Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
6 Essential Skills Cybersecurity Pros Need to Develop in 2019
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
 User Rank: Ninja
4/22/2019 | 7:25:14 PM
Let's look at this list in greater detail
This is an elaborate list, let's look and address these areas that companies are looking for from a security standpoint.

Automation and Orchestration - Two major trends are driving enterprises toward greater security automation across the board. First of all, security is using automation to scale incident response and security analysis to keep up with ever-multiplying threats. Second, as DevOPs and continuous delivery of software become de riguer at many organizations, the table stakes for IT automation across the board has risen considerably
  • Ok, I agree with automation across the board, but there has been a lot of pushback from engineering groups because they say if an application changes the functionality of another application during a threat, they were not comfortable with that aspect of change. They turned off this capability because they wanted a human to make a change that could affect the environment; but what if the experience person who is the senior level is out of the office (evening, weekend, holiday), the individual on site has to wait to get authorization, again, we are back in the same position
  • DevOPs is different in certain regards to AO (Automation and Orchestration), writing scripts to help improve a process is not really DevOPs. AO is a process where specific functions from various realms (network, compute and storage) come together. I think in this case the security teams are looking to use an aspect of infrastructure to be part of their ramp-up process (Citrix, VMware, Hyper-V). But this is part of another group within the organization and not necessarily the security team, it is a nice to have.

Data Science - "Data science is as much a method and an approach
  • Aren't all aspects of computing now the same as this (compute, network, storage). I think it is important to have an understanding of the data life-cycle process and be able to discern inherent hidden message inside data streams, this provides invaluable information about vulnerabilities and threats but that is what SIEMs (Security Information and Event Management) are used for. Numerous companies are providing this capability and most security experts review this data regularly (basically this is being done). Definition of Data science -  "Data science is the study of where information comes from, what it represents and how it can be turned into a valuable resource in creating business and IT strategies. Mining large amounts of structured and unstructured data to identify patterns can help an organization rein in costs, increase efficiencies, recognize new market opportunities and increase the organization's competitive advantage." This is something the CIO/CISO/CTO should use if we are looking at it from an executive standpoint, but in this case I don't think we are.

Coding - First of all, it's crucial for application security in a DevSecOps environment that requires optimal collaboration between security and development functions.
  • I agree that organizations are asking more from the security departments to review code and coding practices to help mitigate external/internal attacks but what happened to separation of duties. There is a reason companies have separated tasks because if your DevOPs team and security team become one, then there a gray area where collusion could take place. The security teams need to have DevOPs experience especially when organizations have in-house programming experts but the comment the gentleman made about teaching DevOPs individuals security in a short time is delusional. There are many tools from different vendors that cause security experts to scratch their heads. Each group needs to understand the organization's expectations (mission) but there needs to be a clear demarcation point in place, this ensures the security team will remain autonomous.

Privacy Expertise - Almost one in four cybersecurity professionals surveyed by ISSA say they don't believe they've been given the right level of training on data privacy.
  • Wow, that is interesting because that is one of the first topics they teach you will go after your CISSP (8 domains) is Asset Security - "Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements". It seems these individuals were not paying attention in class, lol.

Secure Cloud Management - According to Gartner experts, the drive to improve cloud security competencies in the face of massive enterprise shifts to the cloud is among the top seven security and risk management trends for 2019
  • Interesting, cloud computing companies have an assortment of tools in place to help the organization become more secure, they even have a tool that scans the network for security issues (logging, access controls, network access lists, MFA, design and VPN access). All of this is driven by a menu to help the end-user (security and infrastructure cloud expert) to address these issues. I think there needs to be training involved, but the learning curve is not as steep as stated, they can do this with a few clicks (AWS, Azure, Google all provide this capability)

Business Acumen - According to the ISACA study, "the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise."
  • Shouldn't the CIO, CTO or CISO have this experience, that should be part of their daily activities? The individual who sits in front the executive staff will need to have this, the engineering security team reviews logs, determines the organization's security posture, implements tools and controls, provides education and elaborates on long-term goals (strategic thinking).

I have looked at this list, this seems to be unreasonable because the shortcomings of individuals who work in higher-level positions don't want to understand the intricate aspects of security. An article was written that talked about executives not having a clear strategic path or goal to address security issues. Now it is one of the main focuses as to how the business runs, the executives want to move their business requirements to staff members.

Let's be honest, with all the things organizations are asking from security experts, it sounds like they are trying to blur the lines instead of hiring competent personnel in those specific areas. Because if they want someone who has Data Science, AO, Business Acumen, Cloud Management, Privacy Expertise and coding, then why would they continue to work for that company, they should work for themselves because of their extensive skill-set (having all of that is invaluable).

The other thing that is not being addressed by companies is the fact that they don't want to pay for individuals who have years of experience with an assortment of skills. In the article where the gentlemen stated he wanted "coders", but what he did not say was that he wanted to hire those individuals fresh out of school or at a discounted rate (a lot of the coders are coming from overseas and their rates are much lower than the American rate). Companies want individuals who can look beyond code; but when it comes to compensation, the manager is the one who does the hiring and they often back away from bringing in a personnel with those skill-sets because that person would eventually take their job, it is sad, but it is just human nature.

Todd
Ai2ik
50%
50%
Ai2ik,
 User Rank: Apprentice
4/3/2019 | 2:05:36 PM
Certificates
Hi Ericka, do you recommend any must have cyber security certificates for people looking for careers in Infosec?


Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.