
CISOs' No. 1 Concern in 2018: The Talent Gap
User Rank: Apprentice
4/3/2019 | 10:58:07 PM
Uncontrolled growth
There are many other growing pains for CISOs aside from the shortage of skill sets in the market. Shadow IT, IoT and edge devices, poor governance, cloud computing and negligence are nightmares for security leaders today. The surface area for attack has grown and perimeter security is no longer enough. I have written more about this in my article: https://peer2peercloud.com/ciso-top-concern-about-public-cloud/
User Rank: Ninja
1/17/2018 | 2:38:44 PM
Re: CISO consideration
Understanding the business - yes! That's the key.

Too often security is "applied" to the surface, like patching a leaking life raft. Without the means to perceive the components of the business, as a system, you can't come to grips with the circumstances that put you in that life raft in the first place.

That lack of awareness isn't just a problem for the CISO or security departments, or IT, but for all the knowledge workers, from the C-level on down. It's not that knowledge of how the components actually work in an enterprise isn't there; it's that the interdependencies haven't been formalized and documented in a way that would properly inform. The only methodology I know of toward achieving that is fact-based, conceptual modeling.
User Rank: Strategist
1/16/2018 | 3:07:18 PM
CISO consideration
Yet another consideration under "lack of competent in-house staff" is the CISO him/herself. By lacking competence, I mean competence surrounding the inner workings of the lines of business and their respective objectives. CISOs get burnt at the stake so often and shuffled so frequently that building the necessary knowledge to support the business in an insightful and innovative way is almost impossible. The same goes for your business-facing security pros. The cyber job market remains white hot and it makes sense to jump roles/firms every 1.5 to 2 years just for the pay increase alone. When someone leaves, the accumulated knowledge that is valuable to the business is lost.
Dimitri Chichlo
User Rank: Apprentice
1/15/2018 | 4:00:38 AM
CISO's vision
Interesting survey and analysis, but made by CISOs and therefore somehow biased. Does having a CISSP and an MSc in information security qualify you as a good CISO? Recruiters are also mainly focusing on those degrees and certifications when selecting candidates. Many CISOs are (mostly) technical people, very much focused on technology, and lack softer skills like communication, negotiation or strategic vision. How do you get funding for enlarging teams, changing IT working processes and installing new security systems if you are not able to convince the people holding the funds?
User Rank: Ninja
1/13/2018 | 10:22:16 AM
Re: Don't look for plug-and-play employees, or discount all outsourcing
You touch on one aspect of the hiring, training, in-house/outsource issue: the character of the people, or more to the point, of each individual.

While passion for the work is important, so are other attributes. You don't have to look far into the annals of cybersecurity failures to find examples of an employee or contract worker wreaking havoc through acts of negligence or outright betrayal of trust. What they share is poor character, and that they were put in a position of trust.

Evaluating a person's character can't be automated, and shouldn't be assumed by national origin. Benedict Arnold was as competent, as effective, had at least as good a CV, and was as much an American as George Washington - the difference was character.
User Rank: Ninja
1/12/2018 | 3:09:03 PM
Re: Don't look for plug-and-play employees, or discount all outsourcing
I would never endorse outsourcing for a cyber-security model - for it fails enough and often for just standardized (read that dumb) IT support. The educational resource of most IT outsource houses (Tata, Wipro, Infosys) just is not up to any par and they have trouble with just a standard IT technician. (I recently departed a lovely little office - paycheck job - that was outsourced to Wipro and A DISASTER in every way. Took the all-powerful GSD (General Service Desk) NINE DAYS!!!!!!! TRUE ---- to route a ticket from one user to ME and we were on the same floor and office. BAD.) So don't expect cybersecurity professionals to emerge from this venue.

And don't get me started on IBM - I used to be a proud IBMer many years ago (the Akers era) and the firm is now a shadow of what it was. Ginny, 22 quarters of revenue decline. State of Indiana, for example - lawsuit. More staff in INDIA than in the United States.

American-trained IT professionals who CARE PASSIONATELY about the subject are what is needed.
User Rank: Author
1/12/2018 | 2:22:01 PM
Too much work, not enough people!!!
Great article, Dawn. As a security veteran with over 16 years of CISO experience, I can attest to how big a problem staffing is. You can't find the people and when you do, you train them and then lose them.

While we clearly need to train more personnel, the only way companies will be able to solve this problem is to replace legacy tools with new AI-based systems that can leverage cognitive computing to perform many of the tasks that security personnel perform, while also eliminating the false positives which not only increase workloads but often allow important events to slip through with the noise.

They will also leverage MSSPs to outsource as much of the workload as possible. MSSPs are much better positioned to hire and retain top personnel, providing CISOs more resiliency, flexibility and scalability. The CISO just needs to maintain proper independent oversight to ensure they are getting what they are paying for, because if the MSSP fails to deliver, it's the CISO's neck on the line.
User Rank: Ninja
1/12/2018 | 1:46:36 PM
Don't look for plug-and-play employees, or discount all outsourcing
Whether I would be allowed to enroll in a programmer/analyst curriculum at a specialized computer training school in the 1970s was determined by aptitude tests. Once in the program, I could see that degrees, even advanced degrees, in what's now called STEM were not reliable indicators of the analytic and logical skills required in this field. This is even more true today.

Is it far-fetched to say that the primary reasons companies limit their IT candidate searches to applicants with CS degrees or other certifications are to make it easier on HR departments, and to provide cover for hiring the wrong people? Remember the adage: "No one was ever fired for buying IBM." Was IBM always the best choice? No, but it was the safe one for those who signed off on it.

That there is a talent gap might well be because companies have forgotten where and how to look for it, nurture it and protect it.

Regarding "in house": First recognize the distinction between outsourcing and offshoring - the latter implies the former, but not the other way round. In both cases, companies must use good and informed judgement as to which tasks are suitable for either, and about who they are taking on as partners - because all IT relationships are intimate.

The concerns particular to offshoring center on jurisdictional control. Look no further than the recent Kaspersky Lab restrictions (justified or not) for an example. Of course, there are compliance requirements; but go beyond the letter of the law, and consider the rationale for them. In most cases, the law comes too late to prevent the damage that led to the need for the law. [Leave the debate on whether a particular law makes matters worse for another discussion.]

The basis for a decision on in-house, outsource, or offshore should be data-access driven; and that holds true for inside in-house, too. When thinking through that one, remember that all public cloud is outsource, and may be offshore. That goes for all the public-cloud components for your company, your employees and your partners.

When it comes to outsourcing, the right choice is going to take some careful consideration.
User Rank: Ninja
1/11/2018 | 8:25:23 AM
I would trace the talent gap to the career path destruction that corporate America has placed on IT professionals over the years. Why go into a field when, eventually, management will outsource you and that is that. CyberSecurity is a NEW field and it is a tough one to get a degree in. I am currently with a malware forensics unit and have learned a lot in a short time.

That said, good logical restore and rebuild protocols are LONG in order. Data exfiltration aside, ransomware attacks are the same as hard drive failure. Think about it.

Backup and disaster recovery plans are often OUT of date if used at all and, worse, rarely tested.

Workstation recovery is easy IF you have a good protocol, and it can be anything from a simple GHOST image to PXE login to a server.

As an independent consultant, I was very proud of a 3 hour recovery window when one of my accounts, a 501C3, got Cryptolocked in January of 2014. Because I had good off-site storage protocols in place, I was able to restore all SERVER DATA within 2 hours of on-site arrival the next day. Plus my recovery protocol was SIMPLE AND TESTED so I knew what to do.