Preparing the Security Workforce for a Connected World

The ‘Internet of Things’ (IoT) is currently comprised of an estimated more than 16 billion connected devices worldwide¹, with growth expected to reach more than 200 billion by 2020². This growth is being spurred not just by volume, but by variety as well. Smartphones and computers are being joined by wearable devices, automobiles and even kitchen appliances like refrigerators and coffee makers.

Everyday objects becoming smarter and more connected is a widening trend. One example is a smart home. From my smartphone, I can turn on lights, adjust the thermostat and even unlock my front door. Though these advancements seem futuristic, we are witnessing only the beginning of the potentially connected devices and the IoT present.

This connectivity is also spreading to the security world, providing a more efficient and accessible alternative to analog systems like closed-circuit security television³. Instead of being connected to a server in a back room where a person has to be present to access the information, video can be uploaded to the cloud and be made accessible to anyone in the world with the stroke of a few computer keys⁴. Cameras also can be enabled with facial recognition software connected to a database of employees to instantly identify a person inside a building who may not belong⁵. And digital signatures allow security to track employees⁶ and sensitive materials throughout the building⁷.

These exciting emerging technologies are changing the way people live their lives and the way business is done. However, the more IoT introduces new technology, the more it opens new gateways for cyber-criminals. Six out of every 10 connected devices contain security concerns in their interface, and 90 percent of devices collect at least one piece of personal information from the user⁸. This means billions of devices containing valuable information to hackers are vulnerable to cyber-attacks. And even those that do not collect information can open doorways to hackers, giving them to access to other devices that do.

The growth of the IoT, and the subsequent expansion of cyber-crime has an enormous impact on the security industry. The security workforce is formidable, with a total of more than 3 million professionals in the United States alone⁹. Currently, one million professionals in this workforce are employed in information security¹⁰, a number that is expected to grow by 18 percent between 2014 and 2024, greater than the national average of other occupations¹¹. With this rapid growth, it is forecast there will be an extensive global shortfall of information security professionals of 1.5 million by 2020¹², heightening the dangers presented by cyber-attacks.

A number of large hacking incidents across multiple industries over the past few years, including government¹³, health care¹⁴ and social media¹⁵, highlight the very real threat of the IoT being exploited for criminal activity. We’ve also seen “white hat hackers” demonstrate vulnerabilities, including last year when one of these teams demonstrated how a hacker can breach a smart car and take control of everything from the radio to the steering and acceleration¹⁶. Similar concerns are being expressed with smart homes¹⁷ and connected medical devices¹⁸. And along with all of these revelations, we have seen the overall number of cyber breaches rise over the past three years¹⁹. This emphasizes the importance of building a security workforce that is prepared to face the challenges of a connected world.

I believe part of this starts with bridging security and IT departments. For many companies, the role of information security falls within IT, while security maintains the protection of the building and its contents and personnel. But as the security profession continues to evolve and become more technological in nature, the line separating the two departments is becoming more and more blurred²⁰. By debunking the misconception that both departments are independent of each other, physical security and information security can work together to form a greater barrier of protection, especially when it comes to employee behaviors – one of the greatest threats to a company.

Almost half of all data breaches in 2015 were the result of the theft or loss of materials containing sensitive information, employees misusing their credentials to access sensitive information or from employees unintentionally downloading ransomware or malware²¹. An IT professional may see the solution as technological and suggest building a better firewall or blocking certain programs from the system. Physical security may focus on the person who committed the breach, evaluating whether there was intent and if that employee is a threat. By converging the two approaches, we can maintain their strengths while limiting their weaknesses. But this can only work if we ensure that all security professionals receive the proper training and education.

This starts with establishing core competencies necessary for professionals in the industry. This is why University of Phoenix College of Security and Criminal Justice worked with industry leaders to develop the Enterprise Security Competency Model²². This first-of-its-kind model, which has been endorsed by the U.S. Department of Labor and implemented by Fortune 500 companies²³, outlines the unique set of competencies and skills security professionals need to develop in order to face the challenges the industry will be seeing over the next five years, including cyber breaches.

These increased challenges will result in a greater demand for a technologically intelligent security force. As we become more connected, computing will slowly become an extension of the individual, making our environment smarter and more contextually aware²⁴. Greater security measures are being developed for a variety of endpoint devices and the communication channels that connect them all. Passwords are gradually being replaced by more advanced systems such as facial recognition and fingerprint scanning²⁵. We must have a workforce armed with the skills and training aligned with the job demands that these new challenges will present.

To help achieve this goal, University of Phoenix introduced the Cybersecurity & Security Operations Institute. The Institute promotes the integration of physical and cyber operations into a unified organizational body and is dedicated to the education, training and professional development in the field of physical security and cyber security operations²⁶. Students learn from experienced professionals in security and IT and study real-world scenarios through hands-on simulations. This education prepares students with the skills they need to be effective security professionals their first day on the job, with the ability to adapt to new challenges they will face in the future²⁷.

The role of the security professional is evolving well beyond its traditional perception as a spin-off of law enforcement thanks to the part the industry will play in an ever-expanding, connected world. Tomorrow’s security professional must be prepared to protect outside intruders on both a physical and cyber level. The only way the industry can meet this challenge is by ensuring security professionals have the adequate training and skill sets to protect our information.

About the Author: Dr. Kirsten Hoyt is the Academic Dean for the University of Phoenix College of Information Systems and Technology and the co-director of the University of Phoenix Cybersecurity and Security Operations Institute.