Palo Alto Networks's Sean Duca on cybersecurity skills
There's a huge talent crunch in the cybersecurity sector, made even worse by the COVID-19 work-from-home phenomenon. Research conducted in 2017 by Cybersecurity Ventures originally indicated that there would be 3.5 million unfilled cybersecurity jobs by 2021; chances are good the number has increased this year.
In a conversation with People Matters, Sean Duca, Regional Chief Security Officer for Asia Pacific & Japan at Palo Alto Networks, shared some thoughts on hiring and skilling for this niche but critical field. Here are the highlights.
What are your thoughts on the talent outlook for the security sector around the region? Do you see companies facing challenges in finding the talent they need?
Security is a hot topic right now because of the challenges presented by the working from home phenomenon, and a lot of companies are looking for talent. For us right now, we're actually looking at people who can fill account management and sales roles, and who are sufficiently familiar with the field to work credibly with customers. And in terms of technical roles, while there absolutely are technical roles to be filled, the challenge we see is more around targeting the specific skills that we look for. We require engineers to know a certain range of technologies, and that does make it difficult to find talent. We're constantly on the lookout for people who might be the right fit for us, and for whom we're also the right fit.
I find that talent acquisition, especially in the cybersecurity space, comes down to the maturity of an organization.
The more mature an organization is, the less likely it will be to go out and try to find a unicorn, so to speak.
A unicorn in this context is someone who has 10-20 years of experience, has done a range of different things over their career, has a very high number of certifications. Basically, the biggest, the best, and the most amazing talent out there. And sometimes, trying to find this talent doesn't necessarily align with what the organization is actually trying to achieve.
What kind of skills do you see as most important for security?
When you go out and find talent in this space, a lot of the time you're not really looking for people that have cybersecurity skills, because these skills can be trained. Instead, you look for communication skills. People who have an understanding of how to communicate cyber risk to people who are less familiar with the concept. Your staff is basically managing the risk that an organization incurs by doing something online. If they are thinking of new products and services, if they are thinking of new ways of bringing something to market, then you have to ask: what's the risk from a cyber standpoint? And how do we manage that risk?
You also look for problem solving capabilities, which are fundamental to any organization, and which I personally see as one of the most important skills someone should have.
And you look for attitude, especially in larger organizations. I like to call it the fire in the belly: the passion to learn. People who want to go out there and stretch themselves, who think constantly about what they could do differently. Over the years, we've seen this concept of "fail fast" with technology startups, where people try something and once they recognize that it's not working, they quickly change it and keep pushing on. That's the agility, the attitude you need to look for.
Does that mean the field is open to mid-career professionals, people who are coming in from other industries and have decided to switch?
Absolutely. It's a great thing, because it brings diversity of thought, which is a massive positive attribute. I like to use the famous quote from Albert Einstein: the definition of insanity is doing the same thing over and over again and expecting a different outcome.
We need people who can challenge the status quo and think about what we can do differently. And people who are mid-career, who have training in different aspects of the business, who can think more laterally—I think these people will be the ones to solve some of the biggest challenges that we have ahead of us.
What about upskilling: what do you think needs to be done to get people to develop skills in cybersecurity?
One way of looking at talent acquisition and upskilling is to go out and find people who are capable of solving yesterday's problems. But I prefer to turn around and ask, have we really solved yesterday's problems? I don't think it's enough to go out there and say that we'll keep working based on what we've done before. I think we always need to be thinking about a better way to try and solve these challenges.
So when it comes to developing cybersecurity skills, the reality is we need to ensure that we're spending the right amount of time educating everyone from the bottom up. We need to change the way people think about doing things when they're online, train them to think about cybersecurity every single time they go online. When they think about how to transfer products to the market, they need to think about how to do it in the safest and most secure way.
I would love to say that we're spending more time on educating people about risk and how to communicate risk, but I don't know if we do that enough globally. I don't think we even do it enough across the region.
What do you think cybersecurity jobs are going to look like maybe six months down the road?
I would say cybersecurity is definitely going to be spoken about a lot more at the executive forum. It's always been one of the top items discussed at board level, but the challenge has always been to get people to actually do something about it.
The pandemic has shown that we've planned for fire, flood, buildings collapsing. But we haven't planned for this situation that we're facing today, or the idea that we'd have to run everything remotely. In today's situation, the requirements for the cybersecurity skillset can be quite steep. It's about maintaining the security of the entire organization, but without being inside the organization. It's about being able to sustain and run the business even if there is a second wave of COVID-19—would we be able to keep things going the way they used to, or would we start to suffer some issues and challenges? Today's cybersecurity professionals need to think a lot about how they can manage this autonomously, and how they can leverage technology a lot more to help them out.
Do you think that cybersecurity in the future will be more of an in-house role, or is it more likely to be outsourced like the cloud infrastructure?
The important thing to remember is that accountability always lies with the organization. Yes, you can push the responsibility for managing security to someone else.
But at the end of the day, if your organization were to be breached, it's your organization that will be on the front page of the newspaper, not the organization that was helping you manage your security.
To put a more positive spin on it, you need to think in terms of the outcome you're looking to achieve and the timeline you have in mind. Don't think of just hiring someone to stare at your setup and hope that they magically find the needle in the haystack—think of knowing the infrastructure, knowing how to secure it, knowing how to proactively hunt for threats that may be inside the organization or brought externally by users. That's a key outcome. And if you don't have the skills, the resources, the capability, go find it. Go leverage some of the great partners that are out there to help with that.