At CLOUDSEC in London on 6 September 2016, Rik Ferguson, VP president security research, Trend Micro, presented a session titled ‘Take Control: Empower the People’
Prior to his talk, I had been sitting with Rik in the press room, and asked him “do you still get nervous when you present?” His answer made me smile. “I get nervous that I’m going to run out of time.”
Fast forward an hour, and Rik is half way through his presentation when he confesses “I haven’t said a single thing I planned to yet – I’m definitely over-running.” Later on, given the nod from timekeeping staff that he had five minutes left he responded “you’re deluded” laughing.
As is often the case when Rik speaks, his presentation goes off on several different tangents. Despite this – or maybe because of this – he is an excellent speaker, always engaging, always getting the messaging right, and very articulate.
Arguably the most interesting point Ferguson made was in regards to the perceived cyber skills gap in the industry. “There’s not a cyber skills gap, the industry is just looking for the wrong things: It’s looking for paperwork and certifications rather than people and skills.” The problem, he says, is that employers are looking to hire certificates. “They should be looking for tenacity, problem-solving, analytical thinking. These skills are far more useful than a CISSP.”
Here is a selection of the other wisdom Ferguson shared with his audience:
- Machine learning is becoming a buzz word: “Machine learning is a technique, but what is most valuable is the output and what we can learn from it.”
- Online extortion is at an all-time high. In 2015, 29 new families of crypto-ransomware were discovered, compared to 79 just in the first six months of 2016: “One security company actually offers to pay a ransom for you if you get hit by ransomware: they’re happy to finance online crime.”
- It’s not just data breaches of the future and the present causing problems: “Data breaches of the past are suddenly haunting us, the LinkedIn/Dropbox breach for example.”
- Take control of your systems and security solutions: “Build a reliable perimeter around everything you can control, and build out from there to the network.”
- Don’t use compliance as a shield. “Compliance is where you begin, not stop. View compliance as an obligation and security as an aspiration.”
- “Self-certification is for losers”
- It’s easy to make security look cool: “Make sure your employees are educated, aware and engaged.”
- The fast will beat the slow in security.