1/30/2015
03:30 PM
David Holmes
Commentary
How The Skills Shortage Is Killing Defense in Depth

It used to be easy to sell specialized security gizmos, but these days when a point product gets pitched to a CSO, the response is likely "looks nifty, but I don't have the staff to deploy it."

You would think that this is the perfect time to be a security vendor. Humiliating breaches lurk around every corner. Denial of service attacks grow ever larger. Bedrock platforms turn out to have (shell)shocking holes. The media love the scent of blood in the water and they keep the papers black, white, and red. It is boom times for security vendors. So what is there to complain about?

We’re going to have to change the way we sell security, that’s what.

Since 2010, security vendors have been developing ever more impressive, but specialized, security gizmos. It used to be easy to sell targeted security products because every gizmo would get air cover from the concept of defense in depth. Conceived of by the military prior to the digital age, defense in depth is the idea that more layers of defense equal a stronger security posture. For vendors, defense in depth meant it was all right if their gizmo didn’t offer wide protection because some other vendor’s gizmos would plug the holes. Forrester analyst Rick Holland called this philosophy “Expense in Depth – the multilayered approach to ensuring minimal return on investment.”

These days, when a point product gets pitched to a CSO, the response is likely to be, “Looks like a nifty gizmo, but I can’t deploy it—I just don’t have the staff.”

The IT skills shortage has become epidemic. There simply aren’t any security people available to hire. For five years now, the unemployment rate for InfoSec professionals has been less than 2% (and often 0%). The tight job market for people with security skills has had a predictable impact on wages: According to Payscale, in 2014, half of all security architects made more than $120K. That’s 50% more than the average software engineer, and a whopping 300% of what a licensed nurse practitioner makes. People with security skills command more pay, leave for startups, or get poached for cushier jobs with better titles (ahem). ESG’s Jon Oltsik wrote that his #1 prediction for 2015 is “Widespread impact from the cybersecurity skills shortage.”

Normally the market fixes problems like this: rising wages in any field should attract new applicants to the business. But security doesn’t work that way. Security is harder to teach than other skills. Security is a mindset. A zeitgeist. Even a religion for some. People with the mindset are rare; like good coders and clever similes, they are hard to come by. Case in point: MasterCard is suing one of its own customers, Nike, for $5 million for poaching two of its cyber security managers.

So now what?
What should CSOs do? Without a dotcom crash, they can’t get the security people back from the startups that poached them.

Some smart CSOs are consolidating their security platforms. Partners and resellers offer packages around common platforms. The Next Generation Firewall (NGFW) vendors are collapsing network firewall and outbound web security into a single platform. IDS vendors are also integrating NGFW functionality. As Forrester Analyst John Kindervag said in his Dec. 2013 “Market Overview: Network Segmentation Gateways,” consolidating adjacent security functions into platforms like network segmentation gateways helps organizations move toward what Forrester calls a ‘Zero Trust Model.’

Organizations are also starting to turn to cloud providers not just for availability but for security, as well. The cloud companies can gather security staff and then amortize that experience across hundreds of customers. Cloud architecture is relatively new, as well, since today’s clouds don’t necessarily have to take into account the ancient legacy applications that many of yesterday’s businesses are built around. This leads to a smaller threat surface for cloud platforms.

The forces pushing against defense in depth are unlikely to change in the near term. The skills shortage will continue, and cloud adoption rates will rise, which will exert pressure on IT organizations for other skillsets they lack. In 2015, the term “defense in depth” may decline in broader usage. Like the security personnel who used to practice it, defense in depth may find a new home among the clouds, where it will likely take a different name.

“Your propeller-head infosec techie that can crack packets wide open is more important than any tool you can buy,” said Ken Athanasiou, CSO of AutoNation, during a recent panel at an FBI Infragard event. “If you’ve got someone like that, make sure you keep them happy.”

But, in the meantime, for all other CSOs, “defense in depth” falls on deaf ears. Because for them, it’s all about the skills shortage.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...

Comments
dholmesf5, User Rank: Author
1/30/2015 | 5:24:40 PM
Re: shortage or cheapness?
You make an interesting point, Thomas. Security personnel don't typically fall within a profit center (sometimes, but not usually), which makes valuation even more difficult. But in my experience, it is quite difficult to retain security people - they have been job hopping quite eagerly the last two years.
Thomas Claburn, User Rank: Ninja
1/30/2015 | 5:15:43 PM
shortage or cheapness?
Companies gladly shell out millions for executive suite personnel who often aren't paid for performance. Maybe computer security professionals are just wildly underpaid compared to the actual value they bring to a company.