As the risk of cybercrime climbs, a lack of cybersecurity talent has organizations looking to technology to fill the gap. However, experts from Ottawa’s cybersecurity sector say a mix of both tech and talent is necessary to keep Canadians and businesses safe.
In 2017, more than a fifth of Canadian businesses were affected by a cybersecurity incident, according to Statistics Canada. A report by Deloitte estimated a seven per cent growth in demand would result in approximately 5,000 cybersecurity jobs between 2018 and 2021.
Dave Masson, the Ottawa-based country manager for cybersecurity software firm Darktrace, says there may be a gap in human talent, but training more people isn’t enough to keep up with the changing world of cybercrime.
“They’re going to need machines,” says Masson, explaining that most cyberattacks are done by automated processes and need to be fought by the same. That’s why machine learning and artificial intelligence are increasingly becoming central to cybersecurity, he says.
Ottawa-headquartered Interset’s software uses data analytics to identify high-risk anomalies. For example, if a computer uploads a file to an IP address it has never accessed before, the program flags that event so the user can investigate.
Interset’s chief technology officer Stephan Jou says the goal is to maximize efficiency: “We’re taking what a naturally gifted human would be able to do if he or she had enough time, and we’re automating that.”
Tech tools meet talent
Darktrace’s software takes this a step further – it stops anomalies first and asks questions later. Instead of focusing on specific types of attacks – of which there are new types every day – Darktrace’s software learns the network inside and out, stopping all anomalies before further investigation.
The tool is not, however, meant to replace the role of humans.
“This is AI that’s actually supporting that scarce human resource,” says Masson. “It’s going to support them and free them up to concentrate on the really meaningful tasks.”
Masson says the nervousness people have about AI stems from the concept of broad AI, currently the stuff of science fiction. For now, AI is targeted, used as a tool alongside humans; in a sector with a talent gap several thousand jobs wide, AI-based programs may be a welcome asset.
Daniel Tobok, CEO of cybersecurity consulting firm Cytelligence, says machine learning and human expertise are both critical to fighting today’s cyberattacks.
"You cannot replace people with tools. ... It's really a combination that will make the difference."
“You cannot replace people with tools,” says Tobok. “It’s really a combination that will make the difference.”
Tobok and Masson say a key mistake companies make is housing cybersecurity under the IT department, when it should be part of overall business risk strategy.
Something businesses can do to significantly lower risk is to train employees in what Jou calls “basic cybersecurity hygiene.” Making employees aware of risks, such as the implications of reusing a password, can go a long way.
The Deloitte report also highlights another gap: most cybersecurity professionals are male, with an IT background. Extending the net to women and visible minorities, as well as people from other industries with useful skillsets, could help fill the gap.
As for cybersecurity companies, many are looking to educational institutions to advance training and innovation in the sector. For example, Interset provides real datasets to post-grad students at Carleton University and works with them to solve problems.
Software companies Sophos and Fortinet both reached out to Willis College, a private career college in Ottawa, to help them train the next generation of cybersecurity talent.
Michael Anderson, senior vice-president of Sophos, says between 80 and 85 per cent of Sophos’ Ottawa staff graduated from Willis College’s advanced network security program, and took a third of the time to train.
“There’s a constant need for new people,” says Anderson. “The idea was essentially to grow our own.”
‘An unclassified space:’ Federal government looks to private sector for innovation
Tobok says it’s not enough for businesses and schools to tackle the problem; cybersecurity is an issue the government needs to take leadership on.
Canada’s new cybersecurity strategy acknowledges the talent gap and mentions plans to support education and partnerships. It also consolidated the federal government’s cybersecurity operations into one branch: the Canadian Centre for Cyber Security.
The centre, which became fully operational Oct. 1, includes an increased online presence and awareness campaigns. A new physical space is also underway for 2019.
Scott Jones, head of the CCCS, says the new space is designated for more than just employees. Jones describes it as an “unclassified space” where companies and institutions can collaborate with the government to tackle some of the biggest challenges in cybersecurity.
“It’s not the federal government’s (problem) to solve. It’s all of ours to solve together,” says Jones.
The government also decided to open-source Assemblyline, its malware detection software.
“This was a critical tool for us, and we realized we can share this with the community,” says Jones. “I think the important thing was it showed that we were willing to share.”