The Cybersecurity and Privacy Institute (CPI) hosted the All Hands On Deck for a Security Incident workshop at True North 2019 and announced their new industry collaboration with CyberCity, a Waterloo Region cybersecurity industry organization.
Lewis Humphreys, managing director of CPI, led the session. “We are very pleased to be working with local industry to address the talent gap problem in security and helped to found CyberCity to organize the local ecosystem,” said Humphreys. “We have 45 security companies in our region and want to be recognized as the national hub for cybersecurity business, much of it emerging from University research and spinoffs. It’s an important economic driver for the region and we want to help our Waterloo graduates find good jobs close to home.”
Tech company leadership and product management teams had the opportunity to learn from Steve Rampado, a Deloitte senior partner and author of an influential report about the talent gap in the Canadian cybersecurity industry. Michele Mosca of the University spoke about the importance of Waterloo in educating the students who will eventually have cybersecurity careers and gave an overview of the University’s cybersecurity research areas. Members of CyberCity then demonstrated what a cybersecurity breach would be like in a tabletop exercise for the True North participants.
The talent gap
Steve Rampado, risk advisory partner at Deloitte, explained how a second industrial revolution, in which we are more interconnected than ever, has increased our exposure to security risks, and how the attack surface is increasing at alarming rates. On top of this threat to Canadian security, we’re experiencing a talent gap in the cybersecurity industry of 8,000 unfilled high-paying technical jobs.
Rampado also shared that, in addition to a zero per cent unemployment rate, gender diversity in the field is at an all-time low. He suggested that to tackle the gap and the diversity problem, businesses need to do better and support an inclusion agenda. But it doesn’t stop there. Governments need to work with academia and support immigration policies that make it easier to recruit a highly skilled international workforce, while academia increases the number of people applying for programs in this field.
Deloitte has more information about this topic in the Changing Faces of Cybersecurity report.
A history of cybersecurity at Waterloo
Michele Mosca, a professor in the Department of Combinatorics and Optimization and a founding member of the Institute of Quantum Computing, shared his personal path to studying post-quantum cryptography, a field he originally didn’t think would exist. He also spoke about Waterloo’s history in the field of cybersecurity, from Bill Tutte’s work in World War II to elliptic curve cryptography and data integrity, to the work on privacy happening at Waterloo before it was a “thing”. Waterloo’s advantages, he added, were its research capabilities from foundation to application, multidisciplinary research through the Cybersecurity and Privacy Institute, and the ability to prepare the next generation through coursework, co-op, and internships.
Mosca concluded, “We are winning the battle, but losing the war.” He questioned how we can position ourselves to get ahead of the threats. Mosca has been suggesting for some time that we need a proactive plan to get ahead of quantum computing, which will break everything we depend on for the digital economy, and that we need to work harder to prepare the workforce of tomorrow.
Simulating a security incident
Jamie Hari, CEO and founder of Derisk, took the stage to stress that “Everybody needs to be responsible for security and privacy.” To prove his point, he walked us through the cyber equivalent of a fire drill: a tabletop exercise with John Svazic, information security manager at Auvik Networks, and Dinah Davis, VP of Research and Development at Arctic Wolf. (Imagine a game of Dungeons and Dragons where actions and consequences are decided with a 20-sided die and a six-sided die.)
The group ran the simulation on the premise that attendees worked for a software-as-a-service provider for a waste management company of 450 employees that experienced a ransomware outbreak. Each table represented a department in the company and had to make decisions for the company based on the department’s expertise, with consequences decided by the roll of the dice.
The attendees ultimately paid the ransom but got no key to unlock the system. This also happened in the real situation that the simulation was based on. In that situation, the ransom was a smokescreen by a competitor to steal IP and take down production. The attackers got in because the CEO retained systems access as the company grew, and he kept re-using his passwords.
The moral of the story: Ask the hard questions when it comes to security – even of your supervisors. We never think it will happen to us, but Svazic recommended that everyone go back to their workplace and develop a disaster recovery plan if one didn’t already exist.
The workshop ended with Arctic Wolf Vice President, Research and Development Dinah Davis (MMath ’03) announcing the new CyberCity conference on October 1, 2019. Tickets for the CyberCity Conference at Catalyst 137 went on sale Wednesday, June 19. The conference, hosted by Auvik Networks, Arctic Wolf, Derisk, and CPI, will feature a keynote by Cat Coode, founder of Binary Tattoo.
If you’re interested in presenting, there is an open, blind call for papers.