
6/12/2015
10:30 AM

Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less.

Your organization’s greatest security resources are people. They see the trouble spots and can intelligently investigate incidents and raise red flags (often at a higher level than the green-yellow-red lights on system dashboards). They keep the lights on, the employees working, the customers satisfied, the bad guys at bay.

But organizations aren’t hiring as many security professionals as they need, and very often, it’s not because of budgetary pressures. It’s because they can’t find skilled people. No matter how you slice it, creating a security professional with 10 years of experience takes … well, 10 years. All of this makes it imperative to use your security professionals in the most effective way possible to make your organization as secure as possible and make their jobs interesting and rewarding so that you retain top talent.

Tip #1: Take humans away from the daily techno-drudgery
Start by freeing up your security professionals from mundane, repetitive tasks. That often means automation. I don’t mean automation to replace staff, but automation to elevate your most skilled professionals to focus on security initiatives that increasingly support the competitiveness of the business.

Work with your team to identify the tasks that are most ripe for automation, including those where security policies are followed in a straightforward manner, where it might be hard to spot an admin’s mistakes, and where mistakes can threaten security and increase risk. If many “things” have to be touched in order to accomplish a task, that’s where automation can save precious human resources and a tremendous amount of time, and significantly reduce errors.

Tip #2: Let software do the heavy, repetitive lifting
Validating security is a related area where automation can deliver huge efficiencies by eliminating human labor. Humans find this kind of work slow and laborious, and might take weeks to perform a routine audit. Automation can do that job in minutes. Not only that, but automation is far more likely to do an accurate job. Humans do not excel at repetitive, detail-oriented tasks such as updating a hundred firewall devices with a new policy, or validating that their settings conform to policies. Humans make mistakes, possibly miss a setting or forget to save a change. Automation will get it done not only faster, but more accurately — and can log everything it does, without complaining about the paperwork.

Tip #3: Automate audit preparation
Preparing for audits remains an incredibly time-consuming and potentially error-prone activity that takes precious time from strategic security initiatives. Audit preparation can vary from the mundane to the insane – like documenting backups, checking firewall configurations, validating that files are properly encrypted, making sure patches have been applied, and so on. Audits can be all-consuming and require significant human intervention, but this time and effort can be saved through automation.

Tip #4: Offload security operational tasks to the IT operations teams
In many organizations, security teams often handle operational tasks that touch on security. Consider offloading these tasks to IT operations so that security staff can focus purely on security-related tasks. Since the general IT market has not witnessed the same growth in demand for skilled employees as security, hiring IT Ops personnel is often less of a challenge.

Tip #5: Make “tribal knowledge” available to all
In too many organizations, critical knowledge is hoarded not in notebooks or SQL databases, but in human memory. Think about the veteran network architects who know the system inside and out, including where the “official” plans don’t represent the physical reality. We call that information “tribal knowledge.” While those individuals (who I like to call Network Ned) are corporate treasures, it’s simply not good policy to silo tribal knowledge within cranial wetware. Not only are you going to have a bad day when these people leave the company, it also makes ramping up new and lesser-skilled engineers a lot slower and more difficult. If you can use software tools to document the reality of the network and its security configurations, Network Ned won’t have to be a corporate Wikipedia of critical data. Instead, Network Ned can apply his/her talents to driving innovation and adding value to the business.

Tip #6: Use scarce, hard-to-find security professionals smarter
We are all under pressure to improve the efficiency of our security teams. But we are also under pressure to strengthen the business by increasing competitiveness and agility -- without increasing risk. Security professionals can play an important role in this through big-picture thinking, problem solving, and finding better ways to manage risk. My suggestion is to take repetitive tasks off their plates. This will free them to execute many of those tasks more efficiently and more accurately. That’s how we do more with less in today’s security-intensive world.

Originally a software engineer and then a product manager for security products, Nimrod (Nimmy) Reichenberg now heads global strategy for AlgoSec. Nimmy is a frequent speaker at information security events and a regular contributor to industry publications including Security ...
Comments
John S.J547,
User Rank: Apprentice
6/18/2015 | 2:09:52 PM
Computer security legal hazards
Within the last, well, 10 years, there were issues with computer security professionals getting prosecuted for doing their jobs, often due to political conflicts and kinks in the system, such as reporting of problems that made some executives look bad, or that they didn't want fixed. Hazardous-duty pay seemed appropriate.

I've heard much less of this recently. Have the problems been corrected (for example by clear guidelines and standards of professional organizations)? If so, maybe we need more effort to let people know, to avoid deterring future security professionals.

We will need their services for a long time.
Andre Gironda,
User Rank: Apprentice
6/14/2015 | 3:50:07 AM
Re: Budget Constraints
Free, open-source software can provide automation just the same as commercial or SaaS offerings can. 

For incident response, try Google Rapid Response. For network and app penetration testing and vulnerability assessment, try sixdub-Minions and Arachni, plus metasploitHelper. DLP, use OpenDLP. Firewall and IPS, try Untangle firewall or Suricata IPS. SIEM, use OSSIM. Log management with file integrity monitoring -- easy peasy with OSSEC. Access controls needed, then U2F is a must-have. smicallef-spiderfoot or the Collective Intelligence Framework for threat intelligence information and Soltra Edge to share it with your industry ISAC.

Yes, you will need people and processes. Tools should support people and processes. The NIST CSF is a great framework and PASTA is a good process-oriented approach to security risk management. None of these documents are locked up by Gartner paywalls. It's time to say goodbye to the old-school methods and pick up an open-source project or ten to drive results.
HarryS596,
User Rank: Apprentice
6/13/2015 | 12:56:13 PM
Tip #4
While I agree with you that there is a shortage, I think that security ops tasks can be beneficial for up-and-coming professionals. I am not talking about automated tasks but lower-level analysis that the sec ops person has to perform. It is a good area to get your feet wet.
NimrodR501,
User Rank: Apprentice
6/12/2015 | 3:00:15 PM
Re: Budget Constraints
Hi Ryan,

Thanks for your comment. What I have noticed is that the recent publicized breaches have made budgets less of an issue than they used to be. The problem is twofold - when there are not enough skilled security professionals, more budget does not help as much. Additionally, executives are used to the idea that every problem can be solved if you just spend enough money on it, and unfortunately that is not the case with security.

Best,

Nimmy
RyanSepe,
User Rank: Ninja
6/12/2015 | 1:17:31 PM
Budget Constraints
Unfortunately, there are budget constraints with many of the points that are made in the article, especially around automation. I agree with these points whole-heartedly, but I've seen firsthand security professionals performing the work that could be automated due to these budgetary constraints. Yes, automating the laborious work is ideal, but it's costly in both dollars and man hours.