[BreachExchange] The Cyberskills Shortage: Threats, Compromises And The Need For Cooperation

Audrey McNeil audrey at riskbasedsecurity.com
Wed Oct 19 19:37:02 EDT 2016


http://www.businesscomputingworld.co.uk/the-cyberskills-shortage-threats-compromises-and-the-need-for-cooperation/

There has been much talk of closer cooperation between the educational
institutions that provide the training and the corporations that have the
burgeoning technical skills shortage, to try to solve this disparity. This
process will take time and a concerted effort by both industry and the
educational sector to provide workable solutions for the benefit of
graduates, universities and employers alike. But until some of these joint
accreditation and mentoring schemes begin to yield the right combination of
skills and experience for these roles, the question is how do companies
shore up defences if short on the specialist talent?

Testing, Testing

Organisations looking to increase their cyber defences need fully-trained
experts who are able to hit the ground running, and with the current skills
gap this isn’t always feasible. With increasingly sophisticated malware and
ransomware threats targeting all manner of critical data, the required
InfoSec skills are becoming a much sought after commodity in the technology
human resources market.

A recent National Crime Agency (NCA) report estimates that the cost of
cybercrime to the UK economy is billions of pounds per annum – and growing.
In the report, the NCA calls for more cooperation among businesses and law
enforcement, while the UK’s Ministry of Defence (MOD) is launching its own
“Defence Cyber Aptitude Test”, designed to uncover hidden cyberskills in
otherwise untrained workers, to try to tap their natural skills to put to
use in combating malicious actors.

The problem? Good intentions don’t always equal great results. Though this
type of cooperation is a step in the right direction, telling organisations
to link up with law enforcement is one thing, even with solid data to back
it up, but for companies to overcome their natural reticence for opening
up to scrutiny by a public body is another. As for finding those “hidden
gems,” well, it all seems a bit pie-in-the-sky, so can the answer for the
time being lie within technology itself?

Budget Breakers

Enterprises have been grappling for some time now with the looming skills
shortage against a backdrop of increasing attack rates. To reflect this,
most senior IT professionals expect their security budgets to increase over
the next year, but that money needs to be spent wisely. Sometimes even the
most costly tools can be more of a liability.

A significant number of IT pros would admit to ignoring security alerts
when some of these tools start generating too many false positives. Given
that 20 percent of companies now leverage more than 10 tools at once that
generate these alerts, it’s no wonder InfoSec pros have had it dealing with
these non-starter issues. They would much rather be trying to track down
real-time threats that have serious ramifications and could end up costing
the organisation both financially and in the loss of trust from their
customers. Put simply, bigger budgets don’t guarantee better outcomes if
security professionals and their tools don’t get on.

Automatic Advantage?

So how do skills-strapped and budget-conscious companies tackle the
challenge of improved IT security even as the gap between needed and
available talent continues to grow? One solution is automation; many
security tools come with automation capabilities for intrusion detection,
network access or endpoint defence, but too many companies are either
reluctant to give up even a small measure of security control or haven’t
taken the time to properly configure and test these options. It’s a solid
starting point — by removing some of the unnecessary workload from the
lives of InfoSec professionals, companies can encourage a shift from
reactive security policies to a more proactive approach.

But automation is only half the battle, especially as network complexity
and endpoint numbers increase thanks to the emerging Internet of Things.
Traditional, top-down security solutions are out of their element in this
environment; new offerings are now on the rise that track end-user
behaviour and experience in real-time to help identify threats and shore up
the skills gap.

Bottom line? The cyberskills shortage isn’t a permanent state of affairs
but it’s going to take some time for cooperation and training efforts to
match corporate demand. Beyond bigger budgets, companies can bolster
InfoSec success with increased focus on automation and attention to the
end-user experience.