2/9/2015
10:30 AM
Michelle Drolet
Commentary

Bridging the Cybersecurity Skills Gap: 3 Big Steps

The stakes are high. Establishing clear pathways into the industry, standardizing jobs, and assessing skills will require industry-wide consensus and earnest collaboration.

There is a dangerous dearth of qualified Information Security talent in industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren't coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources.

The exploitation of vulnerabilities has a very real economic toll that's often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge:

Clearly it's vital that something be done to redress the balance and make a career in cybersecurity more desirable. Here are three suggestions:

Clearly define job titles
Finding the right security expertise to enforce internal policies is not easy and the waters are muddied by a lack of standardized career definitions. Job titles differ from country to country and even from organization to organization. This makes it hard for employers to find the right talent, but it's also off-putting for graduating students who want to step onto the first rung of a career ladder.

Standardized job titles would help create a framework where skills sets and expectations can be clearly delineated. It would make it easier for prospective employees to target the skills and experience they really need. Common definitions would also boost the international flow of talent and foster cooperation between peers.

Build a career framework
The Information Systems Security Association (ISSA) has identified a career framework definition in the shape of the Cybersecurity Career Lifecycle (CSCL), but it can't be achieved in isolation. The industry must participate and help shape this framework to deliver clear career ladders for incomers to climb.

It’s important to note that this framework doesn’t necessarily map a direct path to a job as a CISO. There are a variety of rewarding careers in security, and an executive position will not be desirable or suitable for everyone. However, setting out clear career maps with room for growth and advancement in different directions is key to attracting more talent into the cybersecurity sphere. It's a fast-paced, challenging industry and there's no reason it shouldn't attract a more diverse talent base. But they need to be able to see a way in.

It's also important for organizations to be able to shop around for the skills they need and hire with confidence, which is also a strong argument for the establishment of accepted standards for assessments of security professionals to determine career levels and skills. Accreditation in specific areas needn't be confined to security specialists, either. Opening up security training for employees in other departments working with these systems on a daily basis also makes a great deal of sense.

Integrate InfoSec knowledge with IT infrastructure
Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization.

Establishing clear pathways into the industry, standardizing jobs, and assessing skills requires industry-wide consensus and earnest collaboration. The stakes are high. No one is predicting a decline in cyber-attacks. The problem is only going to grow. It's time we worked together to solve it.

Michelle Drolet is founder of Towerwall, a full service information security provider with over 20 years of experience exclusively delivering security and risk management services to biotech, financial services, and education.
Comments
ClassC,
User Rank: Apprentice
2/11/2015 | 4:41:17 PM
Re: Bridging the Cybersecurity Skills Gap
"... They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent."

@GonzSTL That is a great way of describing what really is becoming quite confusing with all the recent breaches. With so much noise around the situation, it's difficult to remember what is important to consider and what was lacking.

Threat intelligence and their response matrix surely came up short, and I bet this is more common than most companies would ever admit.
GonzSTL,
User Rank: Ninja
2/10/2015 | 12:28:45 PM
Re: Bridging the Cybersecurity Skills Gap
@InfoSec_Candy: Those were Michelle's words, not mine. However, I do agree that the shortage could be the greatest vulnerability in any organization.
InfoSec_Candy,
User Rank: Strategist
2/10/2015 | 11:36:24 AM
Re: Bridging the Cybersecurity Skills Gap
Great points GonzSTL!!!   "a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."   I believe it IS the greatest threat!!!
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:23:10 PM
Bridging the Cybersecurity Skills Gap
"Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."

One word comes to mind - Bingo! The word is that Target spent many millions of dollars in IT security before they were breached. That is a lot of money to throw at security! However, one of their failures was in their Incident Response strategy. They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent.