Comments
Newest First | Oldest First | Threaded View
CISO consideration
Yet another consideration under "lack of competent in-house staff" is the CISO him/her self. By lacking competence, I mean competence surrounding the innerworkings of the lines of business and their respective objectives. CISO's get burnt at the stake so often and shuffled so frequently that building the necessary knowledge to support the business in an insightful and innovative way is almost impossible. Same goes for your business-facing security pros. The cyber job market remains white hot and it makes sense to jump roles/firms every 1.5 to 2 years just for the pay increase alone. When someone leaves, the accumulated knowledge that is valuable to the business is lost.
CISO's vision
Interesting survey and analysis but made by CISOs, therefore somehow biased. Does having a CISSP and an MSc in information security qualify you as a good CISO? Recruiters also are mainly focusing on those degrees and certifications when selecting candidates. Many CISOs are (mostly) technical people, very much focused on technology and lack more soft skills like communication, negotiations or strategic vision. How do you get funding for enlarging teams, change IT working processes and install new security systems if you are not able to convince people holding the funds?
Re: Don't look for plug-and-play employees, or discount all outsourcing
You touch on one aspect of the hiring, training, in-house/outsource issue: the character of the people, or more to the point, of each individual.
While passion for the work is important, so are other attributes. You don't have to look far into the annals of cybersecurity failures to find examples of an employee or contract worker wreaking havoc through acts of negligence or outright betrayal of trust. What they share is poor character, and that they were put in a position of trust.
Evaluating a person's character can't be automated, and shouldn't be assumed by national origin. Benedict Arnold was as competent, as effective, had at least as good a CV, and was as much an American as George Washington - the difference was character.
While passion for the work is important, so are other attributes. You don't have to look far into the annals of cybersecurity failures to find examples of an employee or contract worker wreaking havoc through acts of negligence or outright betrayal of trust. What they share is poor character, and that they were put in a position of trust.
Evaluating a person's character can't be automated, and shouldn't be assumed by national origin. Benedict Arnold was as competent, as effective, had at least as good a CV, and was as much an American as George Washington - the difference was character.
Re: Don't look for plug-and-play employees, or discount all outsourcing
I would never endorse outsourcing for a cyber-security model - for it fails enough and often for just standardized (read that dumb) IT support. The educational resource of most IT outsource houses (Tata, Wipro, Infosys) just are not up to any par and theyhave trouble with just a standard IT technician. (I recently departed a lovely little office - paycheck job - that was outsourced to Wipro and A DISASTER in every way. Took the all powerful GSD (General Service Desk) NINE DAYS!!!!!!! TRUE ---- to route a ticket from one user to ME and we were on the same floor and office. BAD. So don't expect cybersecurity professionals to emerge from this venue.
And don't get me started on IBM - used to be a proud IBMer many years ago (the Akers era) and the firm is now a shadow of what it was. Ginny, 22 quarters of revenue decline. State of Indiana for example - lawsuit. More staff in INDIA than in the United States.
American trained IT professoinals who CARE PASSIONATELY about the subject is what is needed.
And don't get me started on IBM - used to be a proud IBMer many years ago (the Akers era) and the firm is now a shadow of what it was. Ginny, 22 quarters of revenue decline. State of Indiana for example - lawsuit. More staff in INDIA than in the United States.
American trained IT professoinals who CARE PASSIONATELY about the subject is what is needed.
Too much work, not enough people!!!
Great article Dawn. As a security veteran with over 16 years of CISO experience I can attest how big a problem staffing is. You can't find the people and when you do, you train them and then lose them.
While we clearly need to train more personnel, the only way companies will be able to solve this problem is to replace legacy tools with new AI based systems that can leverage cognitive computing to perform many of the tasks that security personnel perform while also eliminating the false positives which not only increase workloads but often allows important events to slip through with the noise.
They will also leverage MSSPs to outsource as much of the workload as possible. MSSPs are much better positioned to hire and retain top personnel providing CISOs more resiliency, flexibility and scalability. The CISO just needs to maintain proper independent oversight to ensure they are getting what they are paying for because if the MSSP fails to deliver, it's the CISOs neck on the line.
While we clearly need to train more personnel, the only way companies will be able to solve this problem is to replace legacy tools with new AI based systems that can leverage cognitive computing to perform many of the tasks that security personnel perform while also eliminating the false positives which not only increase workloads but often allows important events to slip through with the noise.
They will also leverage MSSPs to outsource as much of the workload as possible. MSSPs are much better positioned to hire and retain top personnel providing CISOs more resiliency, flexibility and scalability. The CISO just needs to maintain proper independent oversight to ensure they are getting what they are paying for because if the MSSP fails to deliver, it's the CISOs neck on the line.
Don't look for plug-and-play employees, or discount all outsourcing
Whether I would be allowed to enroll in a programmer/analyst curriculum at a specialized computer training school in the 1970s, was determined by aptitude tests. Once in the program, I could see that degrees, even advanced degrees, in what's now called STEM, were not reliable indicators of the analytic and logical skills required in this field. This is even more true today.
Is it farfetched to say that the primary reasons companies limit their IT candidate searches, to applicants with CS degrees or other certifications, are to make it easier on HR departments, and to provide cover for hiring the wrong people? Remember the adage: "No one was ever fired for buying IBM". Was IBM always the best choice? No, but it was the safe one, for those who signed off on it.
That there is a talent gap might well be because companies have forgotten where and how to look for it, nurture and protect it.
Regarding "in house": First recognize the distinction between outsourcing and offshoring - the later implies the former, but not the other way round. In both cases, companies must use good and informed judgement as to which tasks are suitable for either, and about who they are taking on as partners - because all IT relationships are intimate.
The concerns particular to offshoring center on jurisdictional control. Look no further than the recent Kaspersky Lab restrictions (justified or not), for an example. Of course, there are compliance requirements; but go beyond the letter of the law, and consider the rationale for them. In most cases, the law comes too late to prevent the damage that lead to the need for the law. [Leave the debate on if a particular law makes matters worse, for another discussion]
The basis for a decision on in-house, outsource, offshore should be data access driven; and that holds true for inside in-house, too. When thinking through that one, remember that all public-cloud is outsource, and may be offshore. That goes for all the public-cloud components for your company, your employees and your partners.
When it comes to outsourcing, the right choice is going to take some careful consideration.
Is it farfetched to say that the primary reasons companies limit their IT candidate searches, to applicants with CS degrees or other certifications, are to make it easier on HR departments, and to provide cover for hiring the wrong people? Remember the adage: "No one was ever fired for buying IBM". Was IBM always the best choice? No, but it was the safe one, for those who signed off on it.
That there is a talent gap might well be because companies have forgotten where and how to look for it, nurture and protect it.
Regarding "in house": First recognize the distinction between outsourcing and offshoring - the later implies the former, but not the other way round. In both cases, companies must use good and informed judgement as to which tasks are suitable for either, and about who they are taking on as partners - because all IT relationships are intimate.
The concerns particular to offshoring center on jurisdictional control. Look no further than the recent Kaspersky Lab restrictions (justified or not), for an example. Of course, there are compliance requirements; but go beyond the letter of the law, and consider the rationale for them. In most cases, the law comes too late to prevent the damage that lead to the need for the law. [Leave the debate on if a particular law makes matters worse, for another discussion]
The basis for a decision on in-house, outsource, offshore should be data access driven; and that holds true for inside in-house, too. When thinking through that one, remember that all public-cloud is outsource, and may be offshore. That goes for all the public-cloud components for your company, your employees and your partners.
When it comes to outsourcing, the right choice is going to take some careful consideration.
Reality
I would trace the talent gap to the career path destruct that corporate America has placed on IT professionals over the years. Why go into a field when, eventually, management will outsource you and that is that. CyberSecurity is a NEW field and it is a tough one to get a degree in. I am currently with a malware forensics unit and have learned alot in short time.
That said, good logical restore and rebuild protocols are LONG in order. Data exfiltration aside, ransomware attacks are the same as hard drive failure. Think about it.
Backup and disaster resocvery plans are often OUT of data if used at all and, worse, rarely tested.
Workstation recovery is easy IF you have a good protocol and it can be anything from simple GHOST image to PXE login to server.
As an independent consultant, I was very proud of a 3 hour recovery window when one of my accounts, a 501C3, got Cryptolocked in January of 2014. Because I had good off-site storage protocols in place, I was able to restore all SERVER DATA within 2 hurs of on-site arrival the next day. Plus my recovery protocol was SIMPLE AND TESTED so I knew what to do.
That said, good logical restore and rebuild protocols are LONG in order. Data exfiltration aside, ransomware attacks are the same as hard drive failure. Think about it.
Backup and disaster resocvery plans are often OUT of data if used at all and, worse, rarely tested.
Workstation recovery is easy IF you have a good protocol and it can be anything from simple GHOST image to PXE login to server.
As an independent consultant, I was very proud of a 3 hour recovery window when one of my accounts, a 501C3, got Cryptolocked in January of 2014. Because I had good off-site storage protocols in place, I was able to restore all SERVER DATA within 2 hurs of on-site arrival the next day. Plus my recovery protocol was SIMPLE AND TESTED so I knew what to do.
White Papers
Video
0 Comments
Current Issue
Flash Poll
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security — even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This
User Rank: Ninja
1/17/2018 | 2:38:44 PM
Too often security is "applied" to the surface, like patching a leaking life raft. Without the means to perceive the components of the business, as a system, you can't come to grips with the circumstances that put you in that life raft in the first place.
That lack of awareness isn't just a problem for the CISO or security departments, or IT, but for all the knowledge workers, from the C-level on down. It's not that knowledge of how the components actually work in an enterprise isn't there; but that the interdependencies haven't been formalized and documented, in a way that would properly inform. The only methodology I know of toward achieving that is fact-based, conceptual modeling.