Apple is bringing client-side scanning mainstream and the genie is out of the bottle
Apple clearly thought it was onto a winner with its child sexual abuse material (CSAM) detection system and, more than likely, it was expecting more of the usual gushing plaudits it is used to. It’s not hard to imagine Cupertino thinking it had solved the intractable problem of CSAM in a way that best suited itself and its users.

Apple claims its system is more private because it doesn’t actively scan or monitor photos uploaded to its servers, unlike pretty much everyone else in the industry, but as the weeks go by, it looks increasingly like Apple has created a Rube Goldberg machine in order to differentiate itself. The consequences of this unilateral approach are far-reaching and will impact everyone, not just those in the Apple walled garden.

Governments have been pushing for big tech to create decryption abilities for some time. One way to reach a compromise is to have an encrypted system but not allow the users to encrypt their own backups, thereby allowing some visibility into content, while another is to have a full end-to-end encrypted system and inspect content when it is decrypted on the user device for viewing. While the rest of the industry settled on the former, Apple has switched lanes onto the latter.

This shift occurred just as Australia handed down its set of draft rules that will define how its Online Safety Act operates. “If the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful,” the draft states.

Canada goes a step further in a similar draft. In its iteration, it is demanding proactive monitoring of content relating to CSAM, terrorism, incitement to violence, hate speech, and non-consensual image sharing, and creating a new Digital Safety Commissioner role to assess whether any AI used is sufficient, according to University of Ottawa law professor Dr Michael Geist. Should it become law, online communication services in Canada would also have 24 hours to make a decision on a piece of harmful content. How that potential law interacts with Apple’s decision to set a threshold of 30 CSAM images before injecting humans into the process and inspecting the content’s metadata will be something to watch in future.

While the Canadian proposal has been deemed to be a collection of the worst ideas from around the world, the likes of India, the United Kingdom, and Germany are likewise pushing forward with internet regulation. Apple has said its CSAM system will start only with the United States when iOS 15, iPadOS 15, watchOS 8, and macOS Monterey arrive, meaning one might be able to argue Apple will be able to avoid the regulations of other western nations. But not so fast. Apple privacy chief Erik Neuenschwander said in a recent interview that the hash list used to identify CSAM will be built into the operating system. “We have one global operating system,” he said.

Even if Apple has consistently stated its policies aim to prevent overreach, use by corrupt regimes, or false suspensions, it’s not clear how Apple will answer one very important question: What happens when Apple is issued with a court order that goes against its policies? There’s no doubt non-US legislators will take a dim view if the sort of systems they want are available on Apple devices.
“We follow the law wherever we do business,” Tim Cook said in 2017 after the company pulled VPN apps from its Chinese app store.

While there are plenty of worthy concerns and questions about Apple’s system itself, the consequences of the existence of such a system are cause for greater concern. For years, Apple has pushed back on demands from US authorities to help unlock phones of people alleged to be involved in mass shootings. When responding to FBI demands in 2016, Cook wrote a letter to customers that rebutted suggestions that unlocking one phone would be the end of the matter, and said the technique could be used over and over again. “In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession,” the CEO said.

The key to Apple’s argument was the words between the em dashes, and now in August 2021, while that exact capability does not exist, an on-device capability is set to appear on all its devices, and that’s a good enough reason for concern.

“Apple has unilaterally chosen to enrol its users in a global experiment of mass surveillance, seemingly underestimated the potential costs this could have on individuals who are not involved in the manufacture or storage of CSAM content, and externalised any such costs onto a user base of one billion-plus individuals around the world,” Citizen Lab senior research associate Christopher Parsons wrote.
“These are not the activities of a company that has meaningfully reflected on the weight of its actions but, instead, are reflective of a company that is willing to sacrifice its users without adequately balancing their privacy and security needs.”

For the sake of argument, let’s give Apple a pass on all of its claims — perhaps the biggest of the tech giants can resist legislative pressure and the system remains fixated only on CSAM within the United States. However, this will take eternal vigilance from Apple and privacy advocates to ensure it follows through on this.

The bigger problem is the rest of the industry. The slippery slope does exist, and Apple has taken the first step down. Maybe it has boots with ice grips and has tied itself to a tree to make sure it cannot descend any further, but few others do. Suddenly, on-device scanning has become a lot less repugnant because if a company as big as Apple can do it, and they promote themselves on the basis of privacy and continue to sell squillions of devices, it must therefore be acceptable to users.

Building on that, shady businesses that want to upload data to their own servers now potentially have a nomenclature built out for them by Apple. It’s not the user’s data, it’s safety vouchers. What previously could have been deemed a form of exfiltration is now done to protect users, comply with government orders, and make the world a safer place. Those systems that follow in the wake of Apple are unlikely to have as much concern for user privacy, technical expertise and resources, ability to resist court orders, or just flat out good intentions that Cupertino appears to have.

Even if Apple were to dump its plans tomorrow, it’s too late. The genie is now out of the bottle. Critics and those who want to pursue an on-device approach will simply say Apple has buckled to pressure from extreme sections of the privacy debate if it does decide to change its mind.

Companies are going to compete over who can best poke around on devices, boast about how many of their users were arrested, and how that makes them safer than other choices. Missing in this will no doubt be the number of mistakes made, edge cases that are never properly considered, or anguish caused to some of those who pay for devices. It’s not going to be pretty.

Apple doesn’t seem to grasp that it has turned its users’ relationship with its products from one of ownership into a potentially adversarial one. If your device is scanning content and uploading it somewhere, and you cannot turn it off, then who is the real owner? It’s a question we will need to answer soon, especially because client-side scanning is not going away.

ZDNet’s Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
Get unlimited StackSkills courses, a VPN lifetime sub, and a password manager for just $50

Has the frustration of the last 18 months or so made you want to completely change your life? If you’re ready to get serious about that, you’ll find everything you need to get started in The StackSkills, KeepSolid VPN Unlimited, & Sticky Password Lifetime Subscription Bundle.

StackSkills Unlimited Online Courses

The StackSkills Unlimited Online Courses will train you in skills ranging from marketing, business, and finance to blockchain technology, and more. They are designed for all levels of experience, from complete novices to advanced professionals. You’ll get over 1,000 existing courses, plus more than 50 new ones are added every single month. Best of all, these classes offer certifications that will make your resume shine, and you will have access to premium customer support. Use the engaging content delivered by StackSkills Unlimited Online Courses to generate a side income or to completely change careers. The impressive 4.5 out of 5 stars rating on TrustPilot says it all.

VPN Unlimited: Lifetime Subscription

If you’re hoping to use your new skills to work remotely from exotic locations, then you will need to be super cautious about security. A lifetime subscription to VPN Unlimited can relieve you of a great deal of worry. You can enjoy blazing connection speeds with no bandwidth or speed limits. With access to over 400 servers in 80 locations, you can watch any content you like, without buffering or geo-restrictions.


You’ll get military-grade encryption, a kill switch, and a strict zero-logging policy, plus 24/7 customer support. It’s no wonder that VPN Special said: “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

Sticky Password Premium: Lifetime Subscription

Still, to guarantee the ultimate protection, you really should have a strong password manager. A lifetime subscription to Sticky Password Premium ensures that you’ll never forget another password again. You’ll get an automatic one-click log-in and mega-secure data protected by AES-256 and true two-factor authentication. Cloud backup is included as well as syncing on both cloud and local WiFi. Priority support means there is really nothing left to ask for.

If you’d prefer to spend your hard-earned funds on gaming accessories instead of commuting expenses, don’t miss this opportunity to change your life and protect your data. Get The StackSkills, KeepSolid VPN Unlimited, and Sticky Password Lifetime Subscription Bundle while it’s on sale for just $49.99.

China pushes through data protection law that applies cross-border

China has pushed through a new personal data protection law that details regulations around collection, use, and storage. It includes data processing by companies based outside of China and encompasses requirements for organisations, including multinational corporations operating in China, to appoint someone responsible for its compliance.

The Chinese government on Friday passed the Personal Information Protection Law (PIPL), outlining a set of rules on how personal data should be collected, used, and stored. It had gone through a couple of revisions since it was first pitched last year.

To come into effect from November 1, the bill was approved amidst the “chaos” data had created, with online platforms over-collecting personal data, according to a report by Xinhua News Agency. The state-run news outlet noted that some businesses had deployed facial recognition systems without authorisation, “secretly” capturing consumers’ faces and other biometrics data. China is home to 989 million online users as of end-2020.

“China has always attached great importance to personal information security. The law on personal information protection clarifies rules on the processing and cross-border providing of personal information,” Xinhua quoted Zang Tiewei, a spokesperson for the Legislative Affairs Commission of the NPC Standing Committee, which approved the bill Friday. Zang noted that there had been increased scrutiny on technologies that carried out user profiling and ran recommendation algorithms, which had led to issues such as data-powered price discrimination. The new law aimed to address such problems, he added.

According to Xinhua, the PIPL stipulated that brands must not deploy marketing tactics that targeted “personal characteristics” and must provide consumers with options to decline targeted marketing.

Major online platforms that owned personal data of a large customer base also must establish an independent body, comprising mainly of external parties, to oversee how the information was handled. In addition, these companies would have to lay out data protection policies that were based on “openness, fairness, and justice” as well as regularly publish reports on their data protection initiatives. With regards to facial recognition systems, the law required “signs” to be prominently displayed at public locations where such equipment would be installed and images captured. Furthermore, the collection and use of such data must be limited to “safeguarding public security”.

Companies dealing with Chinese consumers have to ensure compliance

Modelled broadly after Europe’s General Data Protection Regulation (GDPR), the PIPL set a range of obligations, administrative guidelines, and enforcement actions regarding the processing of personal data, according to a blog post published Friday by Future of Privacy Forum (FPF). The report was jointly authored by FPF’s Asia-Pacific director Clarisse Girot, global privacy director Gabriela Zanfir-Fortuna, and policy analyst for global privacy, Hunter Dorwart. They noted that the PIPL applied to personal data transferred outside of China by imposing obligations on handlers before such data was moved abroad, such as complying with a security assessment by relevant authorities. It also included mandatory risk assessments for specific processes, such as automated decision-making that could have “a major influence” on consumers. Organisations must establish a dedicated entity or appoint a representative in China responsible for issues related to their data processing.
The name and contact details of such representatives would have to be provided to the relevant authorities overseeing the implementation of the law.

The PIPL also extended to data processing by companies based outside of China when one of three conditions was met, such as instances where the data processing was carried out for the provision of products or services to consumers in China as well as when the data was used to analyse or assess the activities of consumers in China. The third condition, in particular, referred to “other circumstances provided in laws or administrative regulations”, which the FPF said left a “margin of discretion” to Chinese authorities to “further extend the long-arm jurisdiction of the law in cross-border scenarios”.

The FPF further noted a “distinct national security flavour” in the PIPL, which was most apparent in reference to provisions on data localisation and cross-border transfers. “The law incorporates provisions that affirm China’s intention to defend its digital sovereignty,” the authors wrote. “Overseas entities that infringe on the rights of Chinese citizens, or jeopardise the national security or public interests of China, will be placed on a blacklist and any transfers of personal information of Chinese citizens to these entities will be restricted or even barred.” “China will also reciprocate against countries or regions that take ‘discriminatory, prohibitive, or restrictive measures against China in respect of the protection of personal information’.”

According to the FPF report, the new Chinese law had a complex enforcement framework that included financial penalties of up to 5% of an organisation’s turnover as well as punitive actions, such as orders to stop processing data and confiscation of unlawfully attained profits. If a business refused to correct the violation, it could be fined up to 1 million yuan ($150,000).
Employees directly responsible for and overseeing the data violation also might be slapped with a fine of 10,000 yuan ($1,500) to 100,000 yuan ($15,000). In more serious violations, financial penalties could go up to 50 million yuan ($7.5 million) or 5% of annual revenue in the company’s previous fiscal year.

Omer Tene, vice president and chief knowledge officer at International Association of Privacy Professionals (IAPP), said the new law would require the submission of cross-border data transfers to Cyberspace Administration of China (CAC) for security assessment. In addition, data held by organisations that handled large data volumes, a threshold Tene noted would be defined by CAC, had to be stored locally in China. In a series of Tweets posted a day before the PIPL was passed, he added that the law was “heavily based on consent”, with no provision for data processing based on “legitimate interest”–though, this did not include the need to fulfil contracts or compliance with a legal obligation. “If you’re doing business in China, get legal advice. They’re not playing around,” he cautioned.

The CAC last month ordered Chinese ride-sharing platform Didi to remove its app from local app stores for breaching regulations governing the collection and use of personal data, just days after the popular app made its debut on the New York Stock Exchange. Didi was further instructed to rectify “existing problems” and “effectively protect” users’ personal data. Earlier in May, the CAC had singled out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps.
Citing complaints from the public, the government agency said operators of the apps were found to have infringed the rules after authorities assessed several popular apps, including map navigation apps.

These 15 IT certifications have the best ROI

IT training company Global Knowledge has released a ranking of the 15 top-paying certifications in 2021 based on the responses of 3,700 US-based respondents, finding that some Google, AWS and Microsoft certifications often led to six-figure salaries.

Number one on the list was the Google Certified Professional Data Engineer, which the survey found can bring in $171,749. Google Certified Professional Cloud Architect was next on the list with a salary of $169,029, followed closely by Associate AWS Certified Solutions Architects, who bring in $159,033.

CRISC, CISSP, CISM, PMP, CISA, MCSE, CompTIA Security+, CCA-V and other certifications all made their way onto the list, with salaries ranging from $151,000 to $110,000. Certifications for Azure, Cisco, Nutanix and VMware were also featured on the list. The company surveyed US IT workers from November to February this year and only included certifications that got at least 68 responses. The researchers behind the study noted that many of the top-paying certifications relate to cloud computing and cybersecurity. ITIL Foundation is the most widely held certification, the survey found.

More than 65% of IT leaders said the annual economic value of having an employee with the additional skills and contributions made by being certified over a non-certified employee is over $10,000, while another 22% said the annual value is $25,000 and above.

“Technology is only as powerful as the capabilities of the people trained to use it,” said Michael Yoo, general manager of technology & developer skills at Skillsoft, which owns Global Knowledge. “With this in mind, certifications are an excellent way of infusing vital skills into an organization, while boosting employee productivity and investing in ongoing professional development.”

More than 75% of IT leaders said they struggle to find employees who match the skills they’re looking for, particularly now that hacks and technology-related outages have become more commonplace and damaging, Yoo explained. Yoo added the certifications on the list are all accredited by industry leaders, including AWS, Cisco, Google Cloud, ISACA and Microsoft.

Yoo told ZDNet that project management and virtualization are perennial entries in this list, which he said is not surprising given how mission critical those skills are. “With Virtualization, it is the technical backbone of any modern technical infrastructure that hopes to run efficiently at scale, and it’s essential whether you are working on-premises, in the cloud, or in a hybrid of both,” Yoo said. “The no. 1 reason mentioned by IT professionals who changed jobs and why organizations who support continuous learning/upskilling will have an easier time attracting and retaining talent while deriving more value from its employees. If IT professionals don’t see a future with your company, they’ll leave.”

This was backed up by the findings of the survey, where 52% of respondents had two to four positions they were unable to fill in the last 12 months. Yoo noted that the pandemic has accelerated cloud adoption and made it clear that enhanced digital security measures have become fundamental to business operations.

“Cybersecurity risks paired with the high rate of skills gaps and growing talent wars, you can understand why organizations are willing to pay higher salaries to skilled IT professionals who can protect them,” Yoo said. “In regards to cloud computing, worldwide end-user spending on public cloud services is forecast to grow 23.1% in 2021 to total $332.3 billion, up from $270 billion in 2020, according to Gartner, Inc. The crisis was a catalyst for establishing the value and flexibility of cloud computing. However, with cloud adoption, IT now faces the challenge of finding skilled talent.”

IT departments, Yoo explained, are now investing more in hiring externally or upskilling employees with the necessary certifications.
How does NordVPN work? Plus how to set it up & use it


The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works.

Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired).

What a VPN actually does is take data that you’re sending out over the Internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. NordVPN, which is the service we’re talking about today, has more than 5,200 servers across the world.

On the flip side, a VPN takes data from a server on the internet, encrypts it on one of Nord’s servers, and sends that encrypted data to your computer, which decrypts it when it arrives. This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. By virtue of your data leaving the VPN provider’s server (which, for NordVPN, can be in your choice of 60 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server.

That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security.

OK, so with that introduction into how VPNs — and, specifically, NordVPN — work, let’s look at how to set up and install NordVPN. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

Servers: 5242
Countries: 60
Simultaneous connections: 6
Kill switch: yes
Logging: Email address and billing information only
Price: $11.95 per month
Best Price: $89 for two years ($3.30/mo)
Trial: 30-day refund guarantee
Supported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, more

Installing NordVPN

To kick things off, point your browser at the NordVPN website. The company does run promotions from time to time, so the promotion shown here may or may not be on the site when you visit. Once you click in, you’ll need to choose your plan, create an account, and purchase the service. At this point, it’s time to dig into the dashboard to get your download.

Once you log into your account, you’ll see the dashboard. Unfortunately, unlike most of the other VPN services we looked at, the most appropriate download isn’t immediately presented. You’ll need to click View Details first. There are some helpful resources shown on this next page, but what you want is the Download link. And now, finally, you can download the Windows client.

Once downloaded, go ahead and hit the Open File link. And tell Windows that yes, you did want to do what you just did. And then tell Windows where to put the client program. You can choose to add a desktop icon and a start menu entry. This is a test Windows install that was set up just for this demo, so we’ll drop both the icon on the desktop and into the Start menu. Normally, on my production Windows machines, I don’t let installers put icons on the desktop (if given the option). It’s your machine, so choose as you wish.

And just to quench your need to click even more, here’s one more screen before the install actually happens. Nope. I was wrong. This is the last screen you have to click before the install is done. Yes, Virginia, there really is an application at the end of all those clicks. Go ahead and log in using the same account and password you established when purchasing the service.

Checking Settings

OK, now that we’re finally in the client application, hit the almost hidden gear at the top of the window to get into the settings area. This first page allows you to choose whether the client is always running when you start Windows and whether the screen is minimized. If you want things to happen behind the screen, turn on minimized. If you want a reminder that NordVPN is present, let it show up on your screen at normal size.

Let’s move down to the Auto-connect tab. This is pretty powerful. You can decide that your computer is always routing traffic through the VPN or not. You can also turn it on if you’re using Wi-Fi instead of a hard-wired connection. You can also tell it that certain Wi-Fi networks (like your home or office network) don’t need to be set up with the VPN service. That way, when you leave home and go to, say, a coffee shop, it will automatically connect via the VPN. Powerful option.

The last settings pane we’re going to look at today is the Kill-Switch. This shuts down your Internet connection if the VPN link is severed. This is important because you don’t want data to suddenly go across the network unencrypted and unprotected.

Using NordVPN

And, with that, let’s get started using the VPN service. The easiest thing to do is hit Quick Connect. You can also choose the country you want to connect via. I’m in the US Pacific Northwest, so it makes sense that NordVPN connected me to a reasonably close server. When done, you can punch the Disconnect button.

Finally, there’s a hidden feature under the Disconnect button. You can disconnect from the VPN for a specified period of time. This is good if you have to access something over a local network, but want to make sure the VPN is turned back on after.

So, there you go. That’s how to use NordVPN. Let us know what you think in the comments below.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
Cybersecurity jobs: This is what we're getting wrong when hiring – and here's how to fix it

Cybersecurity expertise is in high demand. Faced with threats like phishing, ransomware and data breaches, businesses need information security staff on their teams to help protect their networks from attacks. While the intention to build and improve cybersecurity teams is there, recent research demonstrates how businesses often make mistakes when hiring, leading to difficulties recruiting and retaining IT security staff.

The number of unfilled vacancies doesn’t just make it harder for businesses to keep networks secure – it also has an impact on the people already working on cybersecurity teams, who are expected to do everything necessary to maintain network security, but with just a fraction of the required personnel.

That’s leading to burnout, making it much harder for people to do their jobs at a time when a growing need to secure remote workers is adding to their workload. In some cases, burnout means people could walk away from the industry altogether when their skills are needed most.

So why are organisations struggling to fill vacancies when there’s a workforce available, at a time when hiring cybersecurity staff is arguably more important than ever before? Because businesses often don’t understand what they’re looking for, leading to mistakes when trying to hire. Job adverts outside of cybersecurity come with requirements for the role, including experience and qualifications. Human resources departments are taking those templates and applying them to information security, which often doesn’t follow the same stringent requirements for qualifications.

It’s possible to be highly qualified and highly experienced in cybersecurity without formal qualifications, yet many businesses attempting to hire security staff see qualifications and certifications as a requirement.

Alyssa Miller, a business information security officer and public speaker on cybersecurity, has done extensive research into hiring practices in the industry, as well as presenting a TED talk on the issue. She says almost three-quarters of entry-level job vacancies she looked at ask for a Certified Information Systems Security Professional (CISSP) certification, something which takes years of training, costs money to take an exam – and isn’t realistic for someone looking for their first job in the industry. “Of the supposed entry-level job descriptions that I looked at, 71% of them call for a CISSP. That’s not entry-level, because you have to have five years of experience to get a CISSP,” says Miller.

    In some cases, companies are advertising to fill internship positions – something that in usual circumstances allows people to learn on-the-job while also helping the company. However, even when it comes to advertising for internships in cybersecurity, there are adverts that require an applicant has five years of working in the field. People with years of professional experience are being asked to take jobs for little or even no pay. “If you have five years of experience in cybersecurity, you’re not an intern anymore, you’re an advanced professional at that point – do you think you’re going to get a five-year veteran in cybersecurity for intern pay? No, of course not,” says Miller. SEE: The cybersecurity jobs crisis is getting worse, and companies are making basic mistakes with hiringCybersecurity involves a particular set of skills, which people have put in time and effort to learn. The nature of the industry means that, when it comes to skilling up, many information security professionals have ended up in the career path because of a keen interest in cybersecurity – and some are self-taught, showcasing the aptitude required to succeed, even if they don’t have any specific certifications. That can be confusing for human resources departments, which are used to viewing and hiring applicants based on the candidate having certain qualifications that information security people might not have. Someone could have years of experience in the industry, but if HR doesn’t see what they perceive as the correct qualifications, their application could be discarded, despite the hands-on experience. Cybersecurity, in short, is following the same pattern as other careers in computing and technology before it. 
    “We went through all of that with software engineering 10 years ago and now cybersecurity is right at that point,” says Adam Enbar, CEO and co-founder of Flatiron School, which teaches on-campus and online bootcamps in software engineering, data science and cybersecurity. “You have employers who are hiring but they don’t really know what they’re hiring for, and they don’t even know what to look for.”

    This doesn’t just come down to expecting experienced professionals to work for little or nothing; some businesses simply have unrealistic expectations around what’s required for the job. In addition to requiring certifications, it isn’t uncommon to see job adverts asking for lengthy experience in disciplines that have only existed for a few years. “Job descriptions have got to get better. They need to be focused on the right things – they can’t be asking for 10 years of Kubernetes experience when Kubernetes has only existed for six years. There are plenty of examples of those job descriptions out there that do silly things like that,” says Miller.

    Then there’s the issue of timing. Some companies go on major hiring sprees in the aftermath of a major cybersecurity incident, or because they fear becoming the next victim of a massive data breach, ransomware campaign or other cyberattack. In this scenario, the hiring companies want instant results from cybersecurity professionals with years of experience in a security operations centre (SOC). “Most postings are written for people with five to 10 years of experience. This happens because employers often begin to invest and dedicate time to hiring cybersecurity professionals when they’re facing a crisis – at which point, you don’t want someone with minimal experience, you need someone with experience to come and clean up very fast,” says Christine Izuakor, founder and CEO of Cyber Pop-up, a company that provides on-demand cybersecurity services, and a cybersecurity instructor for Udacity.
    A better strategy than panic-hiring cybersecurity personnel after an incident is to have them on staff to begin with: people who know the company well and can help prevent incidents from occurring in the first place, or can react in the right way if something goes wrong. “The solution is for organisations to be more proactive in finding these individuals to build a cybersecurity team, instead of just waiting for a cyberattack or other security crisis to happen. In doing so, employees have time to learn and grow into roles,” says Izuakor.


    That’s going to require a change in attitude around hiring. Companies can’t expect experienced cybersecurity professionals to materialise out of nowhere and accept an entry-level salary. Businesses need to accept that they must begin hiring people at the very start of their careers. While those people have less experience, they can learn on the job and, if taken care of, can be a positive investment for an organisation, even if they don’t have any technical qualifications to begin with.

    In her TED talk, Miller explains how someone like a barista could have the skills needed to thrive in a cybersecurity career. Baristas juggle many tasks at once while making and serving coffee, so why couldn’t that experience transfer to a security analyst role? “I’m looking for somebody who’s really good at taking those multiple inputs, like a barista – they can take that myriad of things that comes at them, and synthesise that into tasks and then prioritise and execute on those tasks. That’s what I ask a SOC analyst to do,” she says.

    By widening the search for cybersecurity staff in this way, organisations have a better chance of diversifying the workforce, which can improve cybersecurity for everyone by bringing different viewpoints into the room and by making teams better able to respond to new threats and issues. “Organisations need to look at recruiting individuals who come from a variety of backgrounds, and can adapt to the growing threat landscape and new challenges. A versatile workforce will assist in battling any cyber threats and maturing current cyber capabilities,” says Izuakor, who adds that investing in training these employees is also key. “Due to the pace at which technology is evolving, constant development of talent is critical. By implementing a robust training and upskilling program, individuals are given the opportunity to learn and progress in their own careers while organisations can get ahead of the growing competition in the industry by building up internal talent.”

    Cybersecurity is a vital part of modern business, so businesses should invest in hiring the right people. Demanding five years of experience for an entry-level role isn’t going to work, and neither is a tick-box exercise of demanding particular qualifications in an industry famous for people joining in unconventional ways, and where new threats mean new skill sets are always required. Businesses need to think ahead when it comes to cybersecurity hiring. Recruitment isn’t something to be done just to patch things up after an incident; it’s a major part of running a business and should be treated as such. That’s why hiring the right people and treating them with respect and care is necessary. Get it wrong, and your existing cybersecurity team could burn out and walk away, and the only people who will benefit are cyber criminals.


    Cloud and security certifications for Google, Windows, AWS and more lead to highest-paying IT positions

    IT training company Global Knowledge has released a ranking of the 15 top-paying certifications in 2021 based on the responses of 3,700 US-based respondents, finding that some Google, AWS and Microsoft certifications often led to six-figure salaries. Number one on the list was the Google Certified Professional Data Engineer, which the survey found can bring in $171,749. Google Certified Professional Cloud Architect was next on the list with a salary of $169,029, followed closely by AWS Certified Solutions Architect – Associate holders, who bring in $159,033.

    CRISC, CISSP, CISM, PMP, CISA, MCSE, CompTIA Security+, CCA-V and other certifications also made the list, with salaries ranging from $110,000 to $151,000. Certifications for Azure, Cisco, Nutanix and VMware were featured as well. The company surveyed US IT workers from November to February this year and only included certifications that received at least 68 responses. The researchers behind the study noted that many of the top-paying certifications relate to cloud computing and cybersecurity. ITIL Foundation is the most widely held certification, the survey found. More than 65% of IT leaders said the annual economic value of a certified employee’s additional skills and contributions over a non-certified employee is over $10,000, while another 22% put the annual value at $25,000 and above. “Technology is only as powerful as the capabilities of the people trained to use it,” said Michael Yoo, general manager of technology & developer skills at Skillsoft, which owns Global Knowledge. “With this in mind, certifications are an excellent way of infusing vital skills into an organization, while boosting employee productivity and investing in ongoing professional development.”

    More than 75% of IT leaders said they struggle to find employees who match the skills they’re looking for, particularly now that hacks and technology-related outages have become more commonplace and damaging, Yoo explained. Yoo added the certifications on the list are all accredited by industry-leaders, including AWS, Cisco, Google Cloud, ISACA and Microsoft. 

    Yoo told ZDNet that project management and virtualization are perennial entries on this list, which he said is not surprising given how mission-critical those skills are. “With virtualization, it is the technical backbone of any modern technical infrastructure that hopes to run efficiently at scale, and it’s essential whether you are working on-premises, in the cloud, or in a hybrid of both,” Yoo said. “The no. 1 reason mentioned by IT professionals who changed jobs and why organizations who support continuous learning/upskilling will have an easier time attracting and retaining talent while deriving more value from their employees. If IT professionals don’t see a future with your company, they’ll leave.”

    This was backed up by the findings of the survey, in which 52% of respondents had two to four positions they were unable to fill in the last 12 months. Yoo noted that the pandemic has accelerated cloud adoption and made it clear that enhanced digital security measures have become fundamental to business operations. “Cybersecurity risks paired with the high rate of skills gaps and growing talent wars, you can understand why organizations are willing to pay higher salaries to skilled IT professionals who can protect them,” Yoo said. “In regards to cloud computing, worldwide end-user spending on public cloud services is forecast to grow 23.1% in 2021 to total $332.3 billion, up from $270 billion in 2020, according to Gartner, Inc. The crisis was a catalyst for establishing the value and flexibility of cloud computing. However, with cloud adoption, IT now faces the challenge of finding skilled talent.” IT departments, Yoo explained, are now investing more in hiring externally or upskilling employees with the necessary certifications.


    How does Surfshark work? How to set up & use the VPN

    The acronym VPN stands for virtual private network. Those three words say a lot about how a VPN works. Start with network: VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent eavesdroppers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires; instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired).

    What a VPN actually does is take the data you send out over the Internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted and then forwarded to, say, Google or Netflix. Surfshark, the service discussed here, has more than 3,200 servers across the world. In the other direction, the VPN takes data from a server on the internet, encrypts it on one of Surfshark’s servers, and sends the encrypted data to your computer, which decrypts it when it arrives.

    This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels and schools: the only thing anyone on the local network can see is an encrypted stream to the VPN server. The caveat is that the protection covers only the hop between you and the VPN server. The provider can see whatever was not already encrypted end to end (for example by HTTPS), so a VPN moves trust from the local network to the VPN operator rather than removing the need for trust. Because your traffic leaves from the VPN provider’s server (which, for Surfshark, can be in your choice of 65 countries), the destination sees the location of that server rather than yours. That’s how VPNs obfuscate your location. Although it may breach a service’s terms of use, and in some places the law, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more importantly, activists and those concerned about stalkers use it to hide their location for their personal safety.

    OK, so with that introduction into how VPNs, and specifically Surfshark works, let’s look at how to set up and install Surfshark. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

    Servers: 3,200
    Countries: 65
    Simultaneous connections: unlimited
    Kill switch: yes
    Logging: no
    Best price: $59.76 for 24 months ($2.49 per month)
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, macOS, Windows, Linux, Fire TV

    Installing Surfshark

    Let’s get started. Point your browser to Surfshark’s website and click the Get Surfshark button. Next, choose a plan. If you’re planning on using Surfshark for more than five or six months, you might as well sign up for the two-year plan, since it’ll be about the same price as going month-to-month. Remember, there is a 30-day money-back guarantee. We strongly recommend you test everything you think you might want Surfshark to do in that time, to decide if this is really for you. Surfshark does have an upsell, for antivirus and account monitoring. It’s up to you whether you want to sign up for it; we’re only covering the VPN-related features in this tutorial. Once you’ve completed the sign-up process, go back to the Surfshark.com home page and log in. You’ll land on the main account page. We’re installing Surfshark for Windows, so we’ll click the Windows download button. Once it downloads, hit Open File and let Windows know you did that on purpose.

    Starting Surfshark

    Next, log into the program using the same credentials you used to sign up for your account. You’ll get a welcome message to start. Before you see the main interface, you’ll be given a number of configuration options. The main decision to make now is whether you want your Internet connection to run through Surfshark as soon as you boot up. If you always want the connection over a VPN, turn this on now.

    Using Surfshark

    With that, you’re ready to use Surfshark. Unless you’re trying to spoof your location or surf as if you’re in another country, your best results will come from clicking Fastest Server. That starts the connection. My fastest connection was in Bend, Oregon. Since I live in Oregon, that makes sense. There’s a pie shop in Bend that makes the best grilled cheese sandwich I’ve ever had. Unfortunately, Bend is a few hours from here by car, so I’ve only had that sandwich once. But a boy can dream, can’t he? So, that’s it for the basic operation of Surfshark. To end a connection, just click the Disconnect button. Next, let’s look at a few settings.

    Checking Surfshark’s settings

    You can access the Settings menu in the lower-left corner. The other icons on the left dashboard panel are for the antimalware and identity scan upgrades Surfshark offers. For now, let’s tap the gear icon. Here you can get to your account and plan information. Scroll down, because that’s where the useful settings live. You can change the language used and turn on dark mode, but what we’re focusing on is the Connectivity and Advanced menus.

    The Connectivity settings pane is where you should pay the most attention. You can decide to launch Surfshark on login and, once again, here’s the button that lets you decide whether to auto-connect when you log in. Further down is the most important option: Killswitch. This is critical because if you’re connected and counting on VPN security and that VPN connection drops, you don’t want your computer to silently fall back to the normal network path and send data in the clear. A kill switch blocks all traffic that is not going through the tunnel, so a dropped connection means no connectivity rather than an unprotected one. Make sure to turn on Killswitch whenever you need to stay secure.

    Next, let’s look at the Advanced pane. The NoBorders option normally comes on when necessary; it is Surfshark’s mode for connecting from networks that try to block VPN traffic. At the very bottom of the Advanced pane, you’ll see Speed test, which lets you run connection tests for various regions. Here, I clicked Run Test and the feature gathered data on servers in Europe.

    So, there you go. That’s how to use Surfshark. Let us know what you think in the comments below.
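    The kill switch described above is something Surfshark’s client implements for you on Windows. For readers who want to see what the mechanism actually is, here is an added example of the same idea expressed as a Linux nftables ruleset. This is not Surfshark’s code and not taken from the article; the interface names (eth0, tun0), the VPN server address 203.0.113.10 (a documentation-range address) and port UDP/51820 are placeholders and would need to match your own client’s configuration.

```nft
#!/usr/sbin/nft -f
# Added example: firewall-level VPN kill switch for Linux (nftables).
# Not Surfshark's code. Placeholders: physical interface eth0, tunnel
# interface tun0, VPN endpoint 203.0.113.10 UDP/51820. Adjust to your setup.
#
# Without this table ("kill switch off"), nothing stops the kernel from
# using the plain default route on eth0 the moment tun0 goes away, so
# traffic leaks in the clear. With it, the only packets allowed to leave
# eth0 are the encrypted tunnel packets themselves.

flush ruleset

table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback and the tunnel may carry anything (including DNS,
        # which must also go through tun0 to avoid a DNS leak).
        oifname "lo" accept
        oifname "tun0" accept

        # On the physical interface, permit only the encrypted tunnel to
        # the VPN server, plus DHCP so the link itself stays configured.
        oifname "eth0" ip daddr 203.0.113.10 udp dport 51820 accept
        oifname "eth0" udp sport 68 udp dport 67 accept

        # Everything else (IPv4 and IPv6, since this is an inet table)
        # falls through to the drop policy.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        iifname "tun0" accept

        # Replies to the tunnel packets and DHCP we sent above.
        ct state established,related accept
    }
}
```

    Load it with `nft -f killswitch.nft` before starting the VPN client, then verify the behaviour the article warns about: bring the tunnel down and confirm that a request such as `curl https://example.com` fails instead of succeeding over eth0. Note that the IPv6 case is handled only because the table is of family inet; a table of family ip alone would leave IPv6 traffic unfiltered, which is a common way kill switches leak.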
