By Yanfeng Jin | April 11, 2018 • Atlanta, GA
Cybersecurity experts say that Internet of Things (IoT) security is today where information security was in the 70s. “But I don’t think we have 40-50 years [to wait] for mature IoT security,” noted one expert – Joshua Sorenson, manager of Delta Information Assurance Leaders (DIAL) at Delta Air Lines.
Sorenson delivered a lecture on “KineticThreat” and the rapidly changing landscape of information security to the Georgia Tech community on Friday, April 6, as part of the Cybersecurity Lecture Series. Organized by the Institute for Information Security and Privacy (IISP), the free and open-to-public Series invites thought leaders in the field of information security and privacy to give one-hour lectures about their research.
“Information security is a rapidly changing field,” said Sorenson. “It sits on a foundation of information technology, which is already very dynamic... Security further accelerates this pace as threat actors work to innovate and defenders are challenged to respond and stay ahead of the threat.”
According to Sorenson, one of the biggest problems in information security now is that attackers are shifting their focus from confidentiality to availability. Although attacks compromising confidentiality (such as breaches of credit card data and personally identifiable information) make the news regularly, there is rapid growth in Distributed Denial of Service (DDoS) and ransomware attacks, he said, which aim to force a target to shut down. These attacks on availability are now financially impacting companies “on a magnitude previously reserved for data breaches,” Sorenson noted.
With the shift from confidentiality to availability, Sorenson argued that “KineticThreat” will become one of the biggest problems in information security. The term refers to a class of cyber attacks that cause direct or indirect physical damage, injury, or death solely through the exploitation of vulnerable information systems and processes. Once confined to science fiction, KineticThreat has already become a reality, as evidenced by Stuxnet, the malicious computer worm that famously damaged centrifuges in Iran’s nuclear program, and the German steel mill cyberattack, in which attackers prevented a blast furnace from shutting down properly and caused significant material damage to the site.
The trend will continue, according to Sorenson, given the explosion of IoT and operational technology (OT), and the limited security maturity in both spaces.
Adapting in the Workplace
While most security professionals are skilled in Information Technology (IT), and those skills translate well to IoT, few have a skill set in OT.
“To be effective security professionals, we need to be able to span the IT, IoT, and OT worlds in order to secure our businesses and communities,” he said.
As the manager of DIAL, Sorenson works with Delta’s most senior IT leaders to address their information security concerns and to make information security a valued partner from the inception of new efforts. At a global company like Delta, whose business lines range from the airline itself to an oil refinery, the only way for Sorenson’s team to apply security effectively is to learn each business line and ensure that security supports its needs.
Sorenson has an educational background in information technology and finance, and reports being the youngest graduate to date of the University of Iowa’s Tippie College of Business. He also earned a professional certificate in cybersecurity from Georgia Tech.
“The Georgia Tech Cybersecurity Certificate allowed me the opportunity to gain hands on experience in a number of areas where I [had] previously held leadership or advisory roles, but never hands on,” said Sorenson. “This deepened my understanding in this space and has allowed me to more effectively lead.”
How to Marry Tech + Leadership
Sorenson’s advice to current students is “to leverage Georgia Tech’s superior technical education” to gain both a broad and deep understanding of the technologies involved in information security, and how they fit together.
However, knowing the technology is only a start.
“I would recommend [that] everyone take at least one class in governance or security management,” said Sorenson. “This provides a great high-level view of how all the parts of security come together—it helps you explain ‘why’ we need technology rather than just ‘what’ we need.”
Sorenson also emphasized the importance of communication, especially with “non-technologists.” To gain support and funding for security, information security professionals need to become proficient at storytelling and demonstrate the impact of information security in ways that resonate with non-technologists.
“Trying to explain, to a non-technologist, the gory details of how polymorphic malware works… can be a losing battle,” he said. “Telling a story, effectively, about when this has happened and what impact happened to the business is a much more valuable skill.”
However, there is a growing shortage in the industry of what Sorenson called “talented talents” -- those who “really know what they’re doing, understand both the big picture and the details of security, understand technology beyond just security, and can relate all of that back to a business process or impact.”
The information security industry changes rapidly. The threats and technologies shift constantly, but, according to Sorenson, the underlying concepts and principles remain. To thrive in such an environment, security professionals need to be adaptive, to teach themselves, and to apply their existing knowledge to new and unfamiliar situations so that they can rapidly become proficient in a new space.
As Sorenson said, “the ability to learn, discover, and grow often sets the high performer[s] apart.”