How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)
Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive:
The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.
The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
Mr. President, we must not allow a mineshaft gap!
It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.
One network port at a time.
All that is needed is APKs HOSTS file generator and APPS that are guaranteed safe from the Microsoft store. I don't know why people and businesses keep making things harder for themselves with their NIH syndrome.
Talk to university and vocational education staff around the USA. Tell them what you need.
Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.
People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
That's not good for US security.
It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
Help get US education to a good standard so US students can find work. Or get further education to keep their skills up.
Domestic spying is now "Benign Information Gathering"
Just start hiring the very nine-year-olds that are causing the breaches in the first place. Child labor laws are ruining this country.
I recently completed a 5 month (~800 hours) intensive cyber security training and am very sensitive to this issue and have been actively looking. Many companies are advertising for senior positions which of course is beyond the experience level of someone breaking into the field. It's very difficult to slant an application to these requirements. It seems that all of the senior people would already have jobs. Some advertise associate positions and pay crap wages. So someone who has been in s/w and specification development for many years would have a hard time accepting this kind of salary. I think one of the problems is that cyber security is a cost center and the execs don't realize that implementing good policies and mitigation strategies can be cost saving measures if/when their companies get attacked.
I put my penis
In his anus
in the springtime
but if you don't work on preventing fires, you can never have enough fire brigades.
That's it.
You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing, and start doing what you want them to do, if you pay them enough.
Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction method are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction, and consumption, costs. If they're already good at software development, and building infrastructure, maybe a year?
Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.
When prices become high enough, I'll start bidding on security contracts. As it is, if companies would rather fill those positions with W2s, and not contractors, and leave the work undone.
This title is seriously demonstrating a lack of economic knowledge.
Want to close the Cybersecurity gap? It is very easy.
STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.
This means the IT department on its own makes MORE than the CTO does. Yes the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget, start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.
InfoSEC that is effective is NOT CHEAP. Stop treating IT as the bastard red headed step kids, and start treating them as the Mission Critical staff they really are.
That and kick the CTO and CFO in the nuts, both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half ass it by paying as little as possible.
These executives know this, they just don't want to do it, and until they start making executives personally responsible for data breaches, it will not change. Yes personally responsible, if these assholes can get multi millions then they also deserve to carry all the personal financial risk.
Do not look at laser with remaining good eye.
Want cyber security? Go off line. Install pneumatic tubes and get lots of pens and paper. Can you trust anything not to be backdoored? We know all too well that these back doors, intentional or not, are not exploited by just the particular three letter agencies that may identify them.
No one in a far away land or Langley for that matter is gonna intercept paper sent in pneumatic tubes in the office and US mail for outside comms.
Stop using Windows.
Stop using unqualified, cheap foreign labor.
Make penalties for data loss attributed to hacking massive, and direct them at the board of directors, CEO, CFO, and CTO of any company.
Make geoblocking simple and easy to apply.
Enforce open source software standards to prevent the insertion of backdoors.
Enforce encryption, banning unencrypted website traffic (http).
Update by default.
How Can Businesses Close 'The Cybersecurity Gap'?
Business have no problems closing gaps !!!
campaigning for cuts to education so they can translate them into tax cuts. Then they can provide training, better pay and actual career paths. Why should anyone care about security in a job they're gonna have for 2 years before they have to leave to find better pay before inflation eats their earnings?
That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?
I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This. I haven't been to a conference in 19 years. I used to keep up with new things, but when I can't even take a single day off and have to work every weekend, there's no way I could get away.
We've had open security positions for five years without having a single qualified candidate apply. We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us. I'm currently trying to keep up with a little under four hundred developers that are constantly creating security problems like cross-site scripting and SQL injection vulnerabilities. I'm terrified what I'm missing since I'm always so tired and have more to do than I could possibly hope to do.
Make every US security position have some national standard.
If your company wants US customers invest in US staff that are cleared to work in the USA.
Cover contractors too and ensure most of the security staff have a full, legal background in the USA.
That would fund US tech education, make US education responsive to the needs of US tech firms and create jobs in clearing staff background work.
Not a criminal? Loyal to the USA? Not on social media doing things that are not legal?
That would open a path to study and low level security jobs. Study more, find more work and good wages.
Remove the ability to outsource or use one expert US worker to cover huge groups of workers in other nations.
Make computer security work like medicine. Select only the people who can work and make sure they can do the work.
Just like a hospital or any medical service, find the US tech staff with some education.
US workers with skills would find jobs, US educators would respond to the need for more staff and brands in the USA would have to hire real US workers.
Domestic spying is now "Benign Information Gathering"
Programming gets easier with increasing abstraction, thus allowing the engineering portion to grow, but the haphazard, ever increasing abstraction also grows the attack surface - and you can't abstract vulnerabilities away as you can abstract away simple programming tasks. To find exploits in a system, you first need to *know* *most* of the abstractions in and out in the first place.
Meaning abstraction makes security harder as there will be proportionally less people understanding the system compared to all participants in the system.
The gap will only widen under current arrangement.
It's a bit like keeping order in an unruly country by keeping a lot of policemen around, which simply isn't sustainable. The sustainable thing to do is to reform the unruly culture. In this case, have rigorous enforcement of security in abstractions to avoid the widening gap. This is extremely costly, but the only way to avoid the security deficit runoff when facing physical shortage to cope otherwise.
Quoth the article:
Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.
Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:
CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.
Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.
Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".
Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.
Learning HOW to think is more important than learning WHAT to think.
Would that be a "tertiary school?" That's usually a pejorative term.
We don't even care about the security of elections and you want corporations to care??
post-secondary schools what about tech schools??
No, the HR people just pass them over, but if you went to the theory loaded schools you get passed in, and then the hiring people say they don't know anything, and then the HR starts the H1B want ads.
Translation: We don't want to spend money and time on university graduates and probably don't want to pay market price for experienced personnel.
The US has 'everybody must code' promotions, why not 'everybody must penetration test' promotion? US Businesses can also complain that no-one teaches penetration testing and the government doesn't pay for penetration tester training. The answer is the same: Industry involvement; a task force sets the requirements for teaching and partners with some institution to provide it. If industry really wants employees, there's the skilled visa option (which is a very indirect form of government welfare), or horror; the traineeship.
This has happened to the job of financial clerk: In the past one did accounting and learnt to be a financial clerk on the job. Now, one has to pay for a $6,000 diploma before sending in a resume.
1) Pay a good salary.
2) Seriously consider remote workers.
3) Hire more than one person.
4) Consider people who are outside the "security" realm. A lot of sysadmins have to do security by default and know just as much about it as a person with the cert.
I was a security specialist for embedded systems at a few big companies for the last few years. Honestly, there's too much work and the pay isn't any better. I went back to building software (albeit security related). Pay more, and I might have stayed. It's annoying to hear about this labor shortage in security and all I see is more work but not more pay. So, I left! It was a great move.
If they had enough staff? Would they even make the effort that is required to transform infrastructure, operations, and the business to create a defensible enterprise?
here we go again..
Step 1 - Exclaim shortage of some IT skill in the media (and of course don't raise compensation to the market clearing rate or train anyone)
Step 2 - Send to same media various disaster stories and threats to civilization due to said 'shortage'
Step 3 - Lobby congress for Visas from some third world country (probably India, but could be elsewhere)
Step 4 - Get rid of all your Americans currently in the roles (hey, they were useless anyways!) and replace with cheaper said visa workers
Step 5 - PROFIT!
Just create evidence based awareness. Make sure that users understand the risk that's involved in using office files or using Adobe software. Those 2 points alone would help a great deal.
How exactly do you prove someone wrong by asking irrelevant questions?
Do I prove you wrong here by asking why you wanted to kill the president?
And don't be so cheap.
Install smoke alarms? But we've never had a fire!
Seems like they just want to hire experienced security professionals directly out of undergrad programs and are confused why this isn't happening.
With all those long unfilled positions, one wonders how long it would take to train a person with a reasonably useful background.
Before a white hat, you have to be a grey hat.
However this is all highly illegal these days.
And yes, I admit to having broken into some U.S. Air Force computers just to look around, back before there were "criminal trespass" laws, and it became illegal as hell to "go in and look".
Perhaps you'd have more security experts available, if they'd already learned to think like a grey hat by doing.
You really have to think somewhat sideways or slantwise in order to know how to look for security holes, so that you can then plug them. Because most holes are in the gaps between what systems are intended to do, and what you can actually make them do instead.
Obviously, you have the spools to look at, but the point is that most cyber security concerns can easily go away by not upgrading to a new system that no lay-person knows how to use every few months, especially IoT stuff. It's geeks trying to look special by having the latest tech only they know how to use, but are secretly YouTubing how to use it all. Because, we all know the hot girl in the office is clearly a sapiosexual. Dance monkeys DANCE! Besides, it's frightening how many places use the default login and password for stuff and the millions of identities stolen because of it. I'm probably going to tell this wrong since I haven't heard the story in a while, but I knew a guy that could get into a particular hospital's PowerShell and change file permissions. That's the kind of security work he did for a living. He called their IT department to warn them to change their setup, but they snickered and said they knew about it. There's your cyber security gap. The narcissistic laziness of the average "work smarter, not harder" IT guy and when you can't bedazzle with brilliance, you baffle with bullshit. An interesting example is one from 1962 to 1977 in which the combination to a nuke's PAL was 00000000, and I guess someone thought it was funny to have most BT devices default password as 0000.
Ur mom.
I work cyber security for a large organization and my hardest problem is selling the importance of what I do. Upper management seems to write off realistic threat vectors and attack profiles as "Jason Bourne shit" even though they are probably the reason we will get owned if we haven't already. My own management tries to work me to the bone. I've tried to set aside a few hours each week for professional self-development related to our environment by doing research into emerging vulnerabilities, threat vectors, and trends that relate to my environment, and every time my direct manager sees me doing that or asks what I'm doing he comes up with some busy work that he needs me to do immediately and fobs off what I'm doing as unimportant and tells me I can do it in my own non-existent spare time.
This also flows back into what the article hit on and that's hiring. I'm expected to do the job of 3-4 workers. They want me to do a full analysis of all log files before lunch and then work on whatever project they want me to get on plus deal with whatever comes up. My team also has to cover down on help desk support when the help desk gets behind. Cyber security is an afterthought and the urgency of filling positions is laughable to management. I'd honestly rather have a brand new grad with zero experience that I can have handle things like log file analysis so I can work on more experience-required tasks and I can hopefully nurture the new worker into something useful.
The typical management approach to cyber security is mostly reactive, from what I've seen. Isn't cyber security supposed to be proactive? I know the military doesn't start setting up defenses of a base in a combat theater AFTER they've been attacked, so why do we?
Perhaps we should talk. I've been working in and around security for 20 years. Currently I develop a scanner which competes with Nessus and Rapid 7. We run comparison scans comparing our product to those two weekly. Where are you located?
That's the difference - his questions are relevant, yours isn't.
The problem is not the lack of security people. The problem is the lack of willingness to do anything to be secure until it's too late. My entire security career has been made up of reporting on vulnerabilities, while fielding demands to exclude this, that, and the other from anti-virus scanning and patching. Then when a big threat pops up, it's, "Oh my gawd! How did this happen". The industry doesn't need more security analysts, it needs to perform the tasks already part of its policy.
A security professional is the person who has to argue with management that the cheapest hardware and software are insecure, then has to somehow make them secure after management ignores everything they said, then gets the blame when the company's systems get hacked.
Basically, they're hired on as the red headed stepchild, then ushered out as the scapegoat.
Why the fuck would anyone in their right mind want that as their career?
The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with.
The fundamental problem with business computer security is that businesses (and their executives) don't really value security. First, they won't pay for it. If you ask them to buy any security products, they want to buy the cheapest one. If you ask them to pay for a security product that isn't 100% necessary, they'll say no. If you ask them to hire a security expert, they'll complain about that expert's salary. If you present them with a security audit that includes a lot of problems, they won't fund the project to fix those problems.
But almost as importantly, the executives will place their own convenience at a higher importance than security. I've seen CEOs order that they be exempted from password requirements because they use their child's first name for every password on every service and computer, and they don't want to have to remember a different password. I've seen executives refuse to make multi-factor authentication mandatory because they, personally, find it annoying to use. I've seen executives insist that they can't have any kind of antivirus product installed on their computer, because it would supposedly slow them down too much. If a company's management refuses to have reasonable security policies placed on them, it creates a gaping security hole.
If you want businesses to have better security, the first step is to convince them that they need to fund security and make it a priority for the whole company.
The solution is very simple - open more entry level CyberSecurity jobs that have no experience requirements. Just look for training and let them cut their teeth. Allow recent grads and career changers to switch careers into CyberSecurity and let them rock for you.
The idiotic belief that an empty chair is more effective at solving CyberSecurity problems than a rookie needs to go away fast.
Cyber Command is just getting ramped up, but trained soldiers are already becoming available as they choose to not re-enlist. This is a source of non-college educated trained professionals we did not have in the past that make ideal watch-floor admins who are coming from all of the services. Most of them are going on to college after their service, you can try catching them before, after or during college.
I have two masters degrees, one in cybersecurity and one in analyst. And I am told I do not have enough skills for a cybersecurity opening.
Start holding upper management and their bonuses accountable.
Otherwise it is going to take regulatory action to force companies to maintain a minimum level of security.
People just don't care until disaster hits.
In every other industry, trade, or profession, in the entirety of human history, labor shortages have been solved in a fairly standard way - offer enough money to attract the best candidates. I wonder how the "cybersecurity" industry will handle this crisis?
1) Stop Outsourcing
2) Hire qualified IT personnel
3) Fire anyone in IT who doesn't have security focus
4) Fire any developers, who focus in security development and who don't have security focus
5) Make sure your CTO is an expert and qualified
6) Allow training for all in house IT and development staff
7) Pay your staff properly so they want to do a proper job
8) Don't allow BYOD, IT controls the devices, not the end user
9) Lock down your infrastructure and design it properly for security
This isn't a hard problem. Companies need to be willing to better reward their security staff so more people will be interested in getting into the field and less apt to walk.
Slashdot and Techdirt both have bunchteen stories about security researchers being threatened with $$$ lawsuits for revealing vulns in corporate software.
Does that behavior sound as if businesses really want/need security people? I'm sure it's a big encouragement for students to go into security so they can add lawsuits to their student debt.
Management. They're not willing to pay for someone(s), they don't want to listen to the answers, and then they complain about the cost.
When something happens, instead of putting what was tailored for them in place, they go so overboard that it interferes with the employees' ability to do work.
And then they point to that, and say they can't afford that, again.
Remove Microsoft Windows and the Intel chipset from anywhere on your network ..
"It is very hard to get a business manager to understand something, when his salary depends upon him or her not understanding it."
In their fervent desire to not spend money, business managers forget ECON 101, the Laws of Supply & Demand, Capitalism, and For Every Action There Is An Equal And Opposite Reaction (Newton's Third Law).
Simply amazing!
I have a CS masters degree with a concentration in information security assurance. I find better opportunities as a full stack web developer with emphasis on the front end.
>You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor.
Yes, it is the same: you cannot have all you want in a finite pool if you want more than the size of the pool.