As the cybersecurity industry works to address a shortage of skilled workers, an advertisement backed by the UK government may provide an example of what not to do.

The ad, which encouraged people working in the arts to retrain in cybersecurity, has been abandoned amid backlash online and even within the government, according to reports from The Guardian, The Washington Post and MarketWatch.

Although pulled from the official website, the ad was still easily viewable after going viral on social media with the hashtag “#SavetheArts.” The image displays a ballet dancer tying her shoes. The caption reads, “Fatima’s next job could be in cyber (she just doesn’t know it yet),” followed by the tagline “Rethink. Reskill. Reboot.”

Posted on the website of training firm QA, the ad was part of the UK cybersecurity agency’s Cyber First campaign, which promotes tech training for young people. Oliver Dowden, the British culture secretary, tweeted that the ad was “crass” and did not come from his agency. A spokesperson for the prime minister said, “This particular piece of content was not appropriate and has been removed from the campaign.”

The UK government’s volte-face followed widespread criticism that the ad showed disrespect toward the culture sector, which has been suffering catastrophic job losses. The author Caitlin Moran tweeted: “I don’t know if the government know they appear to have recently created a ‘Hopes & Dreams Crushing Department,’ but for a country already depressed and anxious, I would suggest it’s a bit of a ‘Not now, dudes’ moment?" The shadow health minister, Rosena Allin-Khan, chimed in: “Fatima, you be you. Don’t let anyone else tell you that you aren’t good enough because you don’t conform to their preconceived social norms.”

Meanwhile, a recent survey finds that most people say a career in cybersecurity isn’t for them, despite the sector’s demand for talent. Among 2,500 U.S. and UK workers surveyed by (ISC)2, 69% said that while cybersecurity seems like a good career path, it isn’t the right personal fit.

The world of analytics is changing.  Self-Service Analytical tools like Tableau, Qlik, and Power BI are enabling business users to perform reporting and analytics on their own with little to no support from the IT organization. This trend has evolved due to several factors including:

1)    Organizations are flooded with data and IT organizations are not able to keep up
2)    Easier to use Business Intelligence tools make it more efficient for business users to directly create their reports rather than go through IT for a project
3)    IT organizations analytical projects can take several months when a business needs this information in weeks

This trend has caused the efforts of IT Business Intelligence (BI) teams to spending most of their energy gathering, cleaning, and structuring data for the business to perform their own analytics through a self-service model. In special cases, they provide industrial strength reporting that can scale to thousands of users where trusted verified data is needed.  However, they are still being shown the door when it comes to some of the more interesting work.

What can IT BI teams do to stay relevant and valuable to the business? We have several suggestions that relate to embracing self-service analytics as the new reality and transitioning core competencies of the Business Intelligence team away from purely descriptive reporting and moving to diagnostic & predictive analytics.

Let’s explain that last concept before prescribing several solutions. The current state of most analytics is descriptive in nature and helps answer questions of, “what occurred?” Diagnostic and Predictive Analytics help answer the questions of, “Why did it occur?” and sets the stage to answer, “What can I do about it?”  Diagnostic Analytics helps organizations to not only understand what, but also why and what decisions and actions can be taken to solve for the issue. This type of analytics is more valuable to the business and requires competencies that IT BI teams are uniquely qualified to bring from their years of building analytical solutions.

To enable IT Business Intelligence teams to move up the value chain from providing commodity reports to business driving analytics, we recommend adding these four components:

1. Build out a Data Science capability– Data Scientists are starting to appear in analytical groups within companies. However, they are still not pervasive and the function is understaffed. In addition, most groups within a company cannot justify the cost of a full-time data scientist. By adding data scientists to the IT BI organization, you are creating a centralized team that can provide analytics to underserved parts of the organization.  This team is already focused on creating analytical data structures and reports and adding the ability to derive insights from the data is a natural extension.   
2. Make it about the Decision– In your requirements process, add Decision Architecture Methodology as a capability. Most methodologies for capturing analytical requirements focus on the questions asked of the data to surmise the Dimensions and Facts.  While this gives us great descriptive analytics, but it does not move the company along the analytical maturity curve.  A deeper focus on the decisions that the business makes and thereby centering analytical capabilities around helping to enable actionable insights will move the needle.
3. Add Decision Theory to your analytics– If Data Science helps you turn information into actionable insights, Decision Theory helps you structure the decision process to guide a person to the correct choice. Decision Theory, along with Behavioral Economics, is focused on understanding the components of the decision process to explain why we make the choices we do. It provides a systematic way to consider tradeoffs among attributes that helps us make better decisions. Tools such as thresholds, alerts, decision matrixes, and choice architecture should be considered important capabilities to add to your team’s tool chest.
4. Create a Report Certification process– As report proliferation occurs with self-service analytics, creating a standard for the health and validity of a report is going to be important if the analytics are to be consumed by a broader audience and are to be trusted.  For example, you may have one group create a report with key metrics sourced from uncertified data sources. By putting reports from individual departments through a certification process similar to UL labeling on electrical products, broader consumers will know the level of scrutiny that has been put on the report by Data Governance and IT teams and thereby trust the data and metrics contained within it.

As IT Business Intelligence teams look to move up the value chain in the capabilities they offer to their internal customers, adding addition skillsets, methods, and tools will be a necessity. The capabilities outlined are a great fit for a centralized team to own and this transformation in IT BI teams can speak to the value these enhanced capabilities provide to the business.

---

Andrew Roman Wells is the CEO of Aspirent, a management-consulting firm focused on analytics. Kathy Williams Chiang is VP, Business Insights, at Wunderman Data Management. They are the co-authors of Monetizing Your Data: A Guide to Turning Data into Profit-Driving Strategies and Solutions. For more information, please visit www.monetizingyourdata.com.

It’s no surprise that big data is on the rise in businesses around the world. Companies routinely use big data to analyze common trends in their practice; enabling them to make sophisticated decisions to ensure their businesses prosper. According to Statista, an online statistics, market research and business intelligence portal; companies routinely use data to drive process and cost efficiency; drive strategy; and to monitor and improve financial performance. When used in these ways, data has the ability to save the company a significant amount of money because they are able to spend their money efficiently.

While data does have the ability to improve a company’s performance; companies just aren’t catching up on the trends as fast as one would assume.  Big Data software company, Quoble along with Dimensional Research; recently published an e-book, “An In-Depth Look at Big Data Trends and Challenges”. As the name suggests, the data looks at global data trends in the workplace and the problems that businesses often face.

Among the issues that the research uncovered was, “the realization of value from big data in on-premises environments has lagged expectations, largely due to complexity, cost overruns, steep demands for specialized talent, and need for powerful computing platforms.” While companies may understand the value that big data brings their company; finding qualified candidates and obtaining funds to purchase the computing platforms needed to manage data sets are among the set backs employers are facing today. Nearly 75% of those surveyed sighted a gap between the necessary resources and tools that are available to them. And while 50% of businesses plan to moderately increase their data headcounts in the next year; 83% find it difficult to find the right candidate.  Not only does it take time to find the money to pay for data headcounts; finding the right candidate can often times be complex and time consuming.

The survey found that big data teams’ lack of experience creates a slow progress to get things done. 42% also sight that it is hard to keep up with big data trends and new data sources.  Big Data is constantly expanding. Five years ago machine learning and AI weren’t as mainstream as they are now. BI tools were available but not widely used and companies didn’t have big data teams. In fact their “team” often consisted of one or two data scientists. Big Data’s continuous growth has lead to expansion that many businesses can’t keep up with.

The intention of Quoble’s “An In-Depth Look at Bid Data Trends and Challenges” is  not to solve these problems, but to bring awareness to the issues that companies are facing when it comes to data.  As big data continues to surge, so will an influx of knowledgeable employees and efficient software that will guide the business to succeed in an age where big data is becoming the norm.

To view the full report, go to Quoble’s website and download the free e-book.

Colleagues think of data analysis much in the same way they think about marketing. Which is everyone thinks they are data analysts. With little to no practice they can put together graphs and visualize data at the drop of a hat. When interviewing Dave from accounting he made sure you knew that he has Tableau reader on his desktop which totally means he’s one step away from Tableau certification. Karen from Sales also discussed her extensive knowledge when it came to Excel. Yes, that same Karen who emailed you a month ago and asked how a pivot table worked.

If you’re interested in a career in big data it shouldn’t be daunting, but you should take the time to research and learn the tools and software needed to excel (pun intended) at the job. Data analysis is so much more than filtering data and pretty graphs. It takes someone who is curious and can think analytically to thrive in the job.

In his 2009 book, Now You See it: Simple Visualization Techniques for Quantitative Analysis; author and information technology innovator Stephen Few lists 13 key traits of a data analyst. Among those traits include, self-motivation; open-mindedness; and the ability to spot patterns. An average data analyst can access a data set; scrub the data; and visualize it using one of numerous data visualization platforms available. She then comes to conclusions based on those visualizations and calls it a day. An exceptional data analyst can use that same data set and visualization tools and come to the same conclusions. The difference is that he will ask different questions and hypothesize about why conclusions are what they are. An exceptional data analyst asks why 9 out of 10 dentists prefer Colgate or why Rugby is becoming a more popular youth sport in the United States while lacrosse youth teams are declining.  For them, it isn’t enough that the data shows an increase in Rugby youth teams. They have to know why. Which will ultimately bring them to more questions which will lead to more data sets and more visualizations. In essence, is a data analyst’s job ever really done?

Another factor that separates a mediocre from an excellent analyst is the ability to tell a story. Unless you are speaking to a fellow analyst, chances are spewing out data isn’t going to capture the attention or the comprehension of what the statistics show. In fact, if you go that route, you may be met with a lot of blank stares. It’s important to tailor a narrative to the audience you are speaking to. Crafting a story beforehand makes it easy for your audience to follow and will help you answer any follow up questions that you might receive.

While you may have the skills that make an excellent data analyst, without practice you’ll never truly be outstanding at your job. And with data analysts and scientists being critical to the success of a company, it’s important that you push past mediocrity and aim for excellent. So tomorrow when you go into work remember that not everyone can be an analyst but by methodically thinking, crafting a perfect story from your data sets and asking questions, you’ll be on the road to greatness.

Explore the most recent developments in cybersecurity regulations, including Zero Trust Architecture and the revised CMMC standards, impacting federal and private sectors.

In the dynamic world of cybersecurity, regulations are ever evolving to keep pace with emerging threats and technological advancements. Recent weeks have seen significant movements within the realm of cybersecurity policies, particularly in the United States, as governmental bodies strive to enhance standards that safeguard both businesses and individual data.

A noteworthy development comes from the U.S. federal government's efforts to heighten cybersecurity defenses. A new mandate requires all federal agencies to adopt Zero Trust Architecture by the end of the fiscal year. This framework, designed to 'never trust, always verify,' is anticipated to significantly enhance the security posture across federal systems by minimizing vulnerabilities and reducing the risk of unauthorized access.

Across the private sector, the spotlight is on updated compliance requirements. Following a series of high-profile breaches within major corporations, there has been a concerted effort to revise the Cybersecurity Maturity Model Certification (CMMC) standards. Initially targeting defense contractors, these standards are expanding their reach, impacting a wider array of industries. Companies are now tasked with demonstrating robust cybersecurity practices and ensuring that proper safeguards are in place to protect sensitive information.

Furthermore, state-level undertakings haven't gone unnoticed. A prime example is the California Consumer Privacy Act (CCPA) which continues to evolve. This pivotal legislation, aimed at protecting consumer data privacy, has seen amendments that strengthen consumer rights regarding data access and deletion, thereby imposing strict new obligations on companies operating within the state.

One recent case study illustrates how a prominent Fortune 500 company navigated the complexity of adhering to these new cybersecurity regulations. By leveraging advanced analytics and deploying an integrated cybersecurity framework, the company not only maintained compliance but also achieved a fortified security environment. This proactive approach underscores the importance of adaptability and innovation in contemporary cybersecurity strategies.

As organizations across the nation confront these regulatory changes, many are turning to cybersecurity experts for guidance. These advisors offer critical insights on how to implement policy updates efficiently, avoiding compliance pitfalls while preserving operational integrity. Their expertise is proving invaluable, particularly for small to medium enterprises (SMEs) that may lack the resources of larger firms.

The road ahead in cybersecurity regulation promises to be one of continual advancement and adjustment. Staying informed about these updates is crucial for any business aiming to stand resilient in the face of potential cyber threats.

The Securities and Exchange Commission’s recent fraud allegations against technology company SolarWinds and its chief information security officer, Tim Brown, over a 2020 data breach have hit the cybersecurity community like a shockwave.

While some industry experts hew to SolarWinds’ view that the lawsuit sets a troubling precedent, others see the case in a positive light, as Security Week reports.

“The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would,” security researcher Jake Williams wrote on X, formerly known as Twitter. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”

However, SolarWinds CEO Sudhakar Ramakrishna wrote in a blog post, “The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security. They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”

As Dark Reading reports, Amtrak CISO Jesse Whaley expressed uncertainty as to how the SEC lawsuit could affect the CISO position overall. “It’s either really good or really bad,” Whaley told the news service.

Meanwhile, Weave CISO Jessica Sica told Dark Reading she’s worried the allegations against Brown will have a “chilling effect” that keeps people from wanting to take on the CISO job. She noted that CISOs are often under-resourced.

As The Wall Street Journal reports, CISOs worry they’ll be exposed to legal liability. CISO job candidates now often ask to be included in companies’ directors and officers insurance policies, which cover them against lawsuits alleging breaches of fiduciary duty, according to executive search firm Heidrick & Struggles. “The fear is real,” Heidrick partner Matt Aiello told the Journal.

Numerous other security leaders told SiliconAngle they share the concern of a “chilling effect” on CISO recruitment. Timothy Morris, chief security adviser at systems management company Tanium Inc., told the publication, “With SolarWinds’ CISO now under the microscope and Uber’s former CISO making similar shock waves last year, we can expect turnover in this role.”

The Securities and Exchange Commission has sued SolarWinds and its chief information security officer, Tim Brown, over a wide-ranging breach of the company’s software in a 2020 Russian cyber-spying effort. So reports ABC News.

The SEC alleges that SolarWinds and Brown defrauded investors and customers by concealing the company’s security vulnerability ahead of the hack, which reached the Department of Justice, the Department of Homeland Security and more than 100 private organizations.

According to a complaint filed in New York federal court, the securities regulator is seeking civil penalties, reimbursement and Brown’s ouster.

Read the full article from ABC News.

A British regulator has ordered the UK arm of Equifax to pay a fine of £11,164,400, or roughly $13.6 million, for a massive 2017 data breach. So reports The Record.

The Financial Conduct Authority said that the breach impacted about 14.8 million UK customers and included “names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details, and residential addresses.”

Around 143 million people in the United States were affected by the breach, which to this day ranks as one of the biggest ever.

Read the full article from The Record.

Ransomware attackers have shown that they are willing and able to use securities disclosure rules against corporate targets, throwing another spanner in the works for cybersecurity pros.

Financial software company MeridianLink has confirmed to The Record, a publication by cybersecurity firm Recorded Future, that it was hit by a cyberattack. AlphaV, also known as Black Cat—the ransomware group suspected in the hacks of MGM Resorts and other prominent targets—previously claimed to DataBreaches to have stolen files from MeridianLink.

Notably, though, AlphaV further claimed to DataBreaches that it reported the breach to the Securities and Exchange Commission. The breach had purportedly taken place a week earlier. New SEC reporting rules effective December 5 require companies to disclose a “material” cybersecurity incident within four days of it being identified. As The Record notes, however, government officials have clarified that the four-day timeline applies only after an attack has been deemed to be material, not after its initial discovery.

Hackers have flirted with notifying regulators before. Over the summer, a different ransomware gang threatened to report companies under the European Union’s General Data Protection Regulation, the continent’s sweeping privacy law.

Patrick Tiquet, vice president of security and architecture at Keeper Security, told Dark Reading, "This is yet another warning to security leaders, who must recognize that disclosure decisions and plans are no longer solely guided by security best practices,” Tiquet said. “Federal legal liabilities also play an important role.”

“This is an industry-wide wake-up call,” Ferhat Dikbiyik, head of research at cyber risk management firm Black Kite, told CSO. Jim Doggett, CISO of cybersecurity firm Semperis, added to the news outlet that the move ultimately wasn’t surprising given that ransomware is “ever-evolving” and motivated by profits alone.

Thomas Barton, senior IR analyst at Integrity360, told CSHub the alleged SEC complaint shows that ransomware threat actors have matured to such an extent that they can incorporate regulators in their extortion threats.

What’s more, Sean Deuby, principal technologist at Semperis, wrote in an op-ed for SC Magazine that tattling to regulators “could become the new normal for ransomware operators.”

As Bloomberg columnist Matt Levine writes columnist Matt Levine writes, “Hackers know everything is securities fraud.”

 

 

The global cybersecurity workforce is as big as it has ever been. So is the cybersecurity skills gap.

That’s according to the latest annual study by ISC2, a nonprofit member organization for cybersecurity professionals.

“We need to continue as an industry to open doors.” He said the issue is “a skills shortage, finding people with the right skills for the right job," ISC2 CISO Jon France told SDxCentral.

According to the study, the global industry workforce has grown 8.7% since last year to a record 5.5 million people. Demand is still growing faster than supply, per ISC2, with 4 million pros still needed to protect digital assets. That’s a record skills gap.

Of nearly 15,000 cybersecurity pros surveyed, 75% indicated the threat landscape is more challenging now than it has been in the last five years. Just 52% said their organization has sufficient tools and people to respond to cyber incidents in the next two to three years.

Cutbacks in the face of global economic certainty didn’t help close the skills gap. Indeed, 47% of respondents said they had experienced layoffs, budget cuts, hiring freezes, promotion freezes or other cyber-related cutbacks in the past year.

ISC2 CEO Clar Rosso suggested that the cybersecurity cutbacks were particularly disappointing given that corporate leaders have grown more cognizant of the financial and reputation risks of skimping on cybersecurity. “The logical conclusion from that is they are more concerned about economic risk than cyber risk and they’re not fully understanding the equivalency between the two risks because they are inextricably tied together," Rosso told Infosecurity Magazine.

Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at ISC2, told Federal News Network that for federal agencies, at least, the findings drive home the necessity of expanding cybersecurity recruitment and retention initiatives. Over the summer, the Biden administration unveiled a “cyber workforce and education” strategy that includes “skills-based” hiring practices as opposed to focusing on degrees.

Genetic testing company 23andMe has begun reaching out to customers as the reverberations from a hacker’s recent claim to have stolen millions of “pieces of data” from the ancestry tracker.

As Reuters reports, 23andMe recently emailed several customers to notify them of “unauthorized access” into one or more accounts linked to theirs through the “DNA Relatives” feature, through which users worldwide can connect and share personal data.

The company previously said it was cooperating with experts and law enforcement to investigate the breach.

A 23andMe spokesperson declined to comment to Reuters about the emails, citing the existing inquiry, and pointed to an October 20 blog post in which the company said it was pausing aspects of “DNA Relatives” for privacy reasons.

Meanwhile, the hacker behind the initial cache of 23andMe data leaked a dataset containing four million more user records, as TechCrunch reports. In an online forum, the hacker claimed the leak included data from “the wealthiest people living in the U.S. and Western Europe on this list.” A 23andMe spokesperson said that the company was “reviewing the data to determine if it is legitimate.”

In an earlier announcement, 23andMe said hackers used credential stuffing, the popular tactic of entering login details that are already public from other breaches, and urged customers to change their passwords.

Senator Bill Cassidy (R-La.) has called on 23andMe to provide more information about the breach, as PYMNTS reports. The top GOP member on the Senate’s health committee indicated worries about genetic information possibly being used by malicious actors.

According to The Conversation, the 23andMe leak “challenges how we think about privacy, data security and corporate accountability in the information economy.” The site notes that most personal data in the information economy is inextricably connected to other people’s data, which means vulnerabilities are globally networked, too.

As Israel ordered a “siege” of Gaza following a surprise attack by Hamas, the deadly conflict reverberated across the digital world too.

As Bloomberg reports, hackers were targeting Israeli government and media websites in alliance with Hamas. Some of the threat-actor groups, such as Killnet, has ties to Russia. Killnet purported to have temporarily disrupted Israeli government websites, including the website of security agency Shin Bet.

According to cybersecurity firm Group IB, another group known as AnonGhost breached a mobile phone application that warns Israelis of missiles.

Rob Joyce, cybersecurity director at the National Security Agency, reportedly said that while cyberattacks hadn’t played a big role in the conflict thus far, “There may be significant events coming, more hacktivists, more people taking up cyber arms in defense of their cause.”

Israeli defense leaders were defiant and resolute in the wake of the Hamas attack, as BankInfoSecurity reports. Yotam Segev, co-founder and CEO of Israeli firm Cyera, wrote on LinkedIn: “This attack is akin to 9/11, an unprovoked terrorist assault on civilians. Israel’s response will be swift and mighty.” Eitan Worcel, an Israel Defense Force veteran who launched U.S.-based firm Mobb in 2022, wrote elsewhere on LinkedIn, “I hate this helpless feeling and I so wish not to feel that ever again.”

Although the situation in Israel could weigh on cybersecurity shares, many companies should be able to avoid any negative impact.

As CNBC reports, JPMorgan analyst Brian Essex reassured clients that many Israeli cybersecurity companies should be able to largely avoid ill effects from the violence. “Israel has been the source of a substantial amount of talent, development, and innovation over the years and, as a result, several companies within our coverage universe maintain a meaningful presence in the country,” Essex wrote in a research note. “As events continue to evolve, we believe companies with operations in Israel are well prepared to manage geopolitical disruption in the region, but we would not be surprised to see headlines pressure more exposed stocks within our coverage universe.”

Nvidia has canceled an AI conference that was scheduled to be held in Tel Aviv, as CNBC reports separately.