Jim Motes believes he has a solution to the glaring shortage in cybersecurity talent, which renders corporations more vulnerable to hackers. The CISO of Rockwell Automation proposes a cooperative staffed by the best engineers from member companies. This team of seasoned information security professionals would be better positioned to protect corporate networks than most managed security service providers (MSSPs), he says.
"We have a shortage of cybersecurity professionals, with people shoved into jobs [they] are not qualified to do," says Motes, who will formally present the proposal to fellow CISOs at the manufacturer's Milwaukee headquarters on November 30. "We have a stressed-out work force, a shallow talent pool and an increase in demand like nothing we've ever seen before."
It's hard to find fault with that point. Cybersecurity concerns have ratcheted up significantly in the past two years, spotlighted by reputation-tarnishing hacks at Target, Home Depot, Anthem and other companies. And things aren't getting any better. A recent PwC survey reported a 38 percent uptick in cyber-assaults from 2014. The result has business leaders and their boards rethinking their cybersecurity practices.
Not enough cyberprofessionals to protect companies
While Motes says companies should cultivate a multi-layered approach to cybersecurity technologies, there simply isn’t enough qualified staff capable of shielding corporate networks from attackers who excel at covering their tracks. The cooperative would shore up network defenses and monitor them for attacks. The services are similar to what MSSPs offer today, but with some key differences, says Motes, who has delivered MSSP services in previous roles at Perot Systems and Affiliated Computer Services.
Most MSSPs are trained to monitor threats and call clients when they find anomalous activity. They are motivated by profit to rack up as many clients as possible, an approach that dilutes their effectiveness because they have too many customers to become familiar with various vertical industries, each of which boasts unique architecture and defense requirements.
Also, when a company is breached, the MSSP typically returns only the money paid to them, which is typically thousands of dollars, as opposed to the millions of dollars a breach might cost a brand. “[The cooperative] beats out an MSSP, which is made up of a bunch of guys who sit there and watch glass for a whole lot of customers,” Motes says.
Initially, Motes says the co-op would work best with manufacturing companies with profiles similar to Rockwell Automation. But, eventually, the co-op would develop specialists, versed in how to handle threats for retail, finance, healthcare and other sectors. Knowledge would become institutionalized and shared for the good of the co-op, which would invest in training its members on the latest threats and emerging technologies. The co-op would sustain itself utility-style, charging clients on a pay-per-use basis. It would do a "good job without bringing in outsourced services, and we could create a center of excellence that could be replicated for other industries," Motes says.