The cybersecurity skills needed today and tomorrow.

Bret Arsenault, Microsoft's Chief Cybersecurity Advisor, on today's skills gaps.

Bret Arsenault, Microsoft's Chief Cybersecurity Advisor, visited Whatcom Community College to learn about its cybersecurity program and understand how Microsoft can provide solutions in the state of Washington and beyond. These are the highlights of our discussions.

July 22, 2024

Skills Gaps – Current and Future 

According to Mr. Arsenault’s global perspective, these are the hot areas that deserve more training in the college sphere. 

Containers and Microservices 

Mr. Arsenault said, “This is a growing global problem. It’s a skill gap problem, but also a technology gap problem.” Containers and microservices are small, fast, and easy to deploy. Thus, their proliferation within an organization can grow beyond the ability of IT Security to keep them safe. The world needs tools and standardized rules to govern and secure containers and microservices. 

SBOM Skills and Supply Chain Security 

SBOM stands for Software Bill of Materials. According to CISA, an SBOM is a nested inventory, or a list of ingredients that make up software components. CISA and its affiliate organizations are working to formalize and promote procedures and tools to advance the adoption of solid SBOM strategies.  

According to Mr. Arsenault, every company should define how they control provenance and be able to defend their adherence to good SBOM practices in the face of an audit or in a post-incident report. Additionally, he states that every company should “track where their code comes from and be able to say if it has been modified and by whom. Is it open source or is it proprietary? Who touched it and when?” 

Hardening and adopting strong SBOM procedures is a global need, as is codifying rules for it within federal and state laws. Mr. Arsenault has a strong interest in building strategies to protect open source code from corruption by evil actors.

College programs for IT Project Management, Cybersecurity, and Software Development should include up-to-date training in this area. 

Securing Hybrid Environments 

Mr. Arsenault stated, “Not everyone is ‘cloud-first’ because it doesn’t make sense in all environments.” Therefore, many organizations continue to build and use in-house, or “on premises”, hardware and software stacks. These usually must blend seamlessly with cloud resources and must be accessed by remote workers. Securing these hybrid environments is a challenge. 

IT personnel in charge of hybrid environments must understand how to manage resources, capacity, and security across the two realms. The procedures and rules are different between on-prem and cloud. 

Colleges that teach cloud technology should teach security best practices throughout all classes. Conversely, every cybersecurity program must teach cloud technology – how it works and how to secure it. 

Cloud Native App Development 

IT professionals are needed who can govern and manage the whole development process for cloud-native applications. 

According to the Cloud Native Computing Foundation, “cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.” 

Everything that lives in the cloud should have a cloud-native design and approach. This means that all parts of the stack should adhere to a unified set of standards: for example, standardized logging and events, along with the ability to match those logs and events to a standardized catalog that multiple microservices can use.

The college grad who understands all this is ready for hire. 

Artificial Intelligence 

Regarding AI, Mr. Arsenault says, “We see people writing code 30% faster now with AI assistance. But how can we keep up with the security needs of so much new code? DevSecOps people are needed who understand the whole ecosystem.”  

DevSecOps is a tactical and operational methodology that seeks to unify development and operations with security as the continuous force that propels every step. But now, as AI is rapidly adopted, DevSecOps must evolve even faster.  

Cybersecurity students should be taught business decision-making factors related to AI. They must learn how to securely use AI tools, how to protect them from abuse, and learn effective AI prompting. 

Threat Modeling 

Threat modeling is a “massive gap” that Mr. Arsenault sees in today’s college programs. He says, “Code must be designed from the very beginning to account for what bad guys might do to the product.” Along with writing User Stories in the Agile development process, teams should brainstorm “Evil User” stories too.  Envision not only how the end-users will enjoy the software product, but also predict how evil users might exploit it, and how innocent users might blunder and break a feature that’s poorly designed. 

Threat modeling is used in infrastructure planning and support too. So, network designers, technical support engineers, and system administrators also need this skill. 

College instructors can lead students through threat modeling exercises as a form of hands-on practice. Secure design principles should be taught in programming classes. And networking students can practice table-top exercises for disaster planning.  At all levels, it is useful to teach the mindset of threat actors. So, it is appropriate to add one psych class to a college IT program, especially if it’s criminal psychology. 

Planning for Disasters 

Mr. Arsenault sees a huge gap in the tech space around planning. “When something goes wrong, what’s the plan? Who will do what, and how? Is the plan documented? And have you done practice drills? Every company should do formalized threat modeling which should result in a documented plan for a variety of scenarios.” 

IT Project Management programs are an appropriate place to teach disaster planning skills. 

End to End Security and Access Management 

Most breaches are an access and authentication problem. Access management may sound boring, but it’s critical. We need people who can secure accounts and guard digital assets. Protection of digital assets should not come at the cost of time-consuming security challenges that frustrate legitimate consumers. This is made ever more complex by the nature of hybrid environments with remote access. 

We need technological advancements to help us with access management in complicated infrastructures. And we need skilled people to deploy and manage these technologies. 

Summary

These skills listed by Mr. Arsenault are tightly interconnected with each other. None of them can stand alone. In like manner, each class within a cybersecurity college program must incorporate these skills from start to finish. Thread them throughout the entire learning process from enrollment to graduation. Clarify how each skill connects to the others.

We look forward to future meetings with Mr. Arsenault where we can support each other's initiatives in the world of cybersecurity education.

Bret Arsenault visits CCoE and NCyTE at Whatcom Community College campus. Brent Lundstrom (CCoE), Bret Arsenault (MS), Michele Robinson & Anna Ritchey (NCyTE)

Bret Arsenault - Chief Cybersecurity Advisor for Microsoft