore.
“If your data was included in this breach and if you haven’t already, you’ll need to take action to protect yourself. Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious,” he advised.
“You’ll also want to check your card statements for suspicious activity or purchases online — in particular small amounts just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud alert security on your account. And it goes without saying, make sure all your passwords are unique online.”
Whether it’s a question of to whom the CISO reports or quantifying what the CISO is actually responsible for, the role has changed over time, leaving many wondering how to balance the competing demands of IT, security, innovation and compliance.
In the final panel that closed out the second annual Infosecurity North America conference in New York, Martin Gomberg, the author of CISO Redefined, moderated a discussion, “The Changing Role of the CISO: Balancing the Competing Requirements of IT, Security, Innovation and Compliance to Optimize Business Performance and Shareholder Value,” that aimed to answer the ambiguous question of where the CISO should sit.
Participating in the conversation were Bernadette Gleason, VP BISO at Citi; Randle Henry, former CISO at Hewlett-Packard and consultant at Tevora; Ben Harris, VP of policy/compliance and CISO at Rakuten Marketing; and Derek Vadala, global head of cyber risk group at Moody’s.
“It seems like we are facing these challenges newly now, but it’s been almost 15–16 years that the CIO role has been in transition,” Gomberg said. With the CIO role now focusing more on innovation, what then happens to the role of the CISO?
The answer wasn’t quite clear. Across the panel, the roles and responsibilities differed in their responses to the question of what drives them on a daily basis. When asked whether compliance, innovation or risk is their greatest driver, Henry said risk, while Harris noted the influence of GDPR and Vadala noted the adoption of innovation.
“I focus most of my time on policy, strategy and architecture and a lot less time on the operation piece. One of the biggest challenges is the amount of tasks that have to be done,” Harris said.
Vadala echoed that the accumulation of responsibilities contributes to the challenges of today’s CISO. “I think in some cases those roles have accumulated a lot of aspects that are in some cases misaligned and may be becoming a little inefficient because it doesn’t allow individuals and teams to focus in on problem areas.”
"So how does today’s CISO go about making sure they are getting the budget they need?" Gomberg asked.
“Something that I struggle with is that the budget is pushed down from the top still and set, which is unfortunate, but we try to go bottom-up across the different groups and identify the risks that need to be addressed,” Harris said.
Finding and keeping talent in the cybersecurity industry is a challenge for organizations of all sizes around the globe. As a result, the talent market is highly competitive, which is why a panel of experts came together at this year’s Infosecurity North America conference in New York to talk about building an effective cybersecurity team in a highly competitive market.
Let by moderator Alexander Abramov, president, ISACA New York Metro, three panel members discussed what they are looking for in new recruits and how to effectively close the growing skills gap.
“When I look for talent, I have a preference toward deep, technical talent. I have a blind spot for, so if you don’t have the social skills, come to me. I would much prefer to hire someone who doesn’t have the social skills but has the deep technical skills,” said Cindy Cullen, managing director, NDegrees, and a member of the (ISC)2 international board of directors 2019–2021.
On the flip side, Cullen said that recruiting, especially if trying to recruit someone with experience, is a real challenge. “My perspective is to work with universities. I worked with a local university on a capstone project, so I was able to see which ones were the good ones and decide whether to extend an offer or endear myself to other people.”
Not all hiring managers are looking for recruits with those deep technical skills, however. Roger Parsley, managing director, Robert Half International, said he looks for people who put the team success ahead of individual success. In return, the organization has to create a retention-focused culture in which people want to stay.
Once you get over the hurdle of finding the talent you need, you have to deal with the reality that they may choose to go elsewhere if they aren't happy. It’s what Matt McKeever, CISO, LexisNexis Legal & Professional, called the missionary versus mercenary conflict. Those who are driven by salary are likely not going to stay, so focus on keeping those employees that are driven by passion.
One way to effectively do that is to “promote a culture of creativity and innovation within the organization,” Parsley said. “If people feel that they are engaged and have the opportunity to think outside of the box and you expose them to cutting-edge technology and involve them in design, it’s a very powerful concept.”