

How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."

3 of 179 comments

  1. Does your business even NEED to be digital? by Khyber · · Score: 3, Informative

    That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?

    I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  2. Step One -- Stop Requiring Advanced Degrees by chill · · Score: 4, Informative

    Quoth the article:

    First, from a hiring perspective, the trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing.

    Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.

    Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:

    CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.

    Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.

    Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".

    Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.

    I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.

    For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Step One -- Stop Requiring Advanced Degrees by geek · · Score: 3, Informative

      I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.

      This is the CEH (https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/) and OSCP (https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/)

      CISSP is a pile of shit. It's a management certificate, nothing else. A monkey can pass that test and, judging by the CISSPs I know, frequently do.