What Does the Colonial Pipeline Ransomware Attack Mean for Cybersecurity Hiring?
In May 2021, Colonial Pipeline suffered a ransomware attack, which shut down gas pipelines throughout the eastern United States. While 2020 and 2021 have seen a string of publicly reported ransomware attacks, this one was particularly high-profile, because it impacted ordinary people’s lives. Panic-buying of gasoline led to shortages in numerous states and resulting in rising gas prices nationwide.
How will the high-profile Colonial Pipeline ransomware attack impact cybersecurity hiring and you, the cybersecurity career seekers? It’s easy to say high-profile cyber attacks lead to increased investment in cybersecurity, but let’s dig a little deeper. We can infer a few things about the state of Colonial Pipeline’s cybersecurity staffing from public reporting.
Colonial Pipeline Cybersecurity Staffing
First, Colonial Pipeline does not appear to have a Chief Information Security Officer (CISO), despite being a critical infrastructure company. The 2018 results of a tech audit recommended they hire a CISO. Instead those responsibilities were reportedly given to a direct report of the Chief Information Officer (CIO).
Second, Colonial Pipeline has had a job posting listed for a Cybersecurity Manager for 30+ days. The position was posted to LinkedIn two months ago and had over 80 applicants on that platform. (At the time of this writing the position is still posted.)
Third, based on public reporting and LinkedIn searches Colonial Pipeline appears to have almost no dedicated cybersecurity staff.
What Is Different This Time?
The Colonial Pipeline ransomware attack is the latest publicly visible cyberattack on US public and private technology systems. This latest cyberattack pushed the Biden Administration to issue Executive Order on Improving the Nation’s Cybersecurity. The Executive Order is intended to:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
Improve Software Supply Chain Security
Establish a Cybersecurity Safety Review Board
Create a Standard Playbook for Responding to Cyber Incidents
Improve Detection of Cybersecurity Incidents on Federal Government Networks
Improve Investigative and Remediation Capabilities
There is indication the cybersecurity legislation may follow this Executive Order. The landscape of US responses to cybersecurity appears to be shifting. (The White House released a helpful Fact Sheet, for anyone not inclined to read the whole Executive Order.)
How Will This Impact Cybersecurity Hiring?
The Colonial Pipeline ransomware attack has every reason to spark increased interest in cybersecurity. Corporate boards of directors across the US and the world got a well-publicized view of what can happen, when cybersecurity is treated like an additional duty for IT. Why highlight the board of directors? Because they have a fiduciary responsibility to oversee good governance practices, risk management, and to protect stakeholders.
There is an increasing school of thought that board members risk opening themselves to personal liability (i.e., they could be sued personally) over cyberattacks, which result from corporate negligence. No board member wants that, so boards will likely start asking more questions about their company’s cybersecurity program. This is particularly likely, as some view the new Executive Order as a prelude to cybersecurity federal legislation.
Colonial Pipeline’s lack of success hiring a Cybersecurity Manager demonstrates that cybersecurity hiring is hard, especially when you have no cybersecurity professionals to lead and prioritize it. When pursuing opportunities at companies with nascent cybersecurity programs, be aggressive in getting in front of them. After all, they don’t have the infrastructure in place to streamline cybersecurity hiring.
Speaking of infrastructure, the Colonial Pipeline ransomware attack occurred at the intersection of information technology (IT) and operational technology (OT). This highlights opportunities for career changers with previous experience with OT. While it is important for companies with physical infrastructure (like gas pipelines), most cybersecurity professionals don’t have experience with OT. It’s a niche, which can be leveraged by career changers already in the space.
In the wake of the Colonial Pipeline ransomware attack, you’ll likely find numerous companies—which were already struggling to hire or underinvested in cybersecurity—willing to take a chance on career changers and first-time cybersecurity professionals. However, don’t expect the heavens to open and start raining cybersecurity jobs. It will be even more important to network to find these opportunities. These companies are less likely to have mature hiring processes. They can however offer some really good experience early in your cybersecurity career. Good luck!