Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
6 Essential Skills Cybersecurity Pros Need to Develop in 2019
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
4/22/2019 | 7:25:14 PM
Let's look at this list in greater detail
This is an elaborate list, let's look and address these areas that companies are looking for from a security standpoint.

Automation and Orchestration - Two major trends are driving enterprises toward greater security automation across the board. First of all, security is using automation to scale incident response and security analysis to keep up with ever-multiplying threats. Second, as DevOPs and continuous delivery of software become de riguer at many organizations, the table stakes for IT automation across the board has risen considerably
  • Ok, I agree with automation across the board, but there has been a lot of pushback from engineering groups because they say if an application changes the functionality of another application during a threat, they were not comfortable with that aspect of change. They turned off this capability because they wanted a human to make a change that could affect the environment; but what if the experience person who is the senior level is out of the office (evening, weekend, holiday), the individual on site has to wait to get authorization, again, we are back in the same position
  • DevOPs is different in certain regards to AO (Automation and Orchestration), writing scripts to help improve a process is not really DevOPs. AO is a process where specific functions from various realms (network, compute and storage) come together. I think in this case the security teams are looking to use an aspect of infrastructure to be part of their ramp-up process (Citrix, VMware, Hyper-V). But this is part of another group within the organization and not necessarily the security team, it is a nice to have.

Data Science - "Data science is as much a method and an approach
  • Aren't all aspects of computing now the same as this (compute, network, storage). I think it is important to have an understanding of the data life-cycle process and be able to discern inherent hidden message inside data streams, this provides invaluable information about vulnerabilities and threats but that is what SIEMs (Security Information and Event Management) are used for. Numerous companies are providing this capability and most security experts review this data regularly (basically this is being done). Definition of Data science -  "Data science is the study of where information comes from, what it represents and how it can be turned into a valuable resource in creating business and IT strategies. Mining large amounts of structured and unstructured data to identify patterns can help an organization rein in costs, increase efficiencies, recognize new market opportunities and increase the organization's competitive advantage." This is something the CIO/CISO/CTO should use if we are looking at it from an executive standpoint, but in this case I don't think we are.

Coding - First of all, it's crucial for application security in a DevSecOps environment that requires optimal collaboration between security and development functions.
  • I agree that organizations are asking more from the security departments to review code and coding practices to help mitigate external/internal attacks but what happened to separation of duties. There is a reason companies have separated tasks because if your DevOPs team and security team become one, then there a gray area where collusion could take place. The security teams need to have DevOPs experience especially when organizations have in-house programming experts but the comment the gentleman made about teaching DevOPs individuals security in a short time is delusional. There are many tools from different vendors that cause security experts to scratch their heads. Each group needs to understand the organization's expectations (mission) but there needs to be a clear demarcation point in place, this ensures the security team will remain autonomous.

Privacy Expertise - Almost one in four cybersecurity professionals surveyed by ISSA say they don't believe they've been given the right level of training on data privacy.
  • Wow, that is interesting because that is one of the first topics they teach you will go after your CISSP (8 domains) is Asset Security - "Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements". It seems these individuals were not paying attention in class, lol.

Secure Cloud Management - According to Gartner experts, the drive to improve cloud security competencies in the face of massive enterprise shifts to the cloud is among the top seven security and risk management trends for 2019
  • Interesting, cloud computing companies have an assortment of tools in place to help the organization become more secure, they even have a tool that scans the network for security issues (logging, access controls, network access lists, MFA, design and VPN access). All of this is driven by a menu to help the end-user (security and infrastructure cloud expert) to address these issues. I think there needs to be training involved, but the learning curve is not as steep as stated, they can do this with a few clicks (AWS, Azure, Google all provide this capability)

Business Acumen - According to the ISACA study, "the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise."
  • Shouldn't the CIO, CTO or CISO have this experience, that should be part of their daily activities? The individual who sits in front the executive staff will need to have this, the engineering security team reviews logs, determines the organization's security posture, implements tools and controls, provides education and elaborates on long-term goals (strategic thinking).

I have looked at this list, this seems to be unreasonable because the shortcomings of individuals who work in higher-level positions don't want to understand the intricate aspects of security. An article was written that talked about executives not having a clear strategic path or goal to address security issues. Now it is one of the main focuses as to how the business runs, the executives want to move their business requirements to staff members.

Let's be honest, with all the things organizations are asking from security experts, it sounds like they are trying to blur the lines instead of hiring competent personnel in those specific areas. Because if they want someone who has Data Science, AO, Business Acumen, Cloud Management, Privacy Expertise and coding, then why would they continue to work for that company, they should work for themselves because of their extensive skill-set (having all of that is invaluable).

The other thing that is not being addressed by companies is the fact that they don't want to pay for individuals who have years of experience with an assortment of skills. In the article where the gentlemen stated he wanted "coders", but what he did not say was that he wanted to hire those individuals fresh out of school or at a discounted rate (a lot of the coders are coming from overseas and their rates are much lower than the American rate). Companies want individuals who can look beyond code; but when it comes to compensation, the manager is the one who does the hiring and they often back away from bringing in a personnel with those skill-sets because that person would eventually take their job, it is sad, but it is just human nature.

Todd
Ai2ik
50%
50%
Ai2ik,
User Rank: Apprentice
4/3/2019 | 2:05:36 PM
Certificates
Hi Ericka, do you recommend any must have cyber security certificates for people looking for careers in Infosec?


Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: It is too bad the ceiling is made of glass!
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3686
PUBLISHED: 2020-01-17
openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameter. This was reported through the bug bounty program of Offensive Security
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.