Andrew Pak - How to Close the Talent Gap in Cybersecurity

Andrew Pak

Critical Stats

LinkedIn: https://www.linkedin.com/in/andrew-pak-5366252/

Started their cybersecurity journey in: 2011

Most passionate about: Helping non-technical folks understand cybersecurity risk.

Favorite zero-day: Ones that are now resolved.

Favorite song: Midnight in a Perfect World by DJ Shadow


Introduction

Andrew is a practicing attorney who is a former DOJ prosecutor. He counsels businesses on cybersecurity, data protection, risks, compliance, and litigation matters requiring deep technical knowledge.

Andrew draws on his experience as a former federal prosecutor with the U.S. Department of Justice (DOJ) and as in-house counsel to a global Fortune 500 financial institution to advise clients. In addition, he is a Certified Information Systems Security Professional (CISSP), meaning he has practitioner-level knowledge and experience in cybersecurity matters.

Andrew is a mover-and-shaker

We selected Andrew because he is a mover-and-shaker, but more than that, he is a triple threat! He is an attorney, a cybersecurity guru, and a skilled public and private sector professional. He does it all!

Without further ado, we asked Andrew our standard set of 5 questions to rule them all, and here are his responses:

Five questions to rule them all!

1. What is the biggest problem we are dealing with in cybersecurity?

The most significant cybersecurity challenge my clients typically face is a lack of qualified cybersecurity personnel. Sometimes, this results from internal resource constraints, but oftentimes, this results from a lack of qualified personnel in the job market. When it comes to services/functions that are cybersecurity adjacent (such as compliance and legal), the problem can be even worse, as it is even more challenging to find talent in these fields who are well-versed in cybersecurity, as those fields already require significant training and experience in other subject matters.

2. How can we address the talent gap in cybersecurity?

We can address that challenge through increased training and education at all levels. The more we can make cybersecurity a core element of any education, the more we can close this gap. However, it is also crucial to provide professionals who have completed their formal education with opportunities to gain competence in this space through informal educational resources and, where feasible, on-the-job training and exposure. In the near term, it is crucial for organizations to consider where they have gaps and to supplement them as needed through outside resources to the extent that they can bring to bear the relevant specialized knowledge and experience.

3. What are three actions a CEO can take to protect their company from cyberattacks?

  1. Assess key metrics: Assess the reporting metrics you rely on for understanding the state of cybersecurity within your organization to determine whether you (and for larger organizations, your Board) have the visibility needed to make valuable insights. Picture someone on a journey to get healthier who does not track their activity, caloric intake, and the like. That person may have the right intentions but may lack the data needed to help focus their energy in a way that will improve their overall health.

  2. Understand the risks: Ensure senior management is aware of your cybersecurity posture based on the available metrics, where you don’t have metrics (and might need them), and the associated risk for each. At the end of the day, a Chief Information Security Officer (CISO) is not exclusively responsible for an organization’s cybersecurity but is responsible for ensuring that relevant decision-makers (especially the ones approving budgets) know the relevant cybersecurity risks and tradeoffs their decisions implicate.

  3. Make awareness training a priority: Where senior management does not appear to take cybersecurity seriously enough, focus on increasing awareness through tabletop exercises that involve them as participants. Given the growth and seriousness of ransomware attacks, organizations are increasingly aware of the need to engage all members of senior management in such training. If done correctly, awareness training can be an eye-opening experience for CEOs and other members of senior management who may not think about cybersecurity every second of the day.

4. What are the best resources for learning more about cybersecurity?

People who work in this space. Do not underestimate how much you can learn from subject matter experts willing to share their knowledge. Hold on to their contact information and treat them well when you encounter one. They can help you understand concepts holistically and point you to more specific resources to study.

A large part of cybersecurity risk is understanding how the threat actors operate. I am a regular reader of Brian Krebs’ security blog, which provides significant insights into what many categories of threat actors are doing and how they operate.

For lawyers, I would recommend a deep dive into the New York Department of Financial Services’ "Cybersecurity Regulation." To be clear, this is a regulation; however, for a lawyer, it can be read as a set of recommendations, written at a level of generality that is easier for lawyers to follow, that tracks many relevant industry guidelines for what amounts to “reasonable cybersecurity.”

5. What is one piece of advice for those wanting to pursue a cybersecurity career?

Embrace the limits of your knowledge, but strive to increase them. In any conversation with technical folks, it can be daunting to identify areas where you lack knowledge. Keep in mind that anyone you are speaking with who has more knowledge than you was also in your position at some point and is typically willing to help you elevate your game. For those who work in adjacent fields touching cybersecurity (e.g., compliance, risk, or legal), sometimes the instinct is to avoid engaging with technically complex material and ask your technical folks to answer specific questions, giving you just enough of an explanation to make a decision. While that can be a reasonable approach where time is limited, it is not the way to grow your career in this space because you will have missed opportunities to really gain insights that will make you more effective in your role. Instead, when time permits, I encourage you to understand the material and internalize it fully.

