Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
6 Essential Skills Cybersecurity Pros Need to Develop in 2019
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
 User Rank: Ninja
4/22/2019 | 7:25:14 PM
Let's look at this list in greater detail
This is an elaborate list, let's look and address these areas that companies are looking for from a security standpoint.

Automation and Orchestration - Two major trends are driving enterprises toward greater security automation across the board. First of all, security is using automation to scale incident response and security analysis to keep up with ever-multiplying threats. Second, as DevOPs and continuous delivery of software become de riguer at many organizations, the table stakes for IT automation across the board has risen considerably
  • Ok, I agree with automation across the board, but there has been a lot of pushback from engineering groups because they say if an application changes the functionality of another application during a threat, they were not comfortable with that aspect of change. They turned off this capability because they wanted a human to make a change that could affect the environment; but what if the experience person who is the senior level is out of the office (evening, weekend, holiday), the individual on site has to wait to get authorization, again, we are back in the same position
  • DevOPs is different in certain regards to AO (Automation and Orchestration), writing scripts to help improve a process is not really DevOPs. AO is a process where specific functions from various realms (network, compute and storage) come together. I think in this case the security teams are looking to use an aspect of infrastructure to be part of their ramp-up process (Citrix, VMware, Hyper-V). But this is part of another group within the organization and not necessarily the security team, it is a nice to have.

Data Science - "Data science is as much a method and an approach
  • Aren't all aspects of computing now the same as this (compute, network, storage). I think it is important to have an understanding of the data life-cycle process and be able to discern inherent hidden message inside data streams, this provides invaluable information about vulnerabilities and threats but that is what SIEMs (Security Information and Event Management) are used for. Numerous companies are providing this capability and most security experts review this data regularly (basically this is being done). Definition of Data science -  "Data science is the study of where information comes from, what it represents and how it can be turned into a valuable resource in creating business and IT strategies. Mining large amounts of structured and unstructured data to identify patterns can help an organization rein in costs, increase efficiencies, recognize new market opportunities and increase the organization's competitive advantage." This is something the CIO/CISO/CTO should use if we are looking at it from an executive standpoint, but in this case I don't think we are.

Coding - First of all, it's crucial for application security in a DevSecOps environment that requires optimal collaboration between security and development functions.
  • I agree that organizations are asking more from the security departments to review code and coding practices to help mitigate external/internal attacks but what happened to separation of duties. There is a reason companies have separated tasks because if your DevOPs team and security team become one, then there a gray area where collusion could take place. The security teams need to have DevOPs experience especially when organizations have in-house programming experts but the comment the gentleman made about teaching DevOPs individuals security in a short time is delusional. There are many tools from different vendors that cause security experts to scratch their heads. Each group needs to understand the organization's expectations (mission) but there needs to be a clear demarcation point in place, this ensures the security team will remain autonomous.

Privacy Expertise - Almost one in four cybersecurity professionals surveyed by ISSA say they don't believe they've been given the right level of training on data privacy.
  • Wow, that is interesting because that is one of the first topics they teach you will go after your CISSP (8 domains) is Asset Security - "Asset Security focuses on: classification and ownership of information and assets; privacy; retention periods; data security controls; and handling requirements". It seems these individuals were not paying attention in class, lol.

Secure Cloud Management - According to Gartner experts, the drive to improve cloud security competencies in the face of massive enterprise shifts to the cloud is among the top seven security and risk management trends for 2019
  • Interesting, cloud computing companies have an assortment of tools in place to help the organization become more secure, they even have a tool that scans the network for security issues (logging, access controls, network access lists, MFA, design and VPN access). All of this is driven by a menu to help the end-user (security and infrastructure cloud expert) to address these issues. I think there needs to be training involved, but the learning curve is not as steep as stated, they can do this with a few clicks (AWS, Azure, Google all provide this capability)

Business Acumen - According to the ISACA study, "the most-prized hire in a cybersecurity team is a technically proficient individual who also understands business operations and how cybersecurity fits into the greater needs of the enterprise."
  • Shouldn't the CIO, CTO or CISO have this experience, that should be part of their daily activities? The individual who sits in front the executive staff will need to have this, the engineering security team reviews logs, determines the organization's security posture, implements tools and controls, provides education and elaborates on long-term goals (strategic thinking).

I have looked at this list, this seems to be unreasonable because the shortcomings of individuals who work in higher-level positions don't want to understand the intricate aspects of security. An article was written that talked about executives not having a clear strategic path or goal to address security issues. Now it is one of the main focuses as to how the business runs, the executives want to move their business requirements to staff members.

Let's be honest, with all the things organizations are asking from security experts, it sounds like they are trying to blur the lines instead of hiring competent personnel in those specific areas. Because if they want someone who has Data Science, AO, Business Acumen, Cloud Management, Privacy Expertise and coding, then why would they continue to work for that company, they should work for themselves because of their extensive skill-set (having all of that is invaluable).

The other thing that is not being addressed by companies is the fact that they don't want to pay for individuals who have years of experience with an assortment of skills. In the article where the gentlemen stated he wanted "coders", but what he did not say was that he wanted to hire those individuals fresh out of school or at a discounted rate (a lot of the coders are coming from overseas and their rates are much lower than the American rate). Companies want individuals who can look beyond code; but when it comes to compensation, the manager is the one who does the hiring and they often back away from bringing in a personnel with those skill-sets because that person would eventually take their job, it is sad, but it is just human nature.

Todd
Ai2ik
50%
50%
Ai2ik,
 User Rank: Apprentice
4/3/2019 | 2:05:36 PM
Certificates
Hi Ericka, do you recommend any must have cyber security certificates for people looking for careers in Infosec?


I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19033
PUBLISHED: 2019-11-21
Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.
CVE-2019-19191
PUBLISHED: 2019-11-21
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
CVE-2019-15511
PUBLISHED: 2019-11-21
An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed....
CVE-2019-16405
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
CVE-2019-16406
PUBLISHED: 2019-11-21
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.