Influential trends for emerging roles in digital security - 2023 and beyond

Over the last 21 years, “misuse” and “human error” have been seen as the most significant root cause of data breaches. From 2000 to 2021, we observe 4,457 human errors out of 10,363 errors as the root cause. According to research report Ponemon “Data breach costs rose from US$3.86 million to US$4.24 million, the highest average total cost in the history [1]” We also know that 287 is the average number of days taken to identify and contain a data breach. The longer it took to identify and contain, the more costly the breach.

In Figure 1 we observe that the cybersecurity industry is now better at identifying actors. Second, there is a significant rise in organized crime (5% to 38%), and lastly, the danger of mistakes by developers is increasing (from 0% ten years ago to 11% today). The actors have become increasingly sophisticated, and the impact is more catastrophic than 20 years ago.

• A top-down approach to cybersecurity [2]
• The risk of spreadsheet-based security assurance [3]
• An increase in technology adoption requires “craftmanship” [4]
• Security spending is under scrutiny [5]
• Sophistication and dynamics of cyber actors and attacks [6]
• Lacking awareness campaigns
• State-sponsored spionage [6] [7] [8] [9] [10]
• Mis-configurations and human errors
• Machine learning and artificial intelligence [4]
• Distributed – fragile – hybrid environments [11] [12] [13]
• Cybersecurity alarm fatigue
• New ways of working (DevOps, Agile, Scrum) [12]
• Continuous software development [3]
• Regulatory and assurance (integrated reporting) pressure [14]
• Outsourcing of security tasks
• Ethics in cybersecurity [10]
• War on talent
• Difficulties with handling data according to regulatory requirements [15]
• Virtual identities.

Our objective is not to be exhaustive but to give you some significant trends based on our experience and external research reports and articles. These trends will demand other capabilities and, therefore, roles in the cyber domain such as: Cyberdata Analyst, Cyber Attack Agent, Cyber Calamity Forecaster, Machine Risk Officer, Virtual Identity Defender, Data trash engineer, Cloud orchestration architect, Security vaccinator, Cyber talent magnet, and AI auditor. We briefly explain each function in the section below to give you an idea about what those roles mean. In the end, we blend this into our vision of the part of the CISO and the future – workforce – curriculum.

Due to the rapidly changing threat landscape and the morphing actors, it is hard to keep up with this knowledge and translate it into actions. These actions seem to work. We also identified that the cybersecurity in the healthcare industry was substantially improved, resulting in the percentage of medical data compromised decreasing from 44% in 2010 to 14% in 2021 (Figure 2) based upon 100% deviation between the several data types (might be so that amount of data increased). Financial data has also become less exposed. The reason for that is that regulated companies expend more efforts on cybersecurity and framework implementations that are designed to prevent financial data from being exposed. On the other hand, we note that regulatory requirements and associated frameworks are not a ‘silver bullet’ and that personal data breaches have increased (from 20% in 2011 to 43% in 2021) despite mandatory data protection laws (e.g. GDPR, CCPA) in place since early 2018. The main reason for this is the lack of knowledge and skills [to implement technical measures], confirmed by research at Antwerp Management School in 2020 [15]. All of these trends make us wonder what our future priorities should be: should we put technology or education first?

To face this problem, cyberthreat agents or Security Operations Centers (SOCs) rely on a vast body of reports of newly detected (or suspected) threat avenues that are reported in public sources: newsfeeds, mailing lists, Twitter streams, forums, etc. Many non-public sources are also offered: like paid vendor threat bulletins and announcements in closed channels. This forms a growing challenge, which is a specific instance of the ‘firehose’ data problem. A lot of data is available. Beforehand, its veracity is never beyond doubt. Moreover, it is not guaranteed to be structured so that automated or emi-automated processing is easily enabled. And, with many data sources potentially shedding light (potentially from different perspectives) on issues that share underlying coherence, discovering the relationship between reports from various sources is a critical enterprise. Also of note is that data sources are linguistic, with a wide range of potential source languages. Many are in English (of varying quality), but far from all, and one should never exclude the possibility that a highly relevant and urgent report could be published in Russian, Korean, Chinese, German, French (etc.) first.

Given the data stream’s size (‘firehose’), the scalability problem arises; a high level of automation is called for. With this problem in mind, we define three related capabilities:

1. Assessing Data Source Quality
2. Intelligent Correlation, Relevance, and Risk Determination
3. Automating Data Source Handling Process Flow and directing that to target audiences in a presentable and actionable format.

Based on the threat data, the calamity forecaster can carry out trend analysis on sectors (finance, retail, manufacturing), countries, platforms (Microsoft, Oracle, etc.), environments (Industrial plants), etc. This role is becoming more and more critical since the majority of the people do not see the trees in the wood anymore and need somebody to translate calamity information into possible decisions.

In the full article, which can be found here: https://www.linkedin.com/pulse/influential-trends-emerging-roles-digital-security-2023-bobbert/, we highlight the main emerging roles:

• Cyberdata Analyst
• Machine Risk Officer
• Cyberdiplomat
• Cyber Attack Agent/SEAL
• Data Trash Engineer
• Cyber Philosopher
• AI Auditor
• Security User Experience (SUX) Designer

For these future roles, you need educated talent. Many learning and certification programs that have already been developed are a complete forest of trees for many HR professionals or recruiters. For the HR professional, it is becoming more and more complex to distinguish talent from amateurs. You simply cannot judge on certification alone; one needs to look deeper into intrinsic motivations and personal capabilities. This seems obvious, but in Information security, it is not easy for an HR professional to see how good someone is in a particular domain.

Lee proposes in the article “Seeking the Purple Squirrel” to opt for an open job description named “Desired Experience”: “Security is a rapidly evolving space, made up of numerous different technologies, and no single person is expected to possess every characteristic in this list. A curious mind, an ability to think about the rules and how to break them, and a willingness to learn are the most important traits we look for. If you have some of the following and are willing to learn more of them, we want to hear from you.”

Despite great progress in the industry, the race for talent, and the search for the Purple Squirrel, data and information inaccuracy remain a considerable challenge for many organizations. Inadequate detection rates and slow response to attacks are evidence of this. The lack of craftsmanship is the leading root cause for these insufficiently configured security tools and the many-point solution. But the stakes are high. An inadequate and seemingly weak response to breaches can negatively impact a company’s perceived value and potentially its share price. This information rarely trickles down to operational teams. There is a task here for all security professionals to communicate “fact-based data” upstream and downstream. The Executive Master’s program in Cybersecurity at Antwerp Management School focuses on many aspects, such as Cybereconomics and decision-making, Security in distributed environments, API security, Leadership, Data Security, Incident Response, and HR.

[1] Ponemon, "Cost of Data Breach Study: Global Analysis," Ponemon Institute LLC, Verenigde Staten, 2016.

[2] WhiteHouse, "Executive Order on Improving the Nation's Cybersecurity," https://www.whitehouse.gov/bri..., Washington, Verenigde Staten, 2021.

[3] Y. O. N. Bobbert, "LockChain-technologie als één bron van waarheid voor Cyber, Informatiebeveiliging en Privacy," in Computing Conference, Londen, 2020.

[4] Y. Bobbert en M. Butterhoff, Leading Digital Security; 12 manieren om de stille vijand te bestrijden, Utrecht: https://12ways.net/blogs/emerg..., 2020.

[5] AFCEA, "De economie van cyberbeveiliging: A Practical Framework for Cybersecurity Investment," AFCEA CYber Committee, 2013.

[6] MITRE, "Aanvalgroepen", 2021. [Online]. Beschikbaar: https://attack.mitre.org/group....

[7] AIVD, "AIVD Jaarverslag 2020," 2022. [Online]. Beschikbaar: https://english.aivd.nl/binari....

[8] AIVD, "Cyberaanvallen door statelijke actoren," Ministerie van Defensie Militaire Inlichtingen- en Veiligheidsdienst, Den Haag, 2021.

[9] AIVD, "Publicatie AIVD en MIVD 'Cyberspionage: bent u zich bewust van de risico's?' Een gezamenlijke publicatie van de AIVD en MIVD over de dreiging van cyberspionage voor bedrijven en instanties," Ministerie van Binnenlandse Zaken en Koninkrijksrelaties van de Algemene Inlichtingen- en Veiligheidsdienst (AIVD), Den Haag, 2017.

[10] BakerMcKenzie, "Het toenemende belang van het beschermen van bedrijfsgeheimen," 2017. [Online]. Beschikbaar: https://www.bakermckenzie.com/....

[11] T. Kumar, Wat is de impact van gedistribueerde agile softWare ontwikkeling op teamprestaties, Antwerpen: Antwerp Management School, 2020.

[12] Y. Bobbert, M. Chtepen, T. Kumar, Y. Vanderbeken en D. Verslegers, Strategic Approaches to Digital Platform Security Assurance, Hershey, PA: IGI Global, 2021.

[13] E. Botjes, "Defining Antifragility and the Application on Organization Design," Antwerop Management School (AMS) -https://zenodo.org/record/3719..., Antwerpen, 2020.

[14] Y. Bobbert, Improving The Maturity of Business Information Security; On the Design and Engineering of a Business Information Security Artefact, Nijmegen: Radboud Universiteit, 2018.

[15] J. Kuijper, "Effective Privacy Governance-management reserach_A view on GDPR ambiguity, non-compliancy risks and effectiveness of ISO 27701:2019 as Privacy Management System," Antwerp Management School, Antwerpen, 2020.