The cybersecurity talent shortfall is stunning: some 1.8 million positions are waiting to be filled globally, says Steve Rampado, Risk Advisory Partner for Deloitte Canada.

The unemployment rate in the field is zero. Wage inflation is such that some businesses can’t hold onto their cybersecurity staff. And the results can mean corporate havoc.

It was a sobering briefing for a near-capacity workshop on cybersecurity at the second day of True North 2019.

The morning workshop, hosted by the University of Waterloo, was to be a tabletop exercise: All Hands on Deck for a Security Incident.

But before the 100 people in the room began roleplaying an incident that they hoped they’d never have to experience in real life, there were some unsettling facts to share about cybersecurity.

Rampado told the crowd that the attack surface — the sum of the different points in a software environment that can be accessed by unauthorized users — “is increasing at an exponential rate,” thanks in part to the runaway growth of mobile devices.

But the talent pool is not growing to meet that threat. He urged employers to “do a better job of bringing more immigrants in with these skill sets so we can learn from them and build that (cybersecurity) community.”

Participants enjoyed some light moments despite the gravity of the cybersecurity threats they discussed during a workshop at True North 2019. (Communitech photo: Sara Jalali)

Michele Mosca, co-founder and Deputy Director of the University of Waterloo Institute for Quantum Computing, went further, saying, “We need people from a broad spectrum of backgrounds. The lack of gender and ethnic diversity is a real security threat. This is not just a social justice issue; we need that diversity of thought and views to tackle the challenges of cybersecurity.

“We moved so much of our lives and economy into cyberspace without understanding the consequences.”

The need for staff was bookended at the end of the session by Dinah Davis, Vice-President of R&D for Arctic Wolf, a security operations centre as a service with an office in Waterloo, who invited attendees to spread the word about the CyberCity Conference to be held Oct. 1 in Kitchener.

“There are 40 different security companies in Waterloo. We need to hire people,” she said.

Davis said that “Every company in this region is going to have to have cybersecurity experts on staff. We want to showcase K-W as a cybersecurity hub in Canada.”

Lewis Humphreys, Managing Director of UW’s Cybersecurity and Privacy Institute, riffed on the True North “tech for good” ethos by noting that security is fundamental to privacy and democracy: “Cybersecurity involves everyone. Everybody is at risk.”

The “cybersecurity fire drill” involved a fictional waste management company, with attendees grouped into six departments: Finance, Legal, Human Resources, IT, Support and Marketing. Jamie Hari, CEO and Founder of Waterloo security service Derisk, played the unflappable CEO of the room.

John Svazic, Information Security Manager at Waterloo infrastructure management firm Auvik Networks, was the simulation leader, and with the addition of 20-sided and six-sided dice to each table to randomize events, a bit of a D&D gamesmaster. “You will either love me or hate me” by the end of the simulation, he told the group.

On an imagined Friday, company staff opened their computers to find their screens locked and displaying a ransomware demand: Pay $300 per computer or lose your data forever.

With all contracts, payables/receivables and payroll offline, the internal workings of the company grind to a halt, while customers and the media are calling to ask what the problem is. And IT? Everyone is calling IT.

The D20 and D6 dice are rolled, and the group discovers that, among other things, the company has a disaster plan that hasn’t been tested and is locked up in the system; there is no cyberattack insurance; Slack works, so the CEO can get a message out to clients; and 25 per cent of the staff don’t get the advisory about not clicking the buttons on the ransomware screen.

There was levity and intensity as the teams worked to contain customer panic and return to full operation.

Svazic wrapped up the exercise by revealing that the source for the system breach was the CEO himself, who recycles his passwords and has access to all aspects of the company, even though such access is unnecessary. “Sometimes you have to ask the hard questions even of your superior,” said Svazic. “Use this workshop as a reason to make that case.”

In the simulation, it took 10 minutes to idle 500 machines and hobble the entire business. “If they don’t practise proper security hygiene,” said Svazic, “it can spread like wildfire.”

He urged participants to return to their organizations and make the case for a disaster recovery plan. He said the nearly standard response from organizations is “That’s never going to happen to us.”

Svazic offered a pro tip: “If you don’t have a plan, run one of these – you’ll build a plan.”

Some tips from the tabletop exercise:

    • Keep a paper version of the emergency plan in a prominent location: a system version is no good to you if the system is locked up.
    • Prepare your elevator pitch to investors or clients beforehand. Don’t waste time in an emergency writing it.
    • Don’t use the word “breach” when communicating with clients. Breach suggests data loss. Just say the website is down.
    • Long-term backups are important because dwell time for hackers to reside in the system can be several months.
    • Practise security hygiene and train staff not to click any links on a ransomware warning.
    • Never recycle passwords.
    • Very few staff members should have the ability to access all company data. Those access points are entry points for unauthorized users.