Slashdot Mirror


How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."

8 of 179 comments

  1. More H1B's anyone? by johanw · Score: 5, Insightful

    It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.

    1. Re:More H1B's anyone? by swb · Score: 5, Insightful

      My first thought was how can businesses possibly be considered to be taking IT security seriously when their first and only impulse is how to do things even cheaper than they do now?

      I'm still amazed at the dichotomy between shaving pennies and then the utter panic when there is downtime or a security breach. If it's so important that you basically can't do business without properly functioning IT systems, then why is it treated as if they don't want to spend money on it? Do they really think it's free?

      H1Bs are of course just one example of this mindset.

    2. Re:More H1B's anyone? by phantomfive · Score: 5, Insightful

      When was the last time your agile sprint gave you time to look for security problems?
      When was the last time any manager told you to look for security problems?

      That's why we don't have secure software.

      --
      "First they came for the slanderers and i said nothing."
  2. Fund education, talk to educators by AHuxley · Score: 4, Insightful

    Talk to university and vocational education staff around the USA. Tell them what you need.
    Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.

    People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
    That's not good for US security.
    It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
    Help get US education to a good standard so US students can find work, or get further education to keep their skills up.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Fund education, talk to educators by Lumpy · Score: 3, Insightful

      "Talk to university and vocational education staff around the USA. Tell them what you need."

      They have... They want high skilled people that will accept very low wages and not complain about it.

      There are skilled people out there; the companies don't want to pay for them.

      --
      Do not look at laser with remaining good eye.
  3. Never shortages, or surpluses, only at arbitrary p by brian.stinar · Score: 4, Insightful

    You can have all the diamonds, gold, and tungsten you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing and start doing what you want them to do, if you pay them enough.

    Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction methods are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction and consumption costs. If they're already good at software development and building infrastructure, maybe a year?

    Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.

    When prices become high enough, I'll start bidding on security contracts. As it is, if companies would rather fill those positions with W2s, and not contractors, and leave the work undone.

    This title is seriously demonstrating a lack of economic knowledge.

  4. I have the answer and it is a SIMPLE answer. by Lumpy · Score: 5, Insightful

    Want to close the Cybersecurity gap? It is very easy.

    STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.

    This means the IT department on its own makes MORE than the CTO does. Yes, the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget, start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.

    InfoSEC that is effective is NOT CHEAP. Stop treating IT as the bastard red-headed step kids, and start treating them as the Mission Critical staff they really are.

    That and kick the CTO and CFO in the nuts; both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half-ass it by paying as little as possible have.

    These executives know this, they just don't want to do it, and until they start making executives personally responsible for data breaches, it will not change. Yes, personally responsible: if these assholes can get multi millions then they also deserve to carry all the personal financial risk.

    --
    Do not look at laser with remaining good eye.
  5. Re:Step One -- Stop Requiring Advanced Degrees by chill · Score: 3, Insightful

    Experience with any vulnerability scanner, really. Nessus, Qualys, Rapid 7, OpenVAS, whatever. The key is to learn how to interpret the reports, dig down into the results, and figure out what is really a problem and how to fix it.

    I'm happy to teach junior people, but if someone is claiming to be an experienced analyst or senior InfoSec specialist and just hands me a canned Nessus report, I'm going to be looking to replace you. I can schedule the default reports; I'm not willing to pay a premium to do that.

    While zero-day vulns and movie-plot hacks get all the attention and press coverage, the simple truth is that the vast majority of compromises happen due to improperly patched and misconfigured systems.

    If you can weed through a few hundred pages of scanner output to tell me which systems are missing what patches, as opposed to patched but needing a registry update or config change, that is valuable. Which are false positives and why? How can we prioritize what limited resources we have to get the most impact?

    Attention to detail and critical thinking I'll pay a premium for and vulnerability scanner output is a great place to demonstrate that. But keep handing me canned reports and I'll replace you with a script.

    --
    Learning HOW to think is more important than learning WHAT to think.
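The kind of triage chill describes above, as an added example that is not part of the thread or of any scanner vendor's tooling: a small Python script that reads a scanner-agnostic CSV export, sorts each finding into "missing patch" versus "config change" from its solution text, flags banner-only version checks against hosts known to backport fixes as probable false positives, and ranks what remains by severity and exposure. The CSV columns, the host inventory, the plugin numbers and CVE-0000-000x identifiers are all constructed for the illustration, and the keyword heuristics are assumptions that would be tuned to a real scanner's wording.

```python
"""Triage of vulnerability-scanner output: separate missing patches from
configuration fixes, flag probable false positives, and rank by exposure.

Added example. The CSV layout, inventory, plugin numbers and CVE ids are
constructed for this illustration and mirror no particular scanner's export."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export: one row per finding, scanner-agnostic columns.
SAMPLE_CSV = """host,plugin,severity,cve,title,solution,detection,exposure
web01,10001,4,CVE-0000-0001,OpenSSH < 7.4 multiple vulnerabilities,Upgrade to OpenSSH 7.4 or later.,banner,internet
web01,10002,3,,TLS 1.0 enabled,Disable TLS 1.0 in the server configuration.,credentialed,internet
db01,10003,4,CVE-0000-0002,Windows SMB remote code execution,Apply the security update from the vendor.,credentialed,internal
db01,10004,2,,SMB signing not required,Enforce message signing in the host's registry settings.,credentialed,internal
app02,10001,4,CVE-0000-0001,OpenSSH < 7.4 multiple vulnerabilities,Upgrade to OpenSSH 7.4 or later.,credentialed,internal
app02,10005,1,,SSH server type and version,No action required; informational.,banner,internal
"""

# Constructed asset inventory. Distributions that backport security fixes keep
# old version banners, so banner-only version checks against them often misfire.
INVENTORY = {
    "web01": {"os": "debian", "backports": True},
    "db01": {"os": "windows", "backports": False},
    "app02": {"os": "ubuntu", "backports": True},
}

# Assumed keyword heuristics; a real deployment tunes these to the scanner's wording.
PATCH_RE = re.compile(r"\b(upgrade|update|patch|install)\b", re.I)
CONFIG_RE = re.compile(r"\b(registry|configur\w*|disable|enable|enforce|setting)\b", re.I)
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}


def parse_findings(text):
    """Read the CSV export into dicts, coercing severity to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["severity"] = int(row["severity"])
    return rows


def remediation_type(solution):
    """Missing patch vs. configuration change, judged from the solution text."""
    if PATCH_RE.search(solution):
        return "missing patch"
    if CONFIG_RE.search(solution):
        return "config change"
    return "informational"


def false_positive_reason(finding, inventory):
    """Return why a finding is a probable false positive, or None if it looks real."""
    host = inventory.get(finding["host"], {})
    if finding["detection"] == "banner" and host.get("backports") and finding["cve"]:
        return "banner-only check on a backporting distro; verify installed package version"
    return None


def priority(finding, fp_reason):
    """Severity weighted by exposure; probable false positives are pushed down the list."""
    score = finding["severity"] * EXPOSURE_WEIGHT[finding["exposure"]]
    if fp_reason:
        score *= 0.25
    return score


def triage(text, inventory):
    """Annotate every finding and return them ranked, highest priority first."""
    out = []
    for f in parse_findings(text):
        fp = false_positive_reason(f, inventory)
        out.append({**f,
                    "remediation": remediation_type(f["solution"]),
                    "false_positive": fp,
                    "priority": priority(f, fp)})
    out.sort(key=lambda r: (-r["priority"], r["host"], r["plugin"]))
    return out


def patch_worklist(triaged):
    """Per-host list of confirmed missing patches (false-positive candidates excluded)."""
    work = defaultdict(list)
    for r in triaged:
        if r["remediation"] == "missing patch" and not r["false_positive"]:
            work[r["host"]].append(r["title"])
    return dict(work)


if __name__ == "__main__":
    rows = triage(SAMPLE_CSV, INVENTORY)
    for r in rows:
        flag = f"  [FP? {r['false_positive']}]" if r["false_positive"] else ""
        print(f"{r['priority']:4.1f} {r['host']:6} {r['remediation']:14} {r['title']}{flag}")
    print(patch_worklist(rows))
```

On the constructed data the internet-facing TLS 1.0 configuration issue ranks first, the two credentialed missing-patch findings follow, and the critical-looking OpenSSH banner hit on the Debian host drops near the bottom with a note to confirm the installed package version before anyone spends time on it. That last step is the point: the script does not decide the finding is false, it only tells the analyst where their attention is most likely to change an outcome.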