Editor’s note: James Lyne, a cybersecurity expert and global head of security research at Sophos, will deliver the opening keynote address at the 2018 CSX Europe conference, to take place 29-31 October in London, UK. Lyne visited with ISACA Now to discuss major challenges faced by the cybersecurity industry as well as which characteristics best position cybersecurity practitioners for success. The following is a transcript of the interview, edited for length and clarity.
ISACA Now: You describe yourself as a “massive geek.” What are some characteristics that earn you that esteemed distinction?
I’ve always loved technology and breaking things apart to understand how it all works. From a young age, I was dangerous with a soldering iron and enjoyed meddling, or building neat devices, like my first FM bug transmitter at 13! I take great joy in my geeky pursuits from programming to malware reversing and gaming. Geek culture is fantastic fun!
ISACA Now: What has surprised you most about the way the threat landscape has evolved over the past year or two?
Some trends continue for a very long time, and certain tactics are undeniably a staple of cybercriminals – for example, the old but eminently practical use of phishing. I think the most interesting shift over the last couple of years is cybercriminals’ diversification related to how they monetize you. Stealing data for fraud is not news, but the transition to ransomware that allows cybercriminals to profit from the fact you care about your data was quite a change – even more when they started using coin-mining malware to leverage your hardware to make money. That was an interesting shift from just stealing data and is brilliant in the ubiquitousness of its application.
ISACA Now: What is it going to take to attract more people to the cybersecurity profession?
One of the biggest issues here has been how under-advertised the profession has been. I’ve talked to countless winners of competitions and games that were organized to find talent and nearly every one of them said “I didn’t know I would be any good” or “You can do this for a job?” Even now, we do an OK job of advertising certain parts of the profession, like penetration testing, but fail to show how impactful and exciting other domains are. The other obstacle to overcome is how people first transition to industry. There are a vast number of roles that require five years’ experience and a tiny number that allow someone to start at an entry level to get said experience.
ISACA Now: What are the most important traits that would position somebody for success as a cybersecurity practitioner?
Most cybersecurity disciplines require extensive learning, and so a passion and drive to learn more about the topic is critical. Many security disciplines also require problem-solving and plenty of persistence. The drive to want to understand how a specific piece of code works and how to attack it, or to produce a tool that solves a new problem, is somewhat crucial. As much as this is a job that pays the bills, I do find that many of the more successful practitioners truly care about making things more secure and improving technology resilience and safety for all of us.
ISACA Now: How do you envision AI having the biggest impact on cybersecurity practitioners in the next 3-5 years?
Many are quick to anthropomorphise AI and assume much more significant ramifications than are likely in the short term. Even still, there are interesting short-term ramifications to security due to AI. As machine learning and AI are deployed and enhanced to solve business problems, they are potentially notable targets for attackers. For example, their data sets could be poisoned to change outcomes. At the moment these systems need to be protected just like conventional systems, but as they develop, perhaps new security issues and controls will be required. There is a lot of uncertainty in this fast-moving space, and both opportunity and looming threat.
More positively, there already are interesting applications of machine learning and AI occurring within the security domain, such as analyzing substantial data sets and identifying opportunities for better threat prevention. The cybersecurity industry has leveraged expert systems for a long time to extend the capabilities of human researchers and, as this technology develops, it will likely have even greater impact.