Comments
How The Skills Shortage Is Killing Defense in Depth
BrysonLove
User Rank: Apprentice
2/6/2015 | 2:53:37 AM
Re: shortage or cheapness?
I saw this information on Twitter.
ODA155
User Rank: Ninja
2/3/2015 | 4:12:37 PM
Re: There is no skills gap, there's a priorities gap... > taking a left turn here
Hey Marilyn, that's a very good question, and for me I would have to say that getting my boss to use the (little) influence he has to bring as much pressure as he can that will allow us in security to make effective change. I'm sure he does what he can, but if it's not a "Heartbleed" or global SSLv3 problem or something that really frightens the CIO, he really doesn't like to apply too much pressure on the IT groups, and I think that's mostly because of organization and who reports to whom. We know what the holes/problems are, but because he reports up to the CIO, nothing will change. We did just have an audit that recommends a change in that organization to move security out of the IT reporting silo, but until that happens...
Marilyn Cohodas
User Rank: Strategist
2/3/2015 | 4:01:13 PM
Re: There is no skills gap, there's a priorities gap... > taking a left turn here
@ODA155 -- If, as you say, "we need to stop making excuses for 'why'... understand and admit our own flaws," what would you say is the biggest flaw in your security world?
ODA155
User Rank: Ninja
2/3/2015 | 2:03:52 PM
Re: There is no skills gap, there's a priorities gap...
"Since 2010, security vendors have been developing ever more impressive, but specialized, security gizmos."... that gizmo will do almost everything under the sun, but will do NOTHING well enough to justify its cost. So instead of saying, "Looks like a nifty gizmo, but I can't deploy it—I just don't have the staff.", maybe that CSO should be asking him/herself, is this nifty gizmo really going to address the problem area(s) where I need it? Maybe the problem is (I, you, we) have TOO MANY nifty gizmos that sounded good and looked good in that sandboxed demo, not enough product research to make sure you were getting what you needed and not what somebody was selling you.

I also agree with what has been said about job descriptions and hiring. That should demand to be part of whatever that process is for his/her company; let them know that you're not going to accept whatever personnel are given to you based on a job description you did not approve or resumes that you did not approve for interview. HR's job is to find the talent based on YOUR requirements, not theirs.

Even this article: "David Holmes is an evangelist for F5 Networks' security solutions..." Sorry, Mr. Holmes, I'm not calling you out or picking on you or trying to be rude or anything, but I'm not exactly sure what an evangelist for F5 Networks' security solutions is or does. To me it sounds like salesman, and if allowed a salesman will sell you exactly what you do not need, but for a small bump in price you can get the plugin for that at the next product update. I'm sorry if you're not a salesman.

I do not see a "Skills Shortage" anywhere killing anything; what I see are:

a) (some) vendors who don't even know their own products
b) Security departments who've allowed vendors in the door based solely on "The Magic Quadrant" and not what is required to address a problem
c) As someone else alluded to, bad or no relationship with the IT Department
d) CSOs with poor track records in evaluating, training and keeping good personnel

But when you put it all together, even though every comment I've seen has it right, I think the problem as well as any solutions really does start with us, the security professional. We need to stop making excuses for "why"... understand and admit our own flaws, take responsibility where required, and be strong and hold your ground when needed.

Pragmatic_Security
User Rank: Apprentice
2/3/2015 | 10:50:41 AM
There is no skills gap, there's a priorities gap...
As it seems that every security article is written by a vendor, and not an enterprise practitioner, I'd like to lend a contrarian response.

Was Target or Home Depot (or arguably/probably) Sony breached because of a super-advanced, nation-state, "so good it must have come straight out of a spy novel" kind of attack? No, they were breached because they had a poor, non-defensive network infrastructure, and were not leveraging basic tools (of which they probably have many) to mitigate information risk.

As an industry, information security managers have done an overall bad job of creating actionable information for IT/Business leadership surrounding security practice.  Because of this, it is viewed that if they aren't spending money to implement *insert top right magic quadrant performer for CYBER APT *BUZZWORD* *BUZZWORD* then they aren't effectively mitigating risk.

May I ask, how many new tools does it take, aside from a solid security team collaboration with infrastructure partners, to SEGMENT YOUR NETWORK?  How many advanced vendor tools does it take to deploy the single greatest Wintel endpoint protection tool out there, Microsoft EMET (well... it's advanced, but it's free)?  How many new, advanced tools does it take to tune your existing proxies or network controls to only execute JavaScript from trusted sources?

Maybe it's just because I took SANS 504 this one time... But a "Lessons Learned" session should usually follow any significant security incident.  "Well guys, looks like we should have paid <vendor, professional services> to do the thinking for us a little more" probably wasn't what came out of it. 

What was it?  Information Security leaders and teams were not prepared to do the "non-sexy" part of information security, such as implementing the simple—but most effective—controls, as listed above.  Granted, log aggregation and correlation is a big part of information security, and having business requirements to simply state 'what do we want to do with this tool' are often never asked before implementing a SIEM or log aggregation solution (which should have been capturing network/firewall logs showing encrypted traffic leaving the network, and tuned to find the anomalies)... proxies renegotiating SSL at the boundary anyone???

Respectfully, I don't let vendors drive my information security strategy, so I'll drop some IS management PRO-TIPS.  First, build relationships with your IT and business stakeholders.  Second, 'know thyself', understand your IT footprint through solid infrastructure and application management and inventory.  Third (and it's a big one), based on business goals and organizational risk tolerance, create a comprehensive set of business requirements surrounding relevant risks to the organization (determining what actual 'threats' are based on step 2 of this exercise), and assess the people, processes, and projects/resources needed to accomplish such goals.  New technology only fills the DELTA, it doesn't replace risk-centric management of your company's architecture.

Summary, "the APT" is irrelevant as long as organizations are getting crushed by basic attacks caused by a lapse in management of existing people, processes, and technology.
Joe Stanganelli
User Rank: Ninja
1/31/2015 | 9:32:43 PM
Re: shortage or cheapness?
Alas, in companies with bad culture, outside consultants are paid for one of two purposes, generally -- to agree with and endorse everything the company is doing, and/or to be a scapegoat for everything that goes wrong.
JonH457
User Rank: Apprentice
1/31/2015 | 8:40:43 PM
Wages do not indicate a shortage of workers.
"The IT skills shortage has become epidemic."

This is not reflected in the wages paid.  Wages have stagnated in the IT industry for over 10 years.  Keep raising wages, and when they are sufficient, you will attract the talent needed.
RyanSepe
User Rank: Ninja
1/31/2015 | 12:47:14 PM
Re: shortage or cheapness?
I couldn't agree with you more on this. I have seen the poor description practices proliferate throughout organizations to the point where job function is ambiguous and the employee accepts a position under false pretenses.

Not sure whether it's a false perception of prestige that drives the poor descriptions or other factors, but there would be a more efficient process if requirements reflected the function in a short, succinct manner.

To the point of bad hiring/firing practices, I know there are 3rd party companies now that are training organizations in best practices, but to what extent these practices stick, I know not.
Joe Stanganelli
User Rank: Ninja
1/30/2015 | 10:49:26 PM
Re: shortage or cheapness?
It's the HR department.  Look at any company that's faced a zillion reorgs in the past couple of decades.  Look at the survivors: All HR.

Bad recruiting practices.  Bad job description practices.  Bad hiring practices.  Bad firing practices.  Bad compensation practices.  Bad everything.  But they control the keys, so who's going to stop them?
Joe Stanganelli
User Rank: Ninja
1/30/2015 | 10:47:56 PM
Bah.
The problem is NOT a skills shortage.

The problem is a glut of HR staff.

www.networkcomputing.com/careers-and-certifications/the-tech-talent-shortage-myth/d/d-id/1317892