Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

4/3/2019
09:00 AM
Connect Directly
Twitter
RSS
E-Mail

6 Essential Skills Cybersecurity Pros Need to Develop in 2019

In a time of disruption in the security and tech worlds, cybersecurity professionals can't afford to become complacent - even in the face of a skills shortage.
3 of 7

Data Science
There's a role that's increasingly hitting the job search sites: cybersecurity data scientist. As organizations become more disciplined about using threat intelligence, threat modeling, and risk metrics to guide their security practices, data scientists are increasingly helping both enterprises and security vendors take a data-driven approach to security. In many instances, these are career data scientists who are learning security on the fly - but security pros who can bring deep domain expertise to the table and begin to hone data science skills concurrently would be setting themselves up with two of the hottest skill sets in all of IT.
'Data science is as much a method and an approach - a mindset that can help security practitioners scale and automate their activity by training machines to copy the experts, and a means of augmenting those experts,' says Simon Elliston Ball, data scientist and cybersecurity product manager at data software firm Hortonworks.

Image Source: Adobe Stock (ra2 studio)

Data Science

There's a role that's increasingly hitting the job search sites: cybersecurity data scientist. As organizations become more disciplined about using threat intelligence, threat modeling, and risk metrics to guide their security practices, data scientists are increasingly helping both enterprises and security vendors take a data-driven approach to security. In many instances, these are career data scientists who are learning security on the fly but security pros who can bring deep domain expertise to the table and begin to hone data science skills concurrently would be setting themselves up with two of the hottest skill sets in all of IT.

"Data science is as much a method and an approach a mindset that can help security practitioners scale and automate their activity by training machines to copy the experts, and a means of augmenting those experts," says Simon Elliston Ball, data scientist and cybersecurity product manager at data software firm Hortonworks.

Image Source: Adobe Stock (ra2 studio)

3 of 7
Comment  | 
Print  | 
Comments
Threaded  |  Newest First  |  Oldest First
Ai2ik
50%
50%
Ai2ik,
User Rank: Apprentice
4/3/2019 | 2:05:36 PM
Certificates
Hi Ericka, do you recommend any must have cyber security certificates for people looking for careers in Infosec?
tdsan
100%
0%
tdsan,
User Rank: Ninja
4/22/2019 | 7:25:14 PM
Let's look at this list in greater detail
This is an elaborate list, let's look and address these areas that companies are looking for from a security standpoint.

Automation and Orchestration - Two major trends are driving enterprises toward greater security automation across the board. First of all, security is using automation to scale incident response and security analysis to keep up with ever-multiplying threats. Second, as DevOPs and continuous delivery of software become de riguer at many organizations, the table stakes for IT automation across the board has risen considerably
  • Ok, I agree with automation across the board, but there has been a lot of pushback from engineering groups because they say if an application changes the functionality of another application during a threat, they were not comfortable with that aspect of change. They turned off this capability because they wanted a human to make a change that could affect the environment; but what if the experience person who is the senior level is out of the office (evening, weekend, holiday), the individual on site has to wait to get authorization, again, we are back in the same position
  • DevOPs is different in certain regards to AO (Automation and Orchestration), writing scripts to help improve a process is not really DevOPs. AO is a process where specific functions from various realms (network, compute and storage) come together. I think in this case the security teams are looking to use an aspect of infrastructure to be part of their ramp-up process (Citrix, VMware, Hyper-V). But this is part of another group within the organization and not necessarily the security team, it is a nice to have.

Data Science - "Data science is as much a method and an approach
  • Aren't all aspects of computing now the same as this (compute, network, storage). I think it is important to have an understanding of the data life-cycle process and be able to discern inherent hidden message inside data streams, this provides invaluable information about vulnerabilities and threats but that is what SIEMs (Security Information and Event Management) are used for. Numerous companies are providing this capability and most security experts review this data regularly (basically this is being done). Definition of Data science -  "Data science is the study of where information comes from, what it represents and how it can be turned into a valuable resource in creating business and IT strategies. Mining large amounts of structured and unstructured data to identify patterns can help an organization rein in costs, increase efficiencies, recognize new market opportunities and increase the organization's competitive advantage." This is something the CIO/CISO/CTO should use if we are looking at it from an executive standpoint, but in this case I don't think we are.

Coding - First of all, it's crucial for application security in a DevSecOps environment that requires optimal collaboration between security and development functions.
  • I agree that organizations are asking more from the security departments to review code and coding practices to help mitigate external/internal attacks but what happened to separation of duties. There is a reason companies have separated tasks because if your DevOPs team and security team become one, then there a gray area where collusion could take place. The security teams need to have DevOPs experience especially when organizations have in-house programming experts but the comment the gentleman made about teaching DevOPs individuals security in a short time is delusional. There are many tools from different vendors that cause security experts to scratch their heads. Each group needs to understand the organization's expectations (mission) but there needs to be a clear demarcation point in place, this ensures the security team will remain autonomous.

Privacy Expertise - Almost one in four cybersecurity professionals surveyed by ISSA say they don't believe they've been given the right level of training on data privacy.
  • Wow, that is interesting because that is one of the first topics they teach you will go after your CISSP (8 domains) is Asset Security - "Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements". It seems these individuals were not paying attention in class, lol.

Secure Cloud Management - According to Gartner experts, the drive to improve cloud security competencies in the face of massive enterprise shifts to the cloud is among the top seven security and risk management trends for 2019
  • Interesting, cloud computing companies have an assortment of tools in place to help the organization become more secure, they even have a tool that scans the network for security issues (logging, access controls, network access lists, MFA, design and VPN access). All of this is driven by a menu to help the end-user (security and infrastructure cloud expert) to address these issues. I think there needs to be training involved, but the learning curve is not as steep as stated, they can do this with a few clicks (AWS, Azure, Google all provide this capability)

Business Acumen - According to the ISACA study, "the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise."
  • Shouldn't the CIO, CTO or CISO have this experience, that should be part of their daily activities? The individual who sits in front the executive staff will need to have this, the engineering security team reviews logs, determines the organization's security posture, implements tools and controls, provides education and elaborates on long-term goals (strategic thinking).

I have looked at this list, this seems to be unreasonable because the shortcomings of individuals who work in higher-level positions don't want to understand the intricate aspects of security. An article was written that talked about executives not having a clear strategic path or goal to address security issues. Now it is one of the main focuses as to how the business runs, the executives want to move their business requirements to staff members.

Let's be honest, with all the things organizations are asking from security experts, it sounds like they are trying to blur the lines instead of hiring competent personnel in those specific areas. Because if they want someone who has Data Science, AO, Business Acumen, Cloud Management, Privacy Expertise and coding, then why would they continue to work for that company, they should work for themselves because of their extensive skill-set (having all of that is invaluable).

The other thing that is not being addressed by companies is the fact that they don't want to pay for individuals who have years of experience with an assortment of skills. In the article where the gentlemen stated he wanted "coders", but what he did not say was that he wanted to hire those individuals fresh out of school or at a discounted rate (a lot of the coders are coming from overseas and their rates are much lower than the American rate). Companies want individuals who can look beyond code; but when it comes to compensation, the manager is the one who does the hiring and they often back away from bringing in a personnel with those skill-sets because that person would eventually take their job, it is sad, but it is just human nature.

Todd
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
CVE-2019-16768
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
CVE-2012-1105
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
CVE-2019-16769
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...