In the current threat environment, it’s essential for organizations to harden their systems with the latest tools to protect against technological and software vulnerabilities. But if you look at how attackers are actually getting in the door, more often than not, it’s through human vulnerabilities. These can include everything from an unsuspecting employee falling prey to a phishing email, to sharing passwords, to leaving a tool like TeamViewer open. ICS Pulse recently talked to Debbie Gordon, founder and CEO of Cloud Range, about the dangers of not training your employees and why cyber practitioners need to have more than just skills. Listen to the full podcast here.
The following was edited for clarity.
ICS Pulse: Let’s start off by learning a little bit about you. You’re the founder and CEO of Cloud Range. Can you tell me a little bit about your background and why you saw a need for this company?
Debbie Gordon: Really, my career started in the technical education space back in the mid ’90s, during that time when people were getting CNEs and MCSEs. That was something that enabled people to get a job, and most of the time perform a job really well. What’s very different in cyber is that if somebody has a certification, it really is just table stakes to be able to qualify to apply for a job. It doesn’t mean they can perform a job or even perform a job well on an ongoing basis. So everything that went on in my career, 30 years ago to now, things have changed in technology and the need for training. With cyber, I was very, very aware of the talent shortage and how that impacts organizations.
It’s not just a matter of having empty seats, but it’s about the people who are already employed in cyber and how competent they are and how much experience they actually have. So I set out to solve for that, to make sure that organizations had the ability to continuously train people to be cyber defenders so that they’re proactively preparing for the next attack. That is how Cloud Range came to be.
ICSP: Human errors are where a lot of attacks are coming in. What happens when you fail to train your people, even if you have hardened your systems?
Gordon: There are human vulnerabilities that come in a few forms. No. 1 is the vulnerability associated with somebody clicking on a phishing email or responding to a phishing email. The second one is insider threats, and those can show up in many different ways. But the third, which is where we’re really focused, is how do we make sure that the people who are in the security operations center and the incident responders, how do we make sure that those people are prepared to detect and respond to the first two, whether it’s somebody clicking on a bad email or an insider threat activity?
How do we make sure that they – I call them the goalies, they’re the people who are the last line of defense – how do we ensure that they have not just the skills but the competencies to detect, investigate, respond and remediate those attacks? Because every single attack that we hear about in the news, every one of those companies had tens of millions of dollars of cyber technology. But what they all have in common is that people did not know what they were looking for or looking at. And it’s not their fault. People are only as good as their experience, so we have to give people experience in a way that’s safe. That’s why we use simulation to do that.
ICSP: In previous podcasts, we’ve talked about labor shortage versus skill shortage, because there are plenty of people out there willing to work, but the skills to do so are not necessarily there. Would you say that’s prevalent in the cyber industry?
Gordon: Absolutely. We refer to it as an experience shortage, actually, because people can have skills. Individual skills are very prevalent, but when defending against cyberattack, people need to know what they’re looking for. They can hear and read, assist the advisory, and understand and read about TTPs or some threat actor, what they’ve done. But until they’ve experienced it, they really don’t know what that looks and feels like. So, yes, there’s absolutely a talent shortage by the number of open seats globally.
But where we look and where we focus is giving people the experience that they need to perform their jobs better, and not just today but on an ongoing basis. And so, yes, there is a talent shortage, so there are empty seats. Yes, there is a need to create more talent in education programs, whether it’s higher education or workforce development, or even within companies to really build their own talent. But it’s equally important to ensure that the people who are employed in cyber have ongoing experiential training because cyber changes every day.
ICSP: Especially as we press onward with our digital transformation journey. Cybersecurity needs to keep growing with it. What are some of the risks for companies that aren’t ready for the new cyber landscape?
Gordon: Well, as you guys know, a lot of our work is on the data security side. But with operational technology and critical infrastructure and ICS (industrial control systems), that’s a whole different game. And it’s not a game. It’s not funny because it’s one thing for data to get exfiltrated, but it’s another thing when critical infrastructure can get shut down. It’s about safety. At the end of the day, it’s about human lives also. People don’t necessarily think about that the way that they should because in some critical infrastructure sectors, it’s one thing if production goes down and there’s X number of million dollars an hour that are not being realized because production is down.
But it’s another thing if the bad guys can get into a nuclear power plant. It’s just a whole different ballgame. The challenge that is much greater in the critical infrastructure world is that the organizations are sometimes disparate about who is overseeing cyber and whose responsibility it is. That’s a constant challenge. A lot of organizations haven’t quite figured it out yet. So there’s a lot of discussion on convergence of IT (information technology) and OT (operational technology). And it’s not just convergence of technology, but it’s how do you converge these disparate organizational segments so that it’s very clear where the decision process is?
ICSP: And these different sides have very different goals as to what they’re trying to do.
Gordon: Uptime versus confidentiality, data protection. Absolutely. And they can conflict.