This story was originally published in Az Business magazine.
Hacking and data breaches have been in the public mindset for a long time. But as more technology is integrated into our daily lives and the workplace, you and your firm have become even more susceptible to a hack – highlighting the importance of cybersecurity, an industry Arizona is on the frontline of shaping.
You’ve probably seen the splashy headlines about data breaches hitting big names like Banner Health, Chick-fil-A, Equifax, Target, the U.S. Postal Service, Sony, Yahoo! and the list goes on.
Like many other people, you might have brushed off those headlines or yawned, thinking you’re glad not to have to manage those damage control teams. But in this growing world of cybercrime and technology, it’s no longer a matter of if you’ll be playing damage control after a data breach at your firm, it’s a matter of when.
“Small and medium-sized businesses are drastically underestimating the risk by just thinking, ‘They’re not interested in me,’” says Michael Cocanower, founder and president of Phoenix-based itSynergy. “In fact, hackers are very interested in you. They realize, ‘I can spend six months hacking into Target, or I can spend this afternoon hacking into your 20-person company and make $10,000 off that.’”
Cybercrime has cost businesses, individuals, governments and the world game-changing amounts of money.
Cost of cybercrime
Cybersecurity Ventures, a research and market intelligence firm, reports the cost of cybercrime will grow from $3 trillion in 2015 to $6 trillion by 2021. United Kingdom-based research firm Juniper Research predicts cybercrime will cost businesses alone more than $2 trillion by 2019.
However you cut it, cybersecurity will only get more serious and more important as time moves on. Many businesses are unprepared, with 87 percent of small businesses reporting that they do not have a formal written Internet security policy, according to the National Cyber Security Alliance.
Also, The National Cyber Security Alliance reports that 60 percent of small companies are unable to stay in business six months after a cyberattack.
Cocanower says business owners need to be much more aware of cybercrime and the importance of having their cybersecurity systems up to snuff.
There are a variety of ways hackers can infiltrate your business and you need to be aware of them, Cocanower says. Phishing scams and downloading malware or viruses are probably the most common and known. But you could also be compromised by inputting your password on a website you think is real, using open Wi-Fi, the list of risks goes on.
Nothing Web-connected is safe either. Your smart phone, watch, car and Web-connected toaster oven are just the newest items susceptible to attack.
Sure, you can download the latest anti-virus software, hire a skilled cybersecurity team (if you can find people who are qualified and available) and do 100 different things to keep your company secure, but that’s still not enough. Why? “The weakest link in any system is the human being,” Cocanower says.
No one wants to give their company a virus, but many do because they weren’t aware that simply clicking the wrong link can get you in hot water, Cocanower says. Just ask 2016 Hillary Clinton Campaign Chairman John Podesta how clicking a single suspicious link can lead to a world of trouble.
Cocanower hopes the headlines about data breaches are making people aware. Each time he sees one, he thinks it will be the biggest story of the year, when instead the headlines are met with yawns.
Everyone needs to look at cybercrime and cybersecurity with a holistic approach, something Cocanower says the local universities and trade schools are doing. Looking at cybercrime deterrence not just as an engineering problem, but as a people problem, will lead to better protection, he says.
“I don’t think we’ll ever get to a point with cybersecurity where you can buy this set of tools and you’re done, you’re secure. That will never happen,” Cocanower says. “Of course, you have to look at technology, but I think you have to look at psychology and the social side and all these other things.”
The Cyber Desert
At the risk of sounding overzealous, there’s a war out there for data. Hackers, whether they’re independent actors or hired by another entity, are trying to access the massive amounts of data your firm collects and stores.
They want to bog your website down, lock you out of your system until you pay a ransom, steal trade secrets or skim every number (social security, credit card, etc.) from your hard drives.
Last year, the Identity Theft Resource Center tracked 1,093 data breaches in the U.S. IBM’s Ponemon Institute’s 2017 Cost of Data Breach Study found that the average cost of a data breach is $3.62 million, putting the average cost per lost or stolen record in a data breach at $141.
Hackers can make a lot of money through data breaches and there is a lot of opportunity out there.
On the proverbial frontline of this cyber war are many Arizona-based businesses, organizations and leaders. For many years now, they’ve been working to keep data safe, boost consumer awareness of the risks of cybercrime and teach the next generation of cybersecurity professionals.
These companies have been creating software to secure websites, mobile security applications, advanced authenticators and they work with businesses in the wake of a cyberattack.
Many of these companies and leaders have been operating in Arizona since the early ’90s, around the same time Arizona’s software industry started to take shape.
Sean Moshir, co-founder, chairman and CEO of Scottsdale-based CellTrust, has been one of the many local leaders operating within the cybersecurity space in Arizona for many years. You don’t typically hear about the cybersecurity firms operating in Arizona because they’re mostly operating on a national level with little local marketing, Moshir says.
In the past, many cybersecurity companies grew in Arizona until larger corporations acquired them, Moshir says, which is why there aren’t many large firms here. But Arizona is home to many medium-sized firms, he says.
One challenge Arizona’s growing cybersecurity industry faces is that it’s unknown, they’re all in stealth mode. Despite these companies operating within the same space, they’re disjointed, Moshir says.
These companies struggle to fill open positions at their firms because of the extreme shortage of cybersecurity talent in the nation.
The Peninsula Press, a data analysis project by Stanford University’s journalism program, reported in 2015 that there are more than 209,000 unfilled cybersecurity jobs in the U.S. and that demand for cybersecurity jobs was expected to grow by 53 percent through 2016. There have been other projections showing an increased need for cybersecurity talent in the millions through the 2020s.
This is why Cyber Security Canyon was created by local cybersecurity leaders like Moshir and Ori Eisen, CEO of Scottsdale-based Trusona.
Cyber Security Canyon markets Arizona’s growing cybersecurity firms so the local firms can attract what little available talent is out there.
“We started creating the Cyber Security Canyon so we could figure out how to bring more talent to Arizona and make Arizona a cybersecurity center,” Moshir says.
Moshir’s firm CellTrust, Eisen’s Trusona, along with the University of Advancing Technology, the cities of Phoenix and Scottsdale and the Arizona Commerce Authority are just a few organizations working with Cyber Security Canyon to create education initiatives and more awareness of the local industry.
Scottsdale’s Mayor Jim Lane was involved in the local technology sector before running for public office and is keenly aware of the local cybersecurity industry.
“We are actively trying to attract and build cybersecurity companies in Scottsdale because the idea of clustering industries can become an attraction to the industry itself — or to individual businesses and components within the industry,” Lane says. “Building a critical mass is a critical component to building an industry in a region.”
In the trenches
One of these Scottsdale-based cybersecurity companies is WGM, which was founded by Arizona native Chuck Matthews in 2011 after hearing about data privacy concerns from his clients.
WGM helps clients identify areas of risk they have and create cybersecurity guidelines, while also helping create a client’s cybersecurity system. WGM helps the company monitor its system and, in the event of a breach, investigates the breach.
Matthews sees a tremendous amount of opportunity within Arizona for his cybersecurity firm because of the tens of thousands of businesses operating here that need it. Arizona is home to many small and medium-sized businesses, which typically can’t afford the best cybersecurity protection.
Large firms in Arizona, such as Raytheon, have very sophisticated and mature cybersecurity operations, because they’re a vendor of the federal government, Matthews says. But your smaller businesses, with about 300 employees, don’t have a mature cybersecurity operation, or much of a budget, which means they’ll want to partner with an organization like WGM, Matthews says.
“We’ve designed our set of services and capabilities to help supplement those organizations and really meet their needs,” Matthews says. “They just can’t afford to have a full-time cybersecurity team, particularly with people who have the kind of expertise we have.”
To ensure that he has the experienced staff members to serve his clients, Matthews has turned towards hiring former FBI special agents to lead his teams.
Matthews says Arizona is also home to some of the biggest cybersecurity users in the nation. There are military bases, federal contractors, manufacturers, large healthcare organizations and a vibrant financial services industry and all of them are potential cybercrime targets.
Matthews says cybersecurity jobs tend to follow the areas where there are large concentrations of these industries because many of these companies have a higher obligation for cybersecurity and there is a lot of money at risk.
Despite the large concentration of potential cybersecurity users in Arizona, it isn’t necessarily one of the top cybersecurity employers, Matthews says. But he does see aspirations from Gov. Doug Ducey, and other state leaders to encourage growth in the cybersecurity industry.
If Arizona continues on its low-cost of business path and recruits large cybersecurity users, the state can continue to become a leader in the cybersecurity space, Matthews says.
But even now, Arizona’s cybersecurity industry isn’t just present, it’s growing.
It’s no secret that the technology sector has been thriving in Arizona. From 2010 to 2012, the Phoenix area’s tech job growth was among the strongest in the country, according to CBRE’s annual tech talent report.
Neill Feather, CEO of Scottsdale-based SiteLock, a cybersecurity firm that works to secure clients’ websites, says that growth from cybersecurity firms has been impressive recently.
Arizona is a good place for SiteLock, Feather says, because it is able to attract the much-needed talent to help his firm grow, while still residing in an area that’s off the beaten track. Hiring is extremely competitive, but it is easier to do so in Arizona, Feather says.
SiteLock has been in expansion mode lately. The firm recently purchased a Netherlands-based startup called Patchman. The startup’s technology automatically detects and patches vulnerabilities for hosting providers and their customers. Since the purchase, SiteLock boasts the largest threat database in the industry.
“You’re starting to see more and more cybersecurity firms, either headquarter or at least have offices here in Arizona,” Feather says. “We see the continued growth not only in our business, but across the street is a cybersecurity firm and there a few others cropping up and creating this Cybersecurity-Silicon Desert kind of concept.”
The challenge ahead
Like any industry, Arizona’s budding cybersecurity cluster faces challenges.
There’s a disconnect between the industry and local leaders, Moshir says.
He notes that when local governments utilize local technology, such as a state entity using a locally based cybersecurity solution, the industry can really gain steam. But local authorities aren’t tapping into local cybersecurity solutions.
“Somehow, they need to come to the table and start utilizing some of the technology here in Arizona to promote the industry,” Moshir says. “To me, it makes a lot of sense for state and local governments and businesses to use Arizona-based software because the money generated from that stays in Arizona and it boosts the economy as well as local businesses.”
Moshir says the local industry also needs more investment, something technology companies have been struggling to attract for some time.
And then, at the end of the day, there’s a marketing problem, Moshir says. Just not enough folks know about Arizona’s growing cybersecurity industry. But Cyber Security Canyon is working on this issue and members are starting to see traction in that field, he says.
Cyber Security Canyon has created a space to promote local leaders, post jobs and brag about how nice it is to live, work and play in Arizona.
But the industry still has that pesky talent problem. There just isn’t enough of it to fill key roles at companies.
One way to create more talent for the industry’s future is to increase awareness, while also reaching out to students.
One group, Women in Cyber Security, recently hosted its Women in Cyber Security Conference in Tucson. This was the first time the conference was held in Tucson and hosted women from across Arizona and the country, who were mostly students.
The industry as a whole is lacking prospective hires, but women’s representation in the industry is alarmingly low. Wendi Whitmore, a global partner and lead at IBM’s X-Force Incident Response and Intelligence Services, spoke at this year’s conference.
She has seen the conference grow every year, with more and more female students attending in hopes of learning and being inspired to further their cybersecurity studies.
Whitmore says creating more awareness around the cybersecurity industry is crucial to attracting tomorrow’s workers. Many schools have been adding cybersecurity into their curriculums and the next step is encouraging and creating more education initiatives around the space.
One key to creating a local industry, Whitmore notes, it to host more cybersecurity competitions for younger kids.
“This is a national defense issue, and we need to continue to encourage that level of awareness and competition to allow people to really exercise those cybersecurity skills,” she says.
Arizona’s education leadership
The talent issue cybersecurity faces isn’t just a local issue. It’s a national one.
But to better protect the nation, Arizona has been playing a unique role in educating future talent, focusing on not just creating new cybersecurity talent for an industry starving for talent, but by also researching new ways to combat rising cybercrime.
Phoenix is home to the Arizona Cyber Warfare Range, which works to help cybersecurity professionals work on their skills through self-paced training, mentoring and real-world experience.
The University of Advancing Technology offers a wide range of cybersecurity degrees, which are recognized by government entities and the industry for creating the workforce of the future.
And all three of the state’s universities are playing a part in workforce development and research.
The University of Arizona has one of the nation’s biggest cybersecurity programs with the AZSecure Cybersecurity Fellowship Program, which offers full scholarships for qualified U.S. students in exchange for public service.
There are also programs where students can get certificates in cybersecurity, all the way up to a master’s in cybersecurity. UA has been designated by the National Security Agency and Department of Homeland Security as a National Centers of Academic Excellence in Cyber Defense. This program works to reduce the United States’ vulnerabilities in its information infrastructure.
UA is also playing a unique role with its research by taking a holistic approach to better prepare cybersecurity professionals for future threats.
One of the university’s leaders is Hsinchun Chen, director of UA Cyber Security Initiatives. Chen’s research is focusing on cyber threat intelligence, something in which he has experience. During the late 1990s, Chen developed the software behind COPLINK, which created a database of known criminals to help law enforcement agencies across the nation track criminal movements.
Chen is now working on creating a similar database of cybercriminals. His research is scanning hacker forums and databases that hackers share to better understand upcoming threats.
This is needed, especially since any cybersecurity system is only as strong as its weakest link, which means you will be breached, Chen says.
“Arizona has a more holistic perspective of looking at the cyber threat actors, understanding the emerging threats, not just taking a passive engineering approach,” Chen says. “Taking a more holistic approach between governments, industries and protecting your identity can help us become the leaders in this space.”
Because of this, Arizona is on the cutting edge of the next generation of cybersecurity, education and research, he says.
With the cybersecurity industry planting roots in Tucson and Phoenix, Arizona has a real opportunity, Chen says. The University of Arizona will be able to create more benefits for the industry through its research, while the Phoenix area attracts more funding and creates more opportunities for the next generation of students.
“When you combine both areas together, you’ll have a good pipeline for cybersecurity,” he says.