Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, January 12th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
This week IT World Canada announced a partnership with the Canadian Cybersecurity Network. In a few minutes Francois Guay of the network will be here to talk about how the partnership will benefit the cybersecurity community and to discuss the current job market for security professionals.
But first a quick look at some of the headlines from the past seven days:
The U.S. Securities and Exchange Commission became the latest major organization to have its account on the X social media platform hacked. The attacker was briefly able to post an official-looking message that the regulator had approved bitcoin exchange-traded funds. X says its IT system wasn’t breached. Instead it says the attacker somehow got account control through a phone number. That suggests the hacker was able to persuade a wireless carrier to swap the SIM card of an SEC employee’s cellphone, or persuade an SEC support staffer to change the cellphone’s access. X also says the SEC didn’t have two-factor authentication protection enabled on the account. So far this year Mandiant and a Canadian Senator are among those who temporarily lost control over their X/Twitter accounts.
Speaking of the SEC, the regulator got German software provider SAP to agree to pay US$100 million to settle charges that bribes were paid to officials to win business in several African countries, as well as Indonesia and Azerbaijan. SAP recorded the bribes as legitimate business expenses.
A decryptor for victims of the Babuk Tortilla strain of ransomware was released by researchers at Cisco Systems. Not only that, Dutch Police were able to arrest the crook behind this strain. The decryptor is available on the NoMoreRansomware site as well as from Avast, which has decryptors for several Babuk variants.
Much has been written about the 2008 compromise of Iran’s nuclear weapons development systems through the deployment of the Stuxnet worm. A Dutch news site this week claims a Dutch engineer was recruited by the country’s intelligence service to somehow deliver the malware on-site through a water pump. Is it true? It’s a mystery.
HMG Healthcare, a company that runs rehabilitation and long-term care facilities in Texas and Kansas, has acknowledged personal and medical data of patients and employees was copied in a hack last August. The company hasn’t said how many people are affected.
Finally, American mortgage lender LoanDepot was forced to take some IT systems offline this week following a cyber attack. It isn’t using the ‘r’ word, but the company says some data was encrypted.
(The following transcript has been edited for clarity)
Howard: Joining me now are Jim Love, publisher of IT World Canada and Francois Guay, founder of the Canadian Cybersecurity Network and the Canadian Cybersecurity Jobs portal. Francois is a former vice-president of global recruiting at Nortel Networks who has moved into the cybersecurity market. There’s a new partnership between Francois’ efforts and IT World Canada. Before I ask Francois about the job market for cybersecurity professionals here, Jim and Francois will explain what the partnership means.
Jim Love: I’m thrilled about this. I met Francois mostly by chance and in networking. IT World Canada is known for its technology journalism. We have no bigger draw than our security publications. We put on an annual conference called MapleSEC every year where we bring together security professionals from around the country. And this podcast is a big part of what we publish and what our community is interested in. Probably 10,000 people listen to this podcast every time there’s an episode. But there’s a curious thing that happens in Canada … We tend to fragment into little groups. But when I met Francois he was so open to the idea of why don’t we combine our efforts and really work to serve this community? And that’s where this all started.
Francois Guay: It’s amazing because we’re very focused with the Canadian Cyber Security Network on collaboration, trying to get other organizations in the country — associations, businesses, government — to work with us around some of the common challenges around cybersecurity. And as you mentioned, everybody likes to have their own little slice of the world. It’s so nice to meet up with you and [ITWC president] Ray Christophersen and start having that conversation about how we can work together … and making Canada the star. Our motto is ‘Stronger Together’ at the Network, and that means it’s all about collaboration.
Jim: Given the discussions we were having, it was so neat to see your logo with that ‘Stronger Together’ line on it. We also bring our partnership with the Canadian Association of CIOs and they have a cybersecurity arm as well.
Francois: I think there are some exciting programs from working together. You mentioned a few like MapleSEC. We’re looking forward to how we can help you grow, bring some thought leaders to it and continue to extend the reach. The first collaboration I think we’re going to focus on is Cyber Towns. It focuses on trying to share how Canadian cities and communities are attracting and retaining talent and making them the best places to work in Canada. Whether it’s remote work or not, people want to grow in communities. They have resources: the tax bases are reasonable. They have access to nature, access to all types of activities. Cyber Towns is really about identifying the top communities in Canada where cybersecurity resources want to work, or potentially should work. Bringing out a report and talking about the challenges facing communities and facing Canada in both attracting and retaining those [human] resources. We have a challenge keeping them. So for us, it’s all about attracting, developing and retaining the talent here. Cyber Towns is an extension of that.
Jim: Cyber Towns fits so nicely with our Technicity series, which is the study of technology in cities and the partnership of government and private sector and communities. I’m really also excited about this idea that we’ve talked about in terms of really becoming a knowledge hub.
Howard: What does membership in the Canadian Cybersecurity Network get you?
Francois: There are a lot of different services an individual has access to: Mentoring, the Canadian Cybersecurity Jobs portal, a LinkedIn group which I think has about 37,500 members across Canada. They can network, ask questions about what certifications they should be taking, what education should they be taking, what program should they take, what are the skills required, what are the technologies being used in cyber security.
For business members, we’re really focused on making them shine. We have webinars all year. One coming up will be about Canada’s failure to launch on the educational side. There are phenomenal opportunities for them to access these services to grow their business. This [partnership with IT World Canada] is just an extension of that.
Howard: What’s the state of cyber security jobs in Canada? There are many reports about IT departments around the world finding it hard to find cybersecurity professionals. Is that the same here in Canada?
Francois: Yes, there are a lot of job openings in Canada — but there are a lot of cyber security graduates sitting on the sidelines. The requirements of organizations looking for work experience is extremely detailed. They’re looking for four or five years of experience. You can’t expect these graduates to have that. It’s very much what I faced during the telecom boom of 1996 when telecom companies were looking for PhD students and there were only so many available. At the time Nortel was hiring 33 per cent of all PhD students graduating across Canada. Today there’s a lack of those types of resources, so organizations have to change their culture to adapt to the marketplace. It’s going to require a culture shift in a lot of companies to start looking at graduating resources differently and at people with lack of experience.
But we have noticed a 25 per cent drop in the job market. There are definitely fewer companies hiring for cyber security. That’s partly because, you know, we’re going through a difficult economic time. We’re seeing consolidation [among businesses] taking place. We’re seeing venture capital in Canada decreasing. And there have been layoffs in pockets across the country. These are impacting an organization’s ability to hire.
Howard: I can understand why employers are demanding. This is cyber security. They’re not hiring marketing people. So experience to some degree counts. But what should employers be reasonably looking for?
Francois: If they’re looking for experienced hires that’s a different story. But I’ll tell you some of the things that most companies are looking for. They like individuals to come in as grounded as possible on the whole network infrastructure — all the endpoints, understanding mobile and all those kinds of things. Apart from the technology side, it really comes down to communication skills. More and more cyber security individuals need to be able to communicate effectively — with clients, with their peers and they need to be able to communicate across any of the partnerships [their organizations] have in place. In a lot of cases that’s not a skill that universities and colleges are focused on. And Canada has bumped up immigration, but for the individuals that are coming, English [or French] may not be their first language. And language skills aren’t being worked on in universities and colleges to adapt them to the marketplace. So this becomes a challenge.
We need adaptability. We need curiosity in cybersecurity. These are the things that involve constant learning. Look at what’s happening with quantum and AI. AI is starting to make a significant impact. It’s going to be incredible this year but there are very few resources available on quantum, very few graduates. And I would say the same thing on the AI side. We’re behind the eight ball and there’s a real fight going on for talent. I would include cloud as one of those things as well. Individuals that have cyber security and cloud experience are very difficult to find.
Howard: It seems to me that Canadian colleges and universities are increasingly offering cybersecurity training to IT students and certainly there’s no shortage of training available for IT people to earn certifications on particular products and on broad technologies. So are employees just too demanding?
Francois: No. Although there are a lot of universities and colleges offering cybersecurity programs, one of the challenges is to get them closer to employers and embrace the technologies that industry is using. The problem is that the funding that comes from the government and the provinces is based usually on just ‘Provide us with a curriculum. Show that you may have industry support.’ But it’s not a guaranteed support. It may just be a couple of letters of recommendation. So they get the funding, they develop a program and the program is not tied to industry. There’s no industry buy-in. So people may not have the tools that the industry is looking for. Schools should be building in things where students do some testing, like Field Effect is doing with Algonquin College, where they’ve actually invested millions of dollars to create a cybersecurity lab in the school for students. Toronto Metropolitan University and the Rogers Cybersecure Catalyst have done some great work in working with industry. But a lot of other schools and colleges are lagging and therefore employers don’t see that experience in tackling cyber security problems. Even if it’s just six months or a year tied into the educational process [it will help]. But then a lot of the curriculum was developed with tools that aren’t relevant to industry, or that don’t have access to a work environment or a cloud environment where a lot of the companies are working.
Howard: Is this a matter of provincial/territorial boards of education not going to industry and saying, ‘We need your input. We need your collaboration on cyber security programs?’ Or is this a matter of industry not pushing the provinces?
Francois: It’s a little bit of both. I think the government requirements are superficial for universities and colleges as far as getting funding for some of these programs. And then industry, unfortunately, is always very busy. Their role is to make money. They tackle recruiting usually in six-month cycles and don’t look long term — just like universities and colleges that develop a program and may not change it for years and years … Meanwhile industry’s already adapting to AI and quantum and who knows what’s coming down the pipe. So I think that from that perspective there’s a responsibility on a lot of different players to step up.
Howard: What about those looking for cybersecurity-related jobs? Are they doing anything wrong? What should they be emphasizing when they send in resumes? When they go for job interviews?
Francois: A lot of them don’t have a LinkedIn profile or have very little under their LinkedIn profile. Unfortunately most employers leverage LinkedIn for recruiting cybersecurity talent … This is why we built [the CCN] community. We want individuals to come in here, learn, talk to people, find out what the best programs are to go into, what certifications they should get, what skills they need, how to develop speaking skills … I probably get about 50 to 100 requests a day asking me to find them a job. That’s why we built the Canadian Cybersecurity Jobs community …
I would say that the important thing is to talk about your journey and why you would be a good fit for an employer. I tell them, ‘Don’t just apply to job postings, reach out directly to the network. Start working with individuals and ask for help — a quick phone call, a quick review of your resume, a quick discussion around what is it like to work in pen testing or to work in a cloud environment — and start building from that. Reach out directly to employers. Bypass the recruiter and go directly to the hiring manager and share your value proposition. Tell your story, tell them why you would be a good fit.’