How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)
Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive:
The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.
The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
Mr. President, we must not allow a mineshaft gap!
It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.
One network port at a time.
Talk to university and vocational education staff around the USA. Tell them what you need.
Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.
People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
That's not good for US security.
It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
Help get US education to a good standard so US students can find work. Or get further education to keep their skills up.
Domestic spying is now "Benign Information Gathering"
You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing, and start doing what you want them to do, if you pay them enough.
Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction methods are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction and consumption costs. If they're already good at software development and building infrastructure, maybe a year?
Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.
When prices become high enough, I'll start bidding on security contracts. As it is, companies would rather fill those positions with W2s, not contractors, and leave the work undone.
This title is seriously demonstrating a lack of economic knowledge.
Employers are always looking for five years of experience in a technology that came out six months earlier. Yes, Virginia, IT is regarded as a cost center by most bean counters.
Want to close the Cybersecurity gap? It is very easy.
STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.
This means the IT department on its own makes MORE than the CTO does. Yes, the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget, start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.
InfoSEC that is effective is NOT CHEAP. Stop treating IT as the bastard red-headed stepkids, and start treating them as the Mission Critical staff they really are.
That, and kick the CTO and CFO in the nuts; both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half-ass it by paying as little as possible have.
These executives know this, they just don't want to do it. And until they start making executives personally responsible for data breaches, it will not change. Yes, personally responsible: if these assholes can get multi-millions then they also deserve to carry all the personal financial risk.
Do not look at laser with remaining good eye.
Any type of infrastructure management is NEVER a cost center. It can easily be charged back to the user(s) of the infrastructure as a cost of doing business. So if a company always looks at IT management as a cost center, then they are doing their books wrong, as they can easily charge back the cost to the users of the infrastructure.
Stop using Windows.
Stop using unqualified, cheap foreign labor.
Make penalties for data loss attributed to hacking massive, and direct them at the board of directors, CEO, CFO, and CTO of any company.
Make geoblocking simple and easy to apply.
Enforce open source software standards to prevent the insertion of backdoors.
Enforce encryption, banning unencrypted website traffic (http).
Update by default.
AC "senior positions" is code for one person who can sign off on any city, state or federal/mil project while the majority of the project is done at a low cost outside the USA.
That will be their made in the USA public face if they ever have to face congress for hours of questions.
Any questions will be taken back to their team.
Multinational brands do that a lot. Just enough expert staff in the USA to comply and win contracts.
They don't need or want low or mid level US staff if most of the work can be done outside the USA and then sold back into the USA for US wages.
campaigning for cuts to education so they can translate them into tax cuts. Then they can provide training, better pay and actual career paths. Why should anyone care about security in a job they're gonna have for 2 years before they have to leave to find better pay before inflation eats their earnings?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
That's just a left handed way of asking that all candidates be good bullshitters. I just consider: I do have more than five years experience claiming experience that I don't have, decades, if you get down to it.
5 years at something six months old...translated...tell me 'sweet little lies', but no big ones (stern voice).
It's one of the more honest things employers put in job ads. It's one of the most basic things you can just have or not (effective bullshitting). It would suck to find it was a job requirement after you relocate.
Fortunately my bullshit is deep, when needed. I'd rather not, but what did the dude in team America say?..'I promise that I will never die'...no choice really.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?
I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
That's just a left handed way of asking that all candidates be good bullshitters.
It's a right handed way for technology companies to claim to the government that they can't find qualified Americans to hire and need to hire foreign workers instead. Never mind that foreign workers are any more qualified than American workers.
I've seen them capitalize IT. Called the entire expense system R&D. For about a decade, then sold the place, the worthless 'steaming pile' of software and the loan, to an even bigger group of vultures.
I think I personally lasted about two years...undeleting files off the state regulators scratch floppy disk when asked to print a file...good times. Never found anything I could trade on, just more sleaze, and the real dirt on 'the partners'.
Make every US security position have some national standard.
If your company wants US customers invest in US staff that are cleared to work in the USA.
Cover contractors too and ensure most of the security staff have a full, legal background in the USA.
That would fund US tech education, make US education responsive to the needs of US tech firms and create jobs in clearing staff background work.
Not a criminal? Loyal to the USA? Not on social media doing things that are not legal?
That would open a path to study and low level security jobs. Study more, find more work and good wages.
Remove the ability to outsource or use one expert US worker to cover huge groups of workers in other nations.
Make computer security work like medicine. Select only the people who can work and make sure they can do the work.
Just like a hospital or any medical service, find the US tech staff with some education.
US workers with skills would find jobs, US educators would respond to the need for more staff and brands in the USA would have to hire real US workers.
Programming gets easier with increasing abstraction, thus allowing the engineering portion to grow, but the haphazard, ever increasing abstraction also grows the attack surface -- and you can't abstract vulnerabilities away as you can abstract away simple programming tasks. To find exploits in a system, you first need to *know* *most of* the abstractions in and out in the first place.
Meaning abstraction makes security harder, as there will be proportionally fewer people understanding the system compared to all participants in the system.
The gap will only widen under current arrangement.
It's a bit like keeping order in an unruly country by keeping a lot of policemen around, which simply isn't sustainable. The sustainable thing to do is to reform the unruly culture. In this case, have rigorous enforcement of security in abstractions to avoid the widening gap. This is extremely costly, but the only way to avoid the security deficit runoff when facing a physical shortage of people to cope otherwise.
Could be, if part of a long, very specific purple unicorn type list. Those jobs are easy to recognize.
If part of a more normal required skills list, it translates as: 'Provide bullshit as needed. No dogooders.' Believe me, I know how to spot those jobs...
As such, you want the best possible service for the lowest possible cost.
I once worked at a Fortune 500 company that insisted that the help desk provider "double the performance for half the cost" as the primary metric. Last I heard they went through six help desk providers, downsized from 30 people to a half-dozen, and still haven't met that metric..
Quoth the article:
Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.
Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:
CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.
Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.
Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".
Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.
Learning HOW to think is more important than learning WHAT to think.
"That's just a left handed way of asking that all candidates be good bullshitters."
Which is exactly the kind of people required for "cybersecurity" anyway.
There are only two kinds of "cybersecurity":
1) Passive, after the fact, which you will find in Microsoft shops. This kind of "security" is based on buying and more or less implementing the "securi-crap" programs and appliances from the vendor with the highest marketing budget. For that you don't need "cybersecurity experts"; any Windows monkey with a bit of specific training will do that.
2) Effective ground-up security. For this you don't need "cybersecurity experts" either, as security is built in from the blueprints on. Then you need just "seasoned professionals" that know their stuff.
In any case, the dedicated cybersecurity staff is nothing more than dead weight that thrives by being good bullshitters, so no wonder recruitment is specifically looking for them.
"We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us."
Taking advantage of yours!!!???
You mean they used your systems to find a new employer and hacked their systems so they got more than they deserved?
Why didn't you sue them to hell!!!???
Or was it that, as you were paying quite a bit below market rates, your trainees didn't have any problem finding someone else paying better than you?
Post-secondary schools? What about tech schools?
No, the HR people just pass them over, but if you went to the theory-loaded schools you get passed in, and then the hiring people say they don't know anything, and then HR starts the H1B want ads.
1) Pay a good salary.
2) Seriously consider remote workers.
3) Hire more than one person.
4) Consider people who are outside the "security" realm. A lot of sysadmins have to do security by default and know just as much about it as a person with the cert.
Even in the best of setups, you need someone to monitor the intrusion detection and test patches and updates. Effective 'ground up security' requires extra granularity of permissions. This has a cost as well, even done efficiently.
And it's all worthless if someone lets a stranger tailgate past a card reader and that stranger finds a logged in machine he can plug a rubber ducky into. So add in the cost of real physical security. Don't forget that background checking the janitorial staff isn't free.
Many companies are advertising for senior positions, which of course is beyond the experience level of someone breaking into the field. It's very difficult to slant an application to these requirements.
If it's not a pretty large company or a specialized security firm, they don't know what skill set they're looking for so they go way overboard on the listed qualifications.
It seems that all of the senior people would already have jobs.
Yep, and why would they want to work somewhere as the token security person anyway, when they could be somewhere with a budget and people who listen to their recommendations?
My personal feeling is that companies should train their own people but--let's be honest--they wouldn't pay them what they're worth at that point anyway.
The Daddy casts sleep on the Baby. The Baby resists!
here we go again..
Step 1 - Exclaim shortage of some IT skill in the media (and of course don't raise compensation to the market clearing rate or train anyone)
Step 2 - Send to same media various disaster stories and threats to civilization due to said 'shortage'
Step 3 - Lobby congress for Visas from some third world country (probably India, but could be elsewhere)
Step 4 - Get rid of all your Americans currently in the roles (hey, they were useless anyways!) and replace with cheaper said visa workers
Step 5 - PROFIT!
This attitude is why companies no longer train people. Paying people a large salary for months while they're not productive then having them backstab you is why companies stop training people.
Well there are really only two problems when it comes to training:
1) You train your people and they leave.
2) You don't train your people and they stay.
Number one is much better. Much better.
Just create evidence-based awareness. Make sure that users understand the risk that's involved in using Office files or using Adobe software. Those two points alone would help a great deal.
We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us.
The moral is that it doesn't matter if you trained them or not; pay them what they are worth. The companies they went to seem to have solved their staffing problems.
And don't be so cheap.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Before a white hat, you have to be a grey hat.
However this is all highly illegal these days.
And yes, I admit to having broken into some U.S. Air Force computers just to look around, back before there were "criminal trespass" laws, and it became illegal as hell to "go in and look".
Perhaps you'd have more security experts available if they'd already learned to think like a grey hat by doing.
You really have to think somewhat sideways or slantwise in order to know how to look for security holes, so that you can then plug them. Because most holes are in the gaps between what systems are intended to do, and what you can actually make them do instead.
I once hacked a web-accessible thermostat control for a large popular restaurant 3,000 miles away. I was able to control it all. It had the default username and password.
Instead of being a total asshat and setting the heat and AC to cycle at opposite ends of the clock to make a rollercoaster of climate control that also ran up their heat/AC costs... I tracked down the owner and informed him of the situation. He said thanks and that was it.
2 years later... that thermostat is still wide open to the web (if you do your home work and figure out the default username/password).
When should I enable the rollercoaster climate control experience for that restaurant?
If you want 5 years' experience in a field that has existed for 6 months, I know that I do not want to work for you, since you don't even know what you want. How should you know what you can reasonably expect?
This is security, baby, not Webdesign. I can actually choose who I want to work for, I needn't take a job with a company that I KNOW is shit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Get out while you can. The closer you're to the CISO chair, the sooner.
Such companies will sink. Get off the fire ship while you can.
Perhaps we should talk. I've been working in and around security for 20 years. Currently I develop a scanner which competes with Nessus and Rapid 7. We run comparison scans comparing our product to those two weekly. Where are you located?
A security professional is the person who has to argue with management that the cheapest hardware and software are insecure, then has to somehow make them secure after management ignores everything they said, then gets the blame when the company's systems get hacked.
Basically, they're hired on as the red headed stepchild, then ushered out as the scapegoat.
Why the fuck would anyone in their right mind want that as their career?
The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with.
The fundamental problem with business computer security is that businesses (and their executives) don't really value security. First, they won't pay for it. If you ask them to buy any security products, they want to buy the cheapest one. If you ask them to pay for a security product that isn't 100% necessary, they'll say no. If you ask them to hire a security expert, they'll complain about that expert's salary. If you present them with a security audit that includes a lot of problems, they won't fund the project to fix those problems.
But almost as importantly, the executives will place their own convenience at a higher importance than security. I've seen CEOs order that they be exempted from password requirements because they use their child's first name for every password on every service and computer, and they don't want to have to remember a different password. I've seen executives refuse to make multi-factor authentication mandatory because they, personally, find it annoying to use. I've seen executives insist that they can't have any kind of antivirus product installed on their computer, because it would supposedly slow them down too much. If a company's management refuses to have reasonable security policies placed on them, it creates a gaping security hole.
If you want businesses to have better security, the first step is to convince them that they need to fund security and make it a priority for the whole company.
You know, if you can't find anyone, and the people you train leave for other employers, you might need a more attractive package for those positions, and it sounds as though you are not practicing basic logic.
"...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
Cyber Command is just getting ramped up, but trained soldiers are already becoming available as they choose to not re-enlist. This is a source of non-college educated trained professionals we did not have in the past that make ideal watch-floor admins who are coming from all of the services. Most of them are going on to college after their service, you can try catching them before, after or during college.
Start holding upper management and their bonuses accountable.
Otherwise it is going to take regulatory action to force companies to maintain a minimum level of security.
People just don't care until disaster hits.
In every other industry, trade, or profession, in the entirety of human history, labor shortages have been solved in a fairly standard way - offer enough money to attract the best candidates. I wonder how the "cybersecurity" industry will handle this crisis?
Proud neuron in the Slashdot hivemind since 2002.
1) Stop Outsourcing
2) Hire qualified IT personnel
3) Fire anyone in IT who doesn't have security focus
4) Fire any developers, who focus in security development and who don't have security focus
5) Make sure your CTO is an expert and qualified
6) Allow training for all in house IT and development staff
7) Pay your staff properly so they want to do a proper job
8) Don't allow BYOD, IT controls the devices, not the end user
9) Lock down your infrastructure and design it properly for security
If you don't need to bullshit, don't. But someone genuinely unqualified can make a jump, if they can backfill the bullshit once on the job fast enough.
In other words, if you have six months and they're asking for five years, don't. But if you have zero? Go for it...
This isn't a hard problem. Companies need to be willing to better reward their security staff so more people will be interested in getting into the field and less apt to walk.
One could say if you have zero experience and claim 5 years, and do it with a company that requires those 5 years when the technology has been out 6 months, you sure deserve each other.
Slashdot and Techdirt both have bunchteen stories about security researchers being threatened with $$$ lawsuits for revealing vulns in corporate software.
Does that behavior sound as if businesses really want/need security people? I'm sure it's a big encouragement for students to go into security so they can add lawsuits to their student debt.
Exactly my point. The trick is to move on once you've got actual solid experience, as the place surely sucks. Also assumes you've got the basic understanding to backfill the practicals quick enough. I pulled this off a couple of times when I was younger.
I have 30 years professional experience 'figuring shit out' by now...not much scares me...it can't be worse than Netmare 2 was. Also: I've seen what the average 'seasoned, certified pro' produces.
"Even in the best of setups, you need someone to monitor the intrusion detection"
What requires the ones monitoring (or getting alerts) to be different people from the ones getting the operating envelope ones?
"test patches and updates"
That's what QA is for (if even QA is required instead of being part of a developer's or system administrator duty: you coded/designed/deployed it? You make sure it fits the requirements).
"Effective 'ground up security' requires extra granularity of permissions."
Which is part of the architecture role's duties.
"This has a cost as well, even done efficiently"
No doubt it has a cost, and then it is product management's job to set the sweet spot and architecture's to design it, etc. No "security guys" involved.
"And it's all worthless if someone lets a stranger tailgate past a card reader"
If no tailgating is required, then it's an architecture concern.
"Don't forget that background checking the janitorial staff isn't free."
Don't forget you are answering to a comment that didn't enter into cost consideration, only that "security staff" has no place in any healthy organization.
Management. They're not willing to pay for someone(s), they don't want to listen to the answers, and then they complain about the cost.
When something happens, instead of putting in place what was tailored for them, they go so overboard that it interferes with the employees' ability to do work.
And then they point to that, and say they can't afford that, again.
"This attitude is why companies no longer train people."
No. Companies no longer train people because they are myopic beyond salvation.
"Paying people a large salary for months while they're not productive then having them backstab you is why companies stop training people."
No. It is paying peanuts while training them and then pretending to continue paying peanuts once they are trained why they flee.
You can:
1) Pay them peanuts while on training and automatically raise their wages to current market value once they get their training.
2) Pay them average or a bit below average while on training, with a clause that makes them work for you for a reasonable period at that level, then raise their wages to their new market value.
You see, changing jobs is always a risk, higher for the employee than the employer, and still your people prefer taking that risk even knowing your company will continue training them? You, sir, are paying peanuts.
How is it that a company paying the lowest it can come with is "free market, offer and demand" and then the employee getting the highest wages they can command is "backstabbing"?
Finally, you think training is expensive? Try incompetence!
Remove Microsoft Windows and the Intel chipset from anywhere on your network.
There is also value in having your ex-employees in positions at other companies. Assuming you treated them well. Just ask any wall street bank.
Cheap storage VM.
I always wondered if the "seasoned" in some resumes had anything to do with culinary preparation. Because it very often has nothing to do with experience.
Good luck with that. Yikes.
No security staff, test your own damn code, 'architects' and project managers do security, admins 'validate' everything they deploy.
Who runs backups? The receptionist?
'Certified' is too obvious to riff on.
So someone who has been in s/w and specification development for many years would have a hard time accepting this kind of salary.
It sounds like this comes from personal experience. If you have some years in IT in general, you could leverage that to get your CISSP. The ISC2 requires 5 years' experience in two of the eight domains. Since it sounds like you were a developer before, you can claim experience in software development security, and another likely domain would be Identity and asset management if your applications had login requirements.
From there, go sit for the CISSP (after a bit of self-study if needed). Then if you pass, find an ISC2 member to endorse you, or if you do not know one you can ask the ISC2 to endorse you themselves, which mainly consists of sending them a resume justifying why you claim you have 5 years of experience in two or more of the knowledge domains. While people have varying opinions on the usefulness of a CISSP, it does help get your resume past the HR goons for more senior positions. Good luck.
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
"Who runs backups? The receptionist?"
The backups are never the problem.
Testing them is.
And, of course, nobody runs the backups: they are automated. The results are tested by junior staff and validated by senior sysadmins.
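The point above that backups are rarely the problem and untested restores are deserves a concrete shape. The following is an added, constructed example (not the commenter's code and not any vendor's tool) of what an automated restore test can look like: a backup records a SHA-256 manifest at backup time, and verification restores the archive into a scratch directory and compares every file against that manifest, so a stale, truncated or unreadable archive is reported before anyone depends on it. File names, contents and the `demo()` driver are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzipped tar of src; return the manifest recorded at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_backup(archive: Path, expected: dict) -> list:
    """Restore the archive into a scratch directory and compare it with the manifest.
    Returns a list of human-readable problems; an empty list means the restore is good."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12+ extraction filters refuse absolute paths and '..' members;
                # older interpreters have no such option, so fall back to plain extraction.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"unreadable archive: {exc}"]
        restored = build_manifest(Path(scratch))
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupt: {rel}")
    return problems


def demo() -> dict:
    """Constructed end-to-end run: a good backup, a stale one, and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "config").mkdir(parents=True)
        (src / "notes.txt").write_text("rotate keys quarterly\n")
        (src / "config" / "app.ini").write_text("[auth]\nmfa = required\n")

        archive = Path(work) / "backup.tgz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)  # expected: no problems

        # A file changes after the backup; verifying a later archive against the
        # earlier manifest must flag it (this is how a silently altered source shows up).
        (src / "notes.txt").write_text("rotate keys monthly\n")
        archive2 = Path(work) / "backup2.tgz"
        make_backup(src, archive2)
        stale = verify_backup(archive2, manifest)  # expected: ['corrupt: notes.txt']

        # Simulate media damage: chop the first archive in half and try to restore it.
        with archive.open("r+b") as fh:
            fh.truncate(archive.stat().st_size // 2)
        damaged = verify_backup(archive, manifest)  # expected: at least one problem

    return {"good": good, "stale": stale, "damaged_detected": bool(damaged)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the check restores from the archive rather than re-hashing the source: a backup that cannot be read back is exactly the failure the commenter means, and only a real restore exercises it. In a scheduled job the manifest would be stored alongside (or separately from) the archive and a non-empty problem list would page the on-call sysadmin.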