Award-winning cybersecurity leader Katie McCarthy discusses the ongoing diversity problem in the industry and the biggest cyberthreats for companies.
There are a few things we know to be true about the cybersecurity sector. Firstly, due to the fast-paced world of emerging tech, the threat landscape is getting dangerously large.
Secondly, the industry is suffering from a significant skills shortage to deal with this expanding threat landscape. In fact, the latest report from (ISC)² revealed a substantial jump in the size of the global workforce gap to 3.4m – up from 2.7m the previous year.
However, the industry suffers from another problem, one that is sadly not unique to cybersecurity – a lack of diversity.
Katie McCarthy, head of cybersecurity at Uisce Éireann, was recently named the winner of the Cybersecurity Leader award by the organisers of Zero Day Con, Smarttech247.
Speaking at the event, Smarttech247’s Raluca Saceanu said the award aims to recognise the hard work that goes into protecting businesses.
The award judges said: “Katie’s role in leading and defining the cybersecurity direction of [Uisce Éireann] provides an example to others to develop and implement security measures that protect against cyber threats.”
While she is undoubtedly a fantastic role model for women within the cybersecurity sector, she told SiliconRepublic.com that there still aren’t enough women in the industry.
This is something she was particularly aware of early in her career. “While my own employer was very active in promoting diversity and inclusion across all areas, this was not always the case with clients,” she said.
“While I could handle this most of the time, when high-pressure projects, tight timelines and demanding stakeholders all came at once, a comment about my appearance, my capability or my interests hit a lot harder.”
To combat these challenges, McCarthy completed a degree in cybersecurity, immersed herself in podcasts and webinars, and spoke to her peers about her experiences.
“Underrepresentation of women in cybersecurity is still an issue and increasing that representation can only stand to improve the industry for all involved.”
The ever-evolving landscape
McCarthy has worked across various tech and security roles over the last number of years so she is used to the constantly changing attack surface with which she is faced.
Currently, she said, the prevalence of third-party cloud applications, combined with advances in techniques for bypassing identity and access controls, has become a major security challenge for organisations.
“Many organisations have only just crossed the threshold into multifactor authentication adoption. However, attackers are becoming more adept at finding ways around this. Targeted user awareness training that drives behavioural change is the best way to address this. However, there is no silver bullet against social engineering.”
In the next five to 10 years, McCarthy is expecting an increase in the prevalence and volume of cyberattacks, particularly with the increased accessibility of powerful AI services and ‘cybercrime-as-a-service’ offerings.
“This will mean that all organisations and businesses will need to build up a level of cyber capability, regardless of size or industry. Social engineering will likely remain a key contributor to compromise. However, these may move to much more advanced attacks with advances in voice simulation technology and AI models.”
Among all the emerging technologies, McCarthy added that any tech that reduces friction between an end user and cybersecurity controls will have the biggest impact.
“This is likely to take the form of multiple, well-designed, seamlessly integrated technologies working in harmony as opposed to one individual solution. For example, passwordless solutions, which mean a user can be authenticated to a high level of confidence with only a biometric like a thumbprint, will considerably improve the security of an organisation.
“This requires a number of well-integrated controls including biometrics, endpoint management and a well-managed identity and access management solution.”
Alongside this, she said end-user experience is becoming more and more important, which means cybersecurity offerings need to secure customers without compromising experience.
Offering advice
With so many trends and threats to keep track of, leaders can often feel overwhelmed. However, McCarthy said the most important mistake to avoid is treating cybersecurity as a hurdle rather than a key input in their business model.
“Over the last few years there’s been a welcome shift in IT as a whole with cybersecurity increasingly being accepted as a core requirement of IT change. However, cybersecurity functions are still seen as a gatekeeper to be appeased as opposed to a key contributor to achieving the best outcome,” she said.
“Businesses should look to engage cybersecurity teams as early as possible – the earlier we are engaged, the more effective we can be in assisting the business to achieve what they need and in a secure manner. This enables cyber teams to proactively support the business and move away from the ‘department of no’ reputation that we are desperately trying to shake!”
For those who want to work in the industry, she recommended talking to someone already working in the sector.
“There are so many different domains within cybersecurity, each one requiring a different skillset. Not everything in cybersecurity is technology heavy! For example, if you want to be in the technical deep end investigating and tracking down incidents you’re likely looking at a position in a security operations team.
“If you prefer a more holistic view, looking at an organisation’s risk and threat profile and understanding where the most critical risks are, then risk and compliance is a better area to look at,” she said.
“Once you have an idea of where you want to be in cybersecurity, demonstrate that interest on your CV. There are lots of free training resources online (cybrary.it was what I used starting out), and even more cybersecurity podcasts to choose from. Being able to discuss core topics and ideas in an interview goes a long way, even in the absence of formal experience.”