Operations

6/12/2015
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less.

Your organization’s greatest security resources are people. They see the trouble spots and can intelligently investigate incidents and raise red flags (often at a higher level than the green-yellow-red lights on system dashboards). They keep the lights on, the employees working, the customers satisfied, the bad guys at bay.

But organizations aren’t hiring as many security professionals as they need, and very often, it’s not because of budgetary pressures. It’s because they can’t find skilled people. No matter how you slice it, creating a security professional with 10 years of experience takes … well, 10 years. All of this makes it imperative to use your security professionals in the most effective way possible to make your organization as secure as possible and make their jobs interesting and rewarding so that you retain top talent.

Tip #1: Take humans away from the daily techno-drudgery
Start by freeing up your security professionals from mundane, repetitive tasks. That often means automation. I don’t mean automation to replace staff, but automation to elevate your most skilled professionals to focus on security initiatives that increasingly support the competitiveness of the business.

Work with your team to identify the tasks that are most ripe for automation, including those where security policies are followed in a straightforward manner, where it might be hard to spot an admin’s mistakes and where mistakes can threaten security and increase risk. If many “things” have to be touched in order to accomplish a task, that’s where automation can save precious human resources, a tremendous amount of time and significantly reduce errors.

Tip #2: Let software do the heavy, repetitive lifting
Validating security is a related area where automation can deliver huge efficiencies by eliminating human labor. Humans find this kind of work slow and laborious, and might take weeks to perform a routine audit. Automation can do that job in minutes. Not only that, but automation is far more likely to do an accurate job. Humans do not excel at repetitive, detail-oriented tasks such as updating a hundred firewall devices with a new policy, or validating that their settings conform to policies. Humans make mistakes, possibly miss a setting or forget to save a change. Automation will get it done not only faster, but more accurately — and can log everything it does, without complaining about the paperwork.

Tip #3: Automate audit preparation
Preparing for audits remains an incredibly time-consuming and potentially error-prone activity that takes precious times from strategic security initiatives. Audit preparation can vary from the mundane to the insane – like documenting backups, checking firewall configurations, validating that files are properly encrypted, making sure patches have been applied, and so-on. Audits can be all-consuming, and require significant human intervention but this time and effort can be saved through automation.

Tip #4: Offload security operational tasks to the IT operations teams
In many organizations, security teams often handle operational tasks that touch on security. Consider offloading these tasks to IT operations so that security staff can focus purely on security-related tasks. Since the general IT market has not witnessed the same growth in demand for skilled employees as security, hiring IT Ops personnel is often less of a challenge.

Tip #5: Make “tribal knowledge” available to all
In too many organizations, critical knowledge is not hoarded in notebooks or SQL databases, but in human memory. Think about the veteran network architects who know the system inside and out, including where the “official” plans don’t represent the physical reality. We call that information “tribal knowledge.” While those individuals (who I like to call Network Ned) are corporate treasures, it’s simply not good policy to silo tribal knowledge within cranial wetware. Not only are you going to have a bad day when these people leave the company, it also makes ramping up new and lesser-skilled engineers a lot slower and more difficult. If you can use software tools to document the reality of the network and its security configurations, Network Ned won’t have to be a corporate Wikipedia of critical data. Instead, Network Ned can apply his/her talents to driving innovation and adding value to the business.

Tip #6: Use scarce, hard-to-find security professionals smarter
We are all under pressure to improve the efficiency of our security teams. But we are also under pressure to strengthen the business by increasing competiveness and agility -- without increasing risk. Security professionals can play an important role in this through big-picture thinking, problem solving, and finding better ways to manage risk. My suggestion is to take repetitive tasks off their plates. This will free them to execute many of those tasks more efficiently and more accurately. That’s how we do more with less in today’s security-intensive world.

Originally a software engineer and then a product manager for security products, Nimrod (Nimmy) Reichenberg now heads global strategy for AlgoSec. Nimmy is a frequent speaker at information security events and a regular contributor to industry publications including Security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John S.J547
50%
50%
John S.J547,
User Rank: Apprentice
6/18/2015 | 2:09:52 PM
Computer security legal hazards
Within the last well, 10 years there were issues with computer security professionals getting prosecuted for doing their jobs, often due to political conflicts and kinks in the system, such as reporting of problems that made some executives look bad, or that they didn't want fixed. Hazardous-duty pay seemed appropriate.

I've heard much less of this recently. Have the problems been corrected (for example by clear guidelines and standards of professional organizations)? If so, maybe we need more effort to let people know, to avoid deterring future security professionals.

We will need their services for a long time.
Andre Gironda
50%
50%
Andre Gironda,
User Rank: Apprentice
6/14/2015 | 3:50:07 AM
Re: Budget Constraints
Free, open-source software can provide automation just the same as commercial or SaaS offerings can. 

For incident response, try Google Rapid Response. For network and app penetration testing and vulnerability assessment, try sixdub-Minions and Arachni, plus metasploitHelper. DLP, use OpenDLP. Firewall and IPS, try Untangle firewall or Suricata IPS. SIEM, use OSSIM. Log management with file integrity monitoring -- easy peasy with OSSEC. Access controls needed, then U2F is a must-have. smicallef-spiderfoot or the Collective Intelligence Framework for threat intelligence information and Soltra Edge to share it with your industry ISAC.

Yes, you will need people and processes. Tools should support people and proceses. The NIST CSF is a great framework and PASTA is a good process-oriented approach to security risk management. None of these documents are locked up by Gartner paywalls. It's time to say goodbye to the old-school methods and pick up an open-source project or ten to drive results.
HarryS596
50%
50%
HarryS596,
User Rank: Apprentice
6/13/2015 | 12:56:13 PM
Tip #4
While agree with you that there is a shortage, I think that security ops tasks can be beneficial for up and coming professionals. I am not talking about autmoated tasks but lower level analsys that the sec ops person has to perform. It is a good area to get your feet wet.
NimrodR501
50%
50%
NimrodR501,
User Rank: Apprentice
6/12/2015 | 3:00:15 PM
Re: Budget Constraints
HI Ryan,

Thanks for your comment. What I have noticed is that the recent publicized breaches have made budgets to be less of an issue than they used to be. The problem is twofold -  when there are not enough skilled security professionals, more budget does not help as much. Additionaly, executives are used to the idea that every problem can be solved if you just spend enough money on it, and unfortunately that is not the case with security.

 

Best,

Nimmy
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/12/2015 | 1:17:31 PM
Budget Constraints
Unfortunately, there are budget constraints with many of the points that are made in the article, especially around automation. I agree with these points whole-heartedly, but I've seen first hand security professionals performing the work that could be automated due to these budgetary constraints. Yes automating the laborious work is ideal but its costly in both dollars and man hours.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15583
PUBLISHED: 2019-03-25
Cross-Site Scripting (XSS) vulnerability in point_list.php in GNUBOARD5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML via the popup title parameter.
CVE-2017-7340
PUBLISHED: 2019-03-25
A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to execute unauthorized code or commands via the applicationSearch parameter in the FortiView functionality.
CVE-2014-9187
PUBLISHED: 2019-03-25
Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recomme...
CVE-2014-9189
PUBLISHED: 2019-03-25
Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell...
CVE-2019-10044
PUBLISHED: 2019-03-25
Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, is vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters e...