How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)
Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive:
The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.
The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
Mr. President, we must not allow a mineshaft gap!
It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.
Talk to university and vocational education staff around the USA. Tell them what you need.
Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.
People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
That's not good for US security.
It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
Help get US education to a good standard so US students can find work. Or get further education to keep their skills up.
Domestic spying is now "Benign Information Gathering"
You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing, and start doing what you want them to do, if you pay them enough.
Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction methods are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction and consumption costs. If they're already good at software development and building infrastructure, maybe a year?
Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.
When prices become high enough, I'll start bidding on security contracts. As it is, companies would rather fill those positions with W2s, and not contractors, and leave the work undone.
This title is seriously demonstrating a lack of economic knowledge.
Want to close the Cybersecurity gap? It is very easy.
STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.
This means the IT department on its own makes MORE than the CTO does. Yes, the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget. Start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.
InfoSEC that is effective is NOT CHEAP. Stop treating IT as the bastard red-headed stepkids, and start treating them as the Mission Critical staff they really are.
That, and kick the CTO and CFO in the nuts; both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half-ass it by paying as little as possible have.
These executives know this, they just don't want to do it. And until they start making executives personally responsible for data breaches, it will not change. Yes, personally responsible: if these assholes can get multi-millions, then they also deserve to carry all the personal financial risk.
Do not look at laser with remaining good eye.
...so in other words, hire someone competent while you empty out the storage locker?
When I cleared out the storage closet for a local hospital, I found a 56" plasma TV that cost $10K brand new and was "lost" for seven years because it was buried in 600-sqft of IT crap. When I brought it to the attention of the IT manager, he had his IT guys test it and then put it up on the wall that it was originally supposed to go on. :/
Was that just before they fired you three months early because you were doing the janitor's work?
Nope. I finished the one-year contract three months ahead of schedule and fired myself. Thank God that I did. I've never worked in a hostile environment where every single person hated the IT department. I had to point out to everyone that I was a contractor and I was there to help them.
AC "senior positions" is code for one person who can sign off on any city, state or federal/mil project while the majority of the project is done at a low cost outside the USA.
That will be their made in the USA public face if they ever have to face congress for hours of questions.
Any questions will be taken back to their team.
Multinational brands do that a lot. Just enough expert staff in the USA to comply and win contracts.
They don't need or want low or mid level US staff if most of the work can be done outside the USA and then sold back into the USA for US wages.
That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?
I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
As such, you want the best possible service for the lowest possible cost.
I once worked at a Fortune 500 company that insisted that the help desk provider "double the performance for half the cost" as the primary metric. Last I heard they went through six help desk providers, downsized from 30 people to a half-dozen, and still haven't met that metric.
Quoth the article:
Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.
Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:
CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.
Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.
Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".
Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.
Learning HOW to think is more important than learning WHAT to think.
"We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us."
Taking advantage of yours!!!???
You mean, they used your systems to find a new employer and hacked their systems so they got more than they deserved?
Why didn't you sue them to hell!!!???
Or was it that, as you were paying quite below market rates, your trainees didn't have any problem finding someone else paying better than you?
1) Pay a good salary.
2) Seriously consider remote workers.
3) Hire more than one person.
4) Consider people who are outside the "security" realm. A lot of sysadmins have to do security by default and know just as much about it as a person with the cert.
Before a white hat, you have to be a grey hat.
However this is all highly illegal these days.
And yes, I admit to having broken into some U.S. Air Force computers just to look around, back before there were "criminal trespass" laws, and it became illegal as hell to "go in and look".
Perhaps you'd have more security experts available if they'd already learned to think like a grey hat by doing.
You really have to think somewhat sideways or slantwise in order to know how to look for security holes, so that you can then plug them. Because most holes are in the gaps between what systems are intended to do, and what you can actually make them do instead.
If you want 5 years' experience in a field that has existed for 6 months, I know that I do not want to work for you, since you don't even know what you want. How should you know what you can reasonably expect?
This is security, baby, not Webdesign. I can actually choose who I want to work for, I needn't take a job with a company that I KNOW is shit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A security professional is the person who has to argue with management that the cheapest hardware and software are insecure, then has to somehow make them secure after management ignores everything they said, then gets the blame when the company's systems get hacked.
Basically, they're hired on as the red headed stepchild, then ushered out as the scapegoat.
Why the fuck would anyone in their right mind want that as their career?
"This attitude is why companies no longer train people."
No. Companies no longer train people because they are myopic beyond salvation.
"Paying people a large salary for months while they're not productive then having them backstab you is why companies stop training people."
No. It is paying peanuts while training them and then pretending to continue paying peanuts once they are trained why they flee.
You can:
1) Pay them peanuts while in training and automatically raise their wages to current market value once they get their training.
2) Pay them average or a bit below average while in training, with a clause that makes them work for you for a reasonable period at that level, then raise their wages to their new market value.
You see, changing jobs is always a risk, higher for the employee than the employer, and still your people prefer taking that risk even knowing your company will continue training them? You, sir, are paying peanuts.
How is it that a company paying the lowest it can come with is "free market, offer and demand" and then the employee getting the highest wages they can command is "backstabbing"?
Finally, you think training is expensive? Try incompetence!