Teach everyone to spot the moonwalking bear

Are we thinking about cybersecurity talent – and the global skills shortage – in the wrong way?

At Black Hat MEA 2022, Dr. Alissa J. Abdullah (Deputy CISO at Mastercard) shared her experience of leading cybersecurity for global private and public organisations, including as the former Chief Information Officer for President Obama at the White House.

Abdullah opened her keynote with a video of two teams of basketball players, practising passes. The video asked us, the viewers, to count how many passes the white team made.

“The answer is 13,” said the narrator; “but did you see the moonwalking bear?”

We did not see the moonwalking bear.

“It’s easy to miss something you’re not looking for,” Abdullah said. “And that is what the adversary hopes that we do. That we’re so busy with all of our tasks, with trying to do the right thing, that we click on a phishing link — and that link is the moonwalking bear.”

The simple reality of cyber threat

It’s a simple illustration of how human focus and distraction works. Of how incredibly easy it is for us to miss a huge red flag if your mind isn’t actively looking for it, or if you are actively looking for something else.

And this effect can be heightened when it’s coupled with fatigue. “We’ve now moved into an era of multi-factor authentication,” Abdullah noted, “and one of the biggest and quietest scams coming out is called MFA fatigue.”

You get a notification on your device asking you to authenticate a login attempt. A threat actor is trying to get into the network – they’ve already got your password. You know you haven’t tried to login to anything – so you deny the request.

Two minutes later you get another prompt. You deny it again.

Another two minutes go by, and then the same thing happens. Now you’re tired of these notifications popping up, and you want them to stop – so you click accept. Not because you’ve made a login attempt, but just because you don’t want to see another prompt.

And just like that, the threat actor is in.

What’s the moonwalking bear got to do with talent?

“The adversary doesn’t say, you can be a hacker if you go to university, have a lab in your room, get this certification, etc. That’s not how the adversary works. That’s not how the dark web works.”

And yet within cybersecurity, there’s an expectation that roles must be filled with candidates who have degrees, and graduate degrees, and pieces of paper that promise they know what they’re doing. Even beyond that, when it comes to looping an organisation’s employees into an overall cybersecurity strategy, there’s often an assumption that most employees will never be able to do a good job in cyber.

Abdullah argued that this attitude is doing security a disservice.
If threat actors don’t need degrees and certifications in order to hack a network, “why are we putting that amount of pressure on our employees?”
“To be a successful hacker, all it takes is drive. And I’ll say in order to be successful in cybersecurity, all you need is drive.”
“So,” she added, “we have to stop this mindset that we don’t have enough talent. We’ve got the talent. We sometimes, as internal organisations, have to reframe how we ask for talent, how we pick talent, how we upskill our talent, and how we use the talent that we have.”

Teach everyone when to look for the moonwalking bear.