Facebook’s Jennifer Henley: ‘There is a serious skills shortage in IT security’

9 Jul 2015

Facebook is going all-out to give users better privacy controls, said security chief Jennifer Henley

It takes 36pc longer to find security professionals for IT roles and in the coming decade two-thirds of security positions could go unfilled due to the lack of qualified candidates, Facebook’s director of security operations Jennifer Henley has warned.

Henley, who was in Dublin today (9 July) with Facebook’s deputy chief privacy officer Stephen Deadman, said that privacy is a two-way street and that security and privacy efforts by social networks are only worthwhile if users themselves are better empowered.

Henley previously held security roles at eBay and PayPal, while Deadman was up until last year chief privacy officer at Vodafone.

Henley said: “My role focuses on coordinating key strategic priorities, and that includes rolling out the tools and technologies to make sure the right people are talking to each other and prioritising the right things. My job is about raising security awareness internally and externally. As a female in this space, I am also committed to increasing diversity in security and STEM in general.”

Deadman, who guided Vodafone through the fallout from the Edward Snowden revelations, said that every day Facebook conducts more than 80 trillion privacy checks on objects (pieces of content). Broken down, this includes 70bn object privacy checks a minute and, for the average user, 2,500 object privacy checks every time you reload News Feed.

Henley said Facebook’s security team is spearheading a mission to collaborate with other players like Twitter, Yahoo!, Pinterest, Microsoft and Tumblr.

It’s time for businesses to collaborate on defeating the hackers

She said that in the cat-and-mouse game between IT companies and hackers, the tech companies are losing out because they don’t collaborate, and for this reason Facebook is leading an industry-wide initiative to shift the balance.

“We realised in the last few years that the attackers have been collaborating for quite a while, sharing information on the black market and sharing methods and tools – but as an industry we need to learn something from this approach.”

For its part, Facebook has been open-sourcing products and apps to help companies both defend themselves and share information to ward off attacks.

Two tools have been created: osquery, which allows security teams to catch unwanted changes to operating systems and which has become one of the most popular tools on GitHub, and ThreatExchange, an API platform designed to help businesses share information on malware, harmful URLs and apps.

Within Facebook, she said, the social network hosts Hacktober every year, which engages Facebook workers in all kinds of security exercises and teaches them how to respond to threats such as phishing and malware on USBs, as well as general security consciousness, such as guests walking around unaccompanied on campus.

The UX push behind privacy

Both Henley and Deadman pointed out that privacy isn’t just a personal right or security challenge, it is a design challenge.

“We think of privacy as a product, putting people in control of who they connect with,” Deadman said, adding that it has become a company-wide effort involving UX designers and a wide spectrum of backgrounds and skill sets.

“Privacy is a design challenge,” he said. “The experience has to be intuitive and as easy as possible for people to manage. If you have to learn how to manage your security settings, to us that’s a design failure.”

He pointed to core changes to the Facebook mobile app and its desktop app that make it clear if you are sharing with friends or sharing content publicly.

He said that each minute on Facebook more than 70bn objects or pieces of content are checked for privacy.

He said that every week at Facebook people are brought into its labs to sit down and walk through privacy tools and, through a feedback loop, people are constantly surprised that people who are not their friends can see their posts.

Henley said Facebook is testing a Privacy Checkup feature in the US, India and Germany that walks users through the key settings they need to apply to protect their information, and that will go global later this year.

“Nine out of 10 people who do the Privacy Checkup go through to the end, so it is effective.”

“The check consists of questions and teaches people the basics of privacy, such as how to change their passwords.”

She added that Facebook has applied reporting tools that also empower users to have content removed or raise alerts if there is offensive material posted or they are being harassed.

“We have teams around the world reviewing these reports and if they violate community standards then the content is taken down.”

Facebook now employs close to 1,000 people in Dublin

Deadman added that with 1.5bn people using Facebook every month the social network’s operations have to be structured in such a way as to handle privacy and security threats.

He said that Facebook employs close to 1,000 people in Dublin, who between them speak 50 languages. The social media giant is also building a €200m data centre in Clonee, Co Meath.

“We had good reasons for setting up our office in Dublin. The regulatory environment is seen as being of a good, high standard and Facebook in Dublin covers services for every country worldwide outside the US and Canada.”

The Dublin operation covers small business marketing, communications, engineering, data protection, compliance and risk among its myriad of roles. “We have 10 offices in Dublin supporting the business and we opened our first artificial intelligence lab in Paris last month.”

Deadman said that everybody in different countries thinks about security and privacy differently. “Europe is the most sensitive when it comes to sharing and privacy, Europeans share less and keep their groups tighter. In India, people are more concerned about connecting their real identity with online identity and have concerns about ID theft. In north Africa, people are willing to use social media to make new connections with people they don’t know in the physical world, while in Indonesia people are using the technology in a wholly different way.

“Our job is to reflect these different needs and put control back in the hands of people.”

Henley said that other efforts aimed at protecting privacy include making use of the Tor Hidden Services to allow people to use Tor to safely access Facebook.

“This is important for journalists and activists in conflict regions to safeguard their privacy,” she said. “This is used by a small set of people but ensures that the traffic coming to our servers no longer needs to leave Tor.”

Other steps include the addition of HTTPS encryption on URLs and the ability for people to apply PGP encryption via their profiles to protect notification emails.

The most important security tips, she said, include everyone setting up two-factor authentication as well as login approvals. “It takes less than 10 seconds to set this up and it is the single most effective tool that exists and gives you peace of mind to ensure it is you accessing your social media.”

On the question of Safe Harbor and the impact of the Max Schrems case about the location and privacy of user data, Deadman acknowledged that Facebook is receiving more and more queries from people about what happens to their data and where it is stored.

He said that if Safe Harbor between the US and Europe is removed it won’t affect Facebook greatly. “It is one of the bases, but not the only basis. If it was to fall away it would be a mechanism that showed political alignment, but there are other mechanisms.

“The problem with challenging Safe Harbor is that it will have an impact on smaller businesses that don’t have the manpower to do the heavy-lifting in terms of moving data,” he warned.

Ultimately, Deadman said that Facebook is determined to get the balance right in terms of privacy and security.

“We are a business built on trust. It is essential to maintain trust. We are still a young company that has matured a lot in the process – we have put a lot of thought and effort to build our team in Ireland and engineering is at the heart of the company.

“I’m at pains to say how hard we work to get this right and it is essential to our own motivation as a business.”

The security professional skills shortage

Henley said that the biggest change that is occurring is how much more dialogue there is between Facebook and consumers in terms of the public taking a more active control in managing their own security.

However, she said that the problem isn’t just empowering consumers to take control over their own security; the problem is finding security professionals.

“It takes 36pc longer to find security professionals than it does to find other IT professionals. The US Department of Labor has found that two-thirds of security positions could go unfilled due to the lack of qualified candidates.

“How do we get more people interested in IT security as a career?” she asked.

She pointed to the fact that there are 350 undergraduate programmes in the US focused on cybersecurity and that 42pc of high school students in the US taking part in ‘capture the flag’ hacking workshops are interested in protecting the internet.

“This is an opportunity,” she concluded. “We are seeing just as many young people interested in a security career as being a doctor or a lawyer. It is key that a greater understanding of opportunities in this space exists.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
