CybersecAsia: How can governments and businesses make the shift and expand the cyber talent pool?

Hugh Thompson: We can all agree that developing cybersecurity talent is a crucial priority right now, especially when we have ever-increasing dependence on technology, and at the same time, that technology—and the people that use it—is under an onslaught of cyberattacks.

Expanding the pool starts with being open to training candidates without prior experience in the field. We need to look at the talent crunch through a human-centric lens: understand the position of would-be candidates and provide a clear value proposition to them which includes charting out career progression.

Also, working with mentoring programs, in partnership with other organizations, will be important for outreach and for matching interested candidates with the right organizations.

CybersecAsia: Big thinkers are constantly watching the world from the sidelines and formulating big ideas worthy of TED talks. In the wake of the world’s worst-ever coronavirus pandemic, what keeps you up at night when you go about pushing for lasting tech collaborations and cybersecurity resilience?

Hugh Thompson: While it is easy for people to see the utility with technology, it is much more difficult to assess the risk with technology.

A few years ago, some may have believed that we could educate our way out of this cybersecurity problem. The challenge we are facing with security awareness is that we often teach people ‘rules’ like “Don’t click on a link in an email from someone you don’t know.”

If an attacker knows that someone is following a specific rule like this, they will adapt their techniques around it, or worse, cite the rule in a phishing email to build credibility and then direct the user to do something else that may invite threats in.

This dynamic between the attacker and defender continues to favor the attacker; there are many ways to personalize attacks. Yet, the average human being is not equipped psychologically to handle mass personalization. We see many attack groups are now getting to the point of automation with technology, and the marginal cost to personalize attacks is rapidly approaching zero from a cost perspective.

These are very important elements all of us should keep in mind and consider—especially people who have influence over policy. Over the long term, we must accept that people will generally behave in a way that maximizes utility and will therefore build technologies where the path of greatest utility is also the path of least risk.

CybersecAsia: If you could not succeed in influencing the disparate tech sectors to unify and do what is right for their own regions and cultural needs, what are the foreseeable consequences in the medium- to long-term?

Hugh Thompson: Massive digitization, the proliferation of IoT and increased connectivity mean that the frequency and severity of cyberattacks are likely to continue to rise.

To face this challenge, we need a constant push for innovation and the growth of the pool of cybersecurity professionals. No single nation can accomplish this alone—it is a unifying problem that businesses, academic institutions and governments need to rally around. Here is a forum keynote that touches on this complex issue.

CybersecAsia.net thanks Hugh for his insights. Readers who have a vested interest in cybersecurity and the talent crunch can continue the dialog at the virtual RSA Conference 2020 APJ.