March 2017

RSA Conference | Cybersecurity Jobs Go Begging


 

By Robert R. Ackerman Jr. | Founder & Managing Director of Allegis Capital | March 27, 2017

 

In an era in which we chronically hear about a profusion of new low-paying jobs, there is a challenging and diversified specialty – the cybersecurity professional – that pays well and offers good advancement potential. And yet, we can’t come close to filling the demand for these types of workers.

Security pros protect critical information, which means they have an immediate impact on the businesses in which they work.  Cybersecurity is also a challenging puzzle and one that changes all the time, eradicating boredom. Because cybersecurity touches virtually every other IT discipline, cyber pros are also constantly learning.

As previously mentioned, the pay is good, too. According to New Horizons Computer Learning Centers, the median wage exceeds $90,000 annually, 9 percent more than other IT workers overall. In addition, the number of cyber jobs is projected to grow 18 percent annually through 2024, much faster than the average for all occupations. In fact, U.S. News & World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015.

1.5 Million Job Shortfall in Five Years

Nonetheless, nowhere near a sufficient number of qualified job applicants are biting. About 210,000 cybersecurity jobs are unfilled today, according to the Bureau of Labor Statistics, a number widely expected to keep growing. Frost & Sullivan has estimated that the global shortfall of information security work will reach 1.5 million workers in five years.

What is the problem?

Nobody knows for sure, but it appears to be part of the general reluctance among young Americans and their global counterparts to pursue STEM careers, a reflection of their perceived inability to master math and science and related disciplines. Companies sometimes will hire people with the right skill sets without a college degree, but a STEM bachelor’s degree is preferred and usually essential. Typically, certifications are also required down the road, especially the CISSP (Certified Information Systems Security Professional).

Another smaller but still prickly problem is that cybersecurity is not the same as computer science, another technical pursuit that also offers ample jobs — and greater job diversity. Computer science courses are helpful, but insufficient to crack stubborn encryption; cyber professionals also need to learn how systems work. Computer science doesn’t always explore this.

Boot Camps Help Ease the Challenge

Those with computer science degrees and other non-cybersecurity backgrounds can sometimes sidestep the cybersecurity job hurdle by enrolling in boot camps – intensive programs that accept non-programmers, train them in key skills and help them land jobs. In Denver, for example, startup SecureSet Academy is among the latest organizations to use the boot camp model to prepare cybersecurity job seekers for the career of their choice. Launched a year ago, SecureSet has since graduated 16 cyber pros and placed all of them in solid cybersecurity jobs. A similar number of fresh graduates are expected to join them shortly in the workforce.

Doing much the same thing is the City Colleges of Chicago (CCC), which recently became the first community college system to partner with the Department of Defense on a cybersecurity training program — and one not limited to members of the military. The CCC program is becoming a model for other community college programs and, among other things, is helping prepare students for entry-level analyst positions.

This program happens to be free. But this is the exception, not the rule. More typically, SecureSet charges thousands of dollars for its 20-week program. And while their graduates have gotten jobs so far, they’re still likely to find themselves shut out of many other cybersecurity positions because they lack degrees.

Given the severe shortage of cybersecurity talent, a key question inevitably arises: Is this the way things should be? As businesses face ever-growing cyber threats, the lack of cybersecurity talent is downright dangerous. A recent report by Intel Security – “Hacking the Skills Shortage” – polled 775 IT decision-makers and found that 82 percent reported a lack of cybersecurity skills within their businesses. One in three said this makes them hacking targets.

Hiring Standards May Be Too High

Given the backdrop, I believe cybersecurity applicants are being judged too harshly. Some on-the-job training makes sense given the rapid growth of cybersecurity. So, too, would corporate partnerships with local colleges to create cybersecurity programs.

Companies also need to do a much better job providing adequate cybersecurity training. That way, the cyber pros they have on board can maintain their skills. This won’t bring in fresh talent but might prolong the stay of current cybersecurity employees, who constantly attract job offers. A survey of more than 430 security professionals by the Enterprise Strategy Group found that 56 percent believed their company did not provide adequate training to keep their skillset current.

For now, and the foreseeable future, there is no shortage of specialties for appropriately skilled cybersecurity pros. Seven come to mind:

  • Security analysis. This is the first job for many cyber pros. These analysts plan and activate computer system security measures.
  • Risk mitigation. This entails tracking security risks that have been identified, discovering new risks, and tracking risk throughout select projects. This position also involves brainstorming what might happen if there is a breach.
  • Data security. This has become a common job as organizations move to cloud computing. The job of data security pros is to protect company information from threats.
  • Network monitoring. This requires professionals who know what they’re looking for in networks and can make decisions rapidly when suspicious behavior is detected. They work in concert with advanced network monitoring apps.
  • Cloud security. Cloud security specialists analyze threats particular to cloud security. Dangers include data breaches, system vulnerability exploits, hijacked accounts, inadequate diligence and malicious insiders.
  • Intrusion detection. Experts in this area search for potentially harmful activity that could undermine the confidentiality, integrity or availability of information.
  • Secure software development. Most data breaches are successful because of vulnerabilities or flaws in software code. Specialists in this area patch code on a routine basis.

Cybersecurity Automation

While all these positions are crucial, it’s also important to note that cybersecurity automation has begun to play a role in coping with the shortage of skilled security professionals. Increasingly common advanced persistent threats (APTs), for example, are spearheaded by automated bots, not human assailants, and, in fact, IT personnel are no match for such intensive, sustained attacks. Most humans do not have the ability to make quick decisions to manually address such attacks.

In addition, even the most skilled cyber professional tends to make occasional mistakes, which can be very costly. Automation helps mitigate this by removing the human element in appropriate circumstances.

A new cohort of orchestration/automation and analytics companies has begun filling the cybersecurity gap with technology solutions that confront automated attacks and/or materially increase the productivity of cybersecurity analysts. This helps address analyst shortages.

As cybersecurity issues continue to grow, it’s natural to wonder whether the salaries of cyber pros will climb still higher. This seems to be inevitable because there aren’t enough professionals to go around. And fatter compensation packages might begin to attract candidates from other disciplines, such as electrical engineering. For the foreseeable future, this might be the best possible way to address the talent shortfall.

 


See more at: www.rsaconference.com/blogs


Cybersecurity startups start to see slump in VC spending


 

 

 

Third Certainty | Roger Yu | March 20, 2017

 

Venture capital funding in cybersecurity is cooling. And it’s show-me time for startups battling for the dwindling pool of funds.

While the cybersecurity market is maturing, startups are still innovation drivers and venture capitalists are keen on finding the next big unicorns. Large enterprises’ tendency to juggle products from multiple vendors—despite their wishes for seamless, one-vendor-only solutions—leaves the market perpetually fragmented. And the fact that cybersecurity threats are evergreen enables venture capitalists who specialize in the sector to operate with little regard for broader macroeconomic conditions.

Still, the ample opportunities afforded by the fragmented, constantly shifting market have bred too many me-too companies and fast followers, driving some venture capitalists to pause and reflect on the next phase. “It’s definitely overfunded, massively so,” Ravi Viswanathan of New Enterprise Associates told a panel at CB Insights’ Future of Fintech Conference last year.


 

“You saw a material pause in the fourth quarter,” says Bob Ackerman, founder and managing director of Allegis Capital, which specializes in the sector. “You have too many undifferentiated companies. There’s a level of noise that develops as a result of that. … Cybersecurity is one of those areas where experience and domain knowledge matter a great deal.”

After growing steadily since 2012, venture capital funding in cybersecurity dipped in 2016, alarming entrepreneurs. The cybersecurity market captured roughly $3.1 billion of venture funding in 2016, down from $3.8 billion a year earlier, according to research firm CB Insights. The cybersecurity market will undergo a few years of retrenchment with a host of companies shutting down, VCs say.

More judicious spending

But the market is hardly mature. Money will still be spent, just more selectively. At this phase, fewer deals will be struck. But those deals will be reserved for larger companies, with proven products further along in development.

“The deal size and valuation is coming down a bit,” says Sean Cunningham, managing director of Trident Capital Cybersecurity, which raised $300 million this month for a fund to invest in cybersecurity startups. “I don’t think there’s any shortage of capital for the right type of companies. But the dollars being invested are smaller.”

Appthority is one of the companies that made Trident’s cut. Appthority, which develops mobile threat protection software for corporations, didn’t land its first paying customer until more than a year after it was founded in 2011.

Four years later, its customer renewal rate stands at 98 percent, with about 20 percent of its revenue coming from the government sector. Heartened by solid proof of growth, venture capitalists poured in another $7 million in Series B funding last July, led by Trident Capital Cybersecurity.


 

“You’re going to see a lot of startups out there, and good ones will rise to the top,” Cunningham says. “There’s ample supply of capital to fund them. They can get traction.”

Innovation niches

As seen in the early days of the internet, the cybersecurity market is recalibrating for a second wave of innovative technology that’s more comprehensive and cohesive. And that means more seamless products for large clients who are eager to cut down on the number of vendors.

“Companies that can stand on their own two feet, deliver value, and have deep knowledge will do fine,” Ackerman says, citing one of the companies he’s invested in, EnVeil, which uses “homomorphic encryption” to secure data in operation.

As more companies employ automation and “big data” to enhance efficiency and find new markets, data encryption products will continue to be in heavy demand.

The emergence of the industrial internet—the integration of complex machines to network sensors and software—also will breed startups eager to provide cybersecurity solutions to power and water grids, refineries and pipelines.

In May, Trident helped raise $6.6 million in Series A funding for Bayshore Networks, which develops cloud-based software that offers “visibility” into operational technology infrastructure, networks, machines and workers.

Meanwhile, the proliferation of enterprise mobile devices will continue to see vulnerabilities and pose a ripe market for startups like Appthority, Cunningham says.

Early investors haven’t gone away

That VC dollars are chasing more evolved companies doesn’t mean early-stage investing is passé, Ackerman says. “That’s where the new things get started.”

But cybersecurity, unlike more consumer-oriented technology sectors, is a competitive and difficult market, rife with startups struggling to recruit and market products.

That’s partly why Allegis funded DataTribe, a startup studio based in Fulton, Maryland. It was designed to tap into the wealth of cybersecurity-savvy technologists in the region with experience or ties to the federal government and intelligence agencies.

Ackerman also anticipates more mergers and acquisitions activity from large cybersecurity companies that may find it easier to acquire smaller niche players as they seek to add new product lines.

As venture capitalists squeeze their wallets, startups lucky enough to land Series A funding also will have to justify more vigorously their pursuit of Series B funding, Cunningham says. “And unicorns are in trouble,” he says, referring to startups valued at over $1 billion.

The Trump factor

Meanwhile, venture capitalists are hopeful that the federal government, with President Trump at the helm and promising a rollback in regulations, will cut steps in federal procurement and stay engaged in securing networks.

“We think the administration understands the value of national cybersecurity,” Cunningham says. “We’re not counting on incremental increases in spending. But we’re excited about the awareness level.”

Article found here: Thirdcertainty.com


Exclusive: Blackstone-Backed Network for Cyber Risk Launches Today

 
Fortune | Jeff John Roberts | 7:40 AM Pacific

Financial firms have long used rating agencies like Moody’s or S&P to judge the risk of bonds. Now, companies that face risk from cyber attacks—which these days is almost everyone—have a tool to do the same.

On Wednesday, CyberGRX unveiled a platform that acts as a clearinghouse for cyber risk. Developed by a group of blue chip security pros from companies like Blackstone and Aetna, CyberGRX promises to make the process of flagging cyber dangers from their vendors dramatically more efficient.

The risk posed by vendors has been top of mind for many companies ever since the infamous hack on Target (TGT, +0.40%) in 2013, which saw attackers compromise the computer systems of Target’s HVAC supplier in order to steal credit card information from 40 million customers.

According to Jay Leek, the former chief security officer of Blackstone, the idea for a clearinghouse came about because companies spend enormous amounts of time filling out check-lists to assess the security risks posed by their vendors. Many of Blackstone’s portfolio companies, for instance, were all conducting the same compliance tests to see if vendors—which can include anyone from software giants like Salesforce (CRM, +0.86%) or Workday (WDAY, +0.65%) to catering companies—had programs in place to defend against cyber-attacks.

This process, says Leek, resulted in a lot of duplicated efforts and security officers spending their time on checklists rather than on mitigating cyber dangers.

In response, Leek and others realized the approach was to build what they call a “third party global cyber risk exchange” that will let companies assess vendors in the same way banks rely on ratings agencies to assess bonds. Leek likens it to performing cyber-risk by means of a Turbo Tax method, rather than doing it by hand.

“The inherent efficiency of the CyberGRX Exchange eliminates the waste in today’s approach—largely based on sharing spreadsheets—in a way no one in the market does. For the first time, companies will know which of their third parties pose the greatest risk to their organizations,” says Fred Kneip, CyberGRX CEO.

The process has been in the works since last year when CyberGRX raised $9 million from investors that include Allegis Capital, Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures), and MassMutual Ventures.

The building process has relied on what CyberGRX calls its “design partners” like Aetna, and their existing dossiers of tens of thousands of vendor reports.

Now, the tool is ready for primetime as CyberGRX (GRX is for global risk exchange) invited other companies to take part. Here is how CyberGRX described it in a release announcing the news:

Built in partnership with chief security and risk officers from Aetna, Blackstone, MassMutual, ADP and other large companies with a combined network of more than 40,000 companies in their digital ecosystems, the CyberGRX Exchange brings together enterprises and their third parties and creates massive efficiency to a process that has largely been driven by sharing spreadsheets and trusting unvalidated self-assessments.

While the plan will provide a way for big companies to speed up their cyber risk assessments, it will also help hundreds of thousands of vendors who currently must wait for a cyber seal-of-approval before they can start providing their services.

As for the risk assessments the platform provides, those are compiled from the reports provided by the member companies but also from a host of outside signals. These include threat reports from security companies as well as news reports from Thomson Reuters and others.

The other advantage of the service, according to CyberGRX, is that it will continually update the security profiles of all the companies on the exchange. This means companies will no longer need to rely on an annual checklist system to confirm a vendor can still be trusted.

The idea for a cyber risk clearinghouse is not a new one. According to Leek, S&P tried unsuccessfully to come up with such a service way back in 2006. Goldman Sachs (GS, +0.23%), meanwhile, tried to create a risk standard with Moody’s in 2015 but was likewise unable to pull it off.

If CyberGRX is a success, its backers say the service could save companies billions in legal and compliance costs, and allow security executives to devote far more time to threat mitigation rather than bureaucratic measures.

The new service may also jumpstart the market for cyber-insurance, which has been expanding in light of the ongoing number of high profile data breach incidents. But that is far from mature—in large part because of a lack of information on how to price cyber risk.

Article found here: www.fortune.com


G6 Hospitality Leverages RedOwl to Prevent Insider Threats


 

 

Top Lodging Company Boosts Protection of Sensitive Data of Company and Guests

 

Marketwired | March 07, 2017 11:00 ET

 

SAN FRANCISCO, CA–(Marketwired – March 07, 2017) – RedOwl, the leading provider of insider risk solutions, today announced that G6 Hospitality, known for its iconic economy lodging brands, Motel 6 and Studio 6 in the U.S. and Canada, has deployed the RedOwl Insider Risk Management platform to mitigate the risk of negligent, compromised and malicious employees leaking sensitive company intellectual property or customer data.

G6 Hospitality owns, operates and franchises over 1,300 lodging locations and employs more than 10,000 team members across the U.S. and Canada. Like many organizations, at G6, email is how business is done — both internally and with its franchisees who still at times maintain their own email systems. The company selected RedOwl specifically because it is the leading solution for electronic communication content and behavioral analytics as well as having the capability to integrate other critical streams of activity and employee-specific characteristics.

“One of the biggest strains on resources within our security team is ensuring all of our employees across North America are aware of how email should and shouldn’t be used and are educated on the risks of phishing and other types of external attacks and internal risky behavior that could result in critical data loss for our organization,” said Harvey Ewing, chief information security officer (CISO) of G6 Hospitality. “With RedOwl, our team no longer has that burden, as the platform can analyze and alert potential threats before they become incidents.”

RedOwl combines content and behavioral analytics to identify both acts of exfiltration and the potential precursor activities that indicate unwanted behavior in the enterprise, such as data theft and even employee flight risk. Critical to the team at G6 is RedOwl’s ability to reduce the noise and false positives typically seen in monitoring as well as to be able to quickly go from alert to in-depth investigation.

“Insider threats can no longer be ignored by organizations looking to protect their intellectual property and customer data,” said Guy Filippelli, founder and CEO of RedOwl. “RedOwl is proud to be G6’s partner as they work to further protect themselves and their customers from insider threats.”

In the year ahead, G6 Hospitality will continue to strengthen its defenses by leveraging more insider risk management capabilities offered on the RedOwl platform.

ABOUT REDOWL
RedOwl helps large enterprise and government organizations mitigate insider threats with technology designed for the modern workplace. Information security and regulatory surveillance teams trust our behavioral analytics platform to provide holistic and actionable visibility of all human risk, ranging from common employee data leaks to malicious insider attacks. With offices in Baltimore, New York City, San Francisco, and London, RedOwl’s investors include the Blackstone Group, Allegis Capital, and Conversion Capital. To learn more about RedOwl, visit: https://redowl.com.

ABOUT G6 HOSPITALITY
G6 Hospitality LLC owns, operates and franchises more than 1,350 economy lodging locations under the iconic Motel 6 and the extended stay Studio 6 brands in the U.S. and Canada, and Hotel 6 and Estudio 6 brands in Latin America. Headquartered in Dallas (Carrollton), Texas, G6 Hospitality was rated one of the top ten hospitality companies according to the Hotel Management 2015 Top Hotel Companies rankings list, which evaluated over 260 hotel companies. For more information please visit G6Hospitality LLC.

Article found here: www.marketwired.com
