Jim Motes believes he has a solution to the glaring shortage in cybersecurity talent, which renders corporations more vulnerable to hackers. The CISO of Rockwell Automation proposes a cooperative staffed by the best engineers from member companies. This team of seasoned information security professionals would be better positioned to protect corporate networks than most managed security service providers (MSSP), he says.
"We have a shortage of cybersecurity professionals, with people shoved into jobs [they] are not qualified to do," says Motes, who will formally present the proposal to fellow CISOs at the manufacturer's Milwaukee headquarters on November 30. "We have a stressed-out work force, a shallow talent pool and an increase in demand like nothing we've ever seen before."
[ Related: CISO bets on cloud security services to protect data ]
It's hard to find fault with that point. Cybersecurity concerns have ratcheted up significantly in the past two years, spotlighted by reputation-tarnishing hacks at Target, Home Depot, Anthem and other companies. And things aren't getting any better. A recent PwC survey reported a 38 percent uptick in cyber-assaults from 2014. The result has business leaders and their boards rethinking their cybersecurity practices.
Not enough cyberprofessionals to protect companies
While Motes says companies should cultivate a multi-layered approach to cybersecurity technologies, there simply isn’t enough qualified staff capable of shielding corporate networks from attackers who excel at covering their tracks. The cooperative would shore up network defenses and monitor them for attacks. The services are similar to what MSSP offer today, but with some key differences, says Motes, who has delivered MSSP services in previous roles at Perot Systems and Affiliated Computer Services.
Most MSSPs are trained to monitor threats and call clients when they find anomalous activity. They are motivated by profit to rack up as many clients as possible, an approach that dilutes their effectiveness because they have too many customers to become familiar with various vertical industries, each of which boast unique architecture and defense requirements.
Also, when a company is breached, the MSSP typically returns only the money paid to them, which is typically thousands of dollars, as opposed to the millions of dollars breach might cost a brand. “[The cooperative] beats out an MSSP, which is made up of a bunch of guys who sit there and watch glass for a whole lot of customers,” Motes says.
Initially, Motes says the co-op would work best with manufacturing companies with profiles similar to Rockwell Automation. But, eventually, the co-op would develop specialists, versed in how to handle threats for retail, finance, healthcare and other sectors. Knowledge would become institutionalized and shared for the good of the co-op, which would invest in training its members on the latest threats and emerging technologies. The co-op would sustain itself utility-style, charging clients on a pay-per-use basis. It would do a "good job without bringing in outsourced services, and we could create a center of excellence that could be replicated for other industries," Motes says.
Co-op could better protect privileged user accounts
One area the co-op would be well-positioned to protect is privileged user accounts, essentially valid credentials designed to be used by systems administrators to manage network systems, run services or allow applications to communicate with one another. With few network access restrictions, privileged user accounts are frequently seized by attackers to infiltrate corporate systems. Such accounts played critical roles in high-profile hacks at Sony Pictures, Las Vegas Sands casino and the Office of Personnel Management.
Protecting privileged user accounts is top of mind for Motes. Rockwell Automation has recently consolidated IT operations under a single outsourcing firm, whose staff require privileged access to, for example, provision and manage the Windows servers and network infrastructure required to operate the business. The outsourcer's access Rockwell's network both on site and remotely via virtualized connections. Extending the company's attack surface initially made the board of directors uneasy.
[ Related: 7 tips to becoming a successful CISO ]
Rockwell uses software from CyberArk to sandbox privileged sessions and prevent the spread of malware from user endpoints to critical systems as well as to prevent users and their devices from ever exposing the privileged account credentials. It also generates an audit log to track any suspicious activity for both the outsourcer's staff and Rockwell's employees. "We don't want them logged in with that privilege without us tracking it, knowing who logged in [and] what they did and when," Motes says.
Things to make a security co-op hum
For the co-op to work, Motes says members would have to make sure their own security, including mitigating the privileged access control threat, is up to par. He envisions seasoned cyberprofessionals hailing from a variety of industries could train interns within the co-op to combat cyberthreats. “Nobody is as good as the team you grow and invest [time and effort] in training,” he says.
Motes has already received the greenlight for the co-op initiative from Rockwell Automation’s senior management, including the company’s general counsel. And he’s received a positive response from the Wisconsin state assembly, as well as fellow CIOs to whom he’s floated the idea. Some peers challenged the co-op premise, noting that their staff wouldn't want to move out of their current roles to go work for a co-op, which would essentially launch as a start-up. But Motes argued that staff would receive valuable cross-training, making them more valuable and well-positioned for advancement within the co-op, or elsewhere. “We’ll give them a career path, they won’t see [at their current company],” he says.
However, cybersecurity has always been a touchy subject between corporations. For that reason, perhaps the greatest opposition to the co-op will come from companies opposed to sharing cybersecurity insights for fear of exposing themselves to bad actors seeking the next big challenge. Motes will find out November 30.