[BreachExchange] Digital organizations face a huge cybersecurity skills gap

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 20 18:58:41 EDT 2017


https://venturebeat.com/2017/06/18/digital-organizations-face-a-huge-cybersecurity-skills-gap/

Over the past five years, organizations have become more aware of
cybersecurity, and yet DDoS, spear-phishing attacks, botnets, and other
attack vectors have continued to get worse. Digital insecurity will
continue for the foreseeable future, with the biggest reason being that we
don’t have enough well-trained, skilled cybersecurity professionals to go
around.

There are a few reasons for this gap.

First, from a hiring perspective, the trickle of security students emerging
from post-secondary schools may not be fully prepared to tackle complicated
security issues — what we need are people who can protect business
environments from everything from spam and BYOD vulnerabilities to complex
threats like APTs and spear phishing.

Second, certain companies may not know what to look for in a professional.

Third, when skilled professionals are hired, they can often be overworked
to the point where they don’t have the time to keep up with the latest
developments in the field — and even in their own security tools.

The result is that most positions go unfilled. In fact, according to the
Information Audit and Control Association (IACA), about a quarter of all
cybersecurity positions are left unfilled for about six months. The IACA
study isn’t the only report with these dismal takeaways.

Another study by the Information Systems Security Association and
Enterprise Strategy Group reports that about 70 percent of surveyed
organizations say the cybersecurity skills gap has impacted their business,
with 54 percent reporting they’ve suffered at least one security event in
2016. Fifty-five percent of respondents also said the lack of skilled
workers added to their security team’s workload so much that, in some cases
(35 percent), their team couldn’t familiarize themselves with the security
tools they use.

These are all systemic issues needing systemic answers that could take
years to resolve. Still, these problems need to be addressed, and they
won’t be until we change how cybersecurity experts are hired, retained, and
educated.

Setting expectations is a good first step. Companies should have a clear
understanding of what they need from a security professional and set their
expectations accordingly. Typically, this will range from evaluating
network and system ecosystems to routinely testing and prodding the
companies’ security to establishing protocols and analyzing network
attacks. Here, professional experience and the ability to communicate
effectively within the organization are very important.

Companies should also have a robust mix of technical and theoretical
problem solving questions for candidates. It should be long. It should be
exhaustive. It should be tiring — but it’s necessary. The reason is simple:
Candidates should have the endurance, determination, and focus to lay out
how they came to their conclusions and the ability to explain their
reasoning — clearly — in order to do their job. Good hackers think
creatively to overcome technical problems, and your security engineers need
to do the same in order to defend the company properly. Sticking with a
problem for a while and not giving up is a key trait to look for. Just
remember: “Thinking like a hacker” is a must in this industry.

Another tactic is to give security teams the tools they need to succeed —
and sometimes that just means giving them room to work. Giving employees
the time to test new techniques, research new attacks, and analyze events
is an important part of healthy security. Cybersecurity is a unique
industry because it must identify and mitigate a variety of vulnerabilities
in technologies that are constantly changing. Attack vectors come and go,
but sometimes they resurface. Patches need issuing, and suspicious behavior
needs analyzing — especially when executive-level endpoints are in play.
Companies that don’t provide the space and the time for their security
staff to keep their skills sharp are setting themselves up to fail.
Companies with successful security teams give them the time to conduct
internal evaluations and regularly send them to security conferences for
fresh perspectives and hands-on training.

The fundamental problem facing the skills gap, however, is that there
aren’t enough people coming into the field to begin with. Here, companies
need to do two things: step up their advocacy when it comes to promoting
cybersecurity careers, and look internally for employees who have the
skills and desire to take on a security position but need the training and
support to succeed. The first half is a long-term solution requiring a good
deal of cooperation with career counselors in both high schools and
post-secondary schools. The second half, however, is more of a short- to
mid-term solution, but it’s just as viable — in some cases — as hiring
dedicated security professionals. This is because cybersecurity shares many
skills common to tech positions: creative thinking, technical know-how, and
a dogged obsession with solving difficult problems.

Finally, businesses need to recognize that security threats today go well
beyond just one department. Every employee should be responsible for
knowing what to look for in an attack, how to report a suspected threat,
and how they can simply disengage from content and files they deem
suspicious. Basic security training needs to become a part of the
onboarding process for any employee — especially for those in the C-Suite,
where a greater number of spear-phishing attacks occur.

Closing the cybersecurity skills gap isn’t going to happen overnight — or
likely even over the next decade. It’s going to be a long process because
it’s going to take a fundamental shift in how businesses recruit, hire, and
keep security talent. But it’s worth it in the long run for the company,
its employees, and its customers.