Where's the lifeboat? Cyber pros struggle in a sea of cyber threats
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Dec 18, 2012
Managing and securing corporate assets today is becoming exponentially more difficult in a rapidly exploding technology market. Cloud computing, advanced persistent threats (APT), and “bring your own device” are trends that pose a triple threat for cyber security professionals charged with defining and implementing security controls.
How do cyber security professionals stay current with this very volatile technology market? Do they have sufficient resources (capital and human) to effectively implement (identify, deploy and continuously monitor) their security plans? If not, can they leverage other resources in their battle to secure corporate assets? Here are a few recommendations regarding high-impact initiatives and how to address the resource and technology gaps that may exist on cybersecurity staffs.
The 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost and Sullivan, found that security professionals are overworked. They also believe that threats are advancing at a rate faster than their ability to put necessary security controls in place. Coupled with the fact that the cybersecurity profession is rapidly growing, with competition for qualified candidates at an all-time high, the cyber resource problem can make security managers feel like they are drowning in a sea of frustration.
What can cybersecurity managers and practitioners do to keep their heads above water?
They must remain current on state-of-the-art technology being deployed with organizational applications and understand the threat scenarios associated with the technology.
In this fast-moving environment, it is time to redefine responsibility for security. Every employee in the organization is a player. The entire organization must be viewed as a resource and managers must seek ways to identify those outside the cybersecurity staff who can use their areas of expertise to assist with security initiatives.
In terms of the threat scenarios and associated security controls that can be applied, references such as those published by the National Institute of Standards and Technology are very good sources. Building coalitions with other security-focused groups as well as participating in forums where participants can share problems and solutions is a must. One very good example of such a group is the Federal Chief Information Security Officers (CISO) Forum.
In order to understand where the knowledge/resource gaps are in an organization, one must conduct an organizationwide needs assessment to identify existing skills as well as training deficiencies. This should be done with new technology challenges in mind. Results of this assessment can be presented to corporate management and used as a tool to address critical skill/resource gaps that weaken the organization’s security posture. Remember, the cyber security professional’s job is to act as expert advisor to management, presenting accurate and timely assessments for critical decision-making. Cybersecurity managers must be able to effectively make a case in an environment of competing resources and priorities.
Key to effectively making a case for a security implementation is conducting a risk assessment that will identify those areas presenting the biggest threat to corporate assets based on the level of exploitation. Options and priorities must be presented to managers so that they can give attention to risks that potentially cause the most damage.
For example, APT attacks typically are not something target organizations can stop because they often exploit inside weaknesses. Security professionals must press for more employee training in addition to ensuring that security controls consistent with best practices (see NIST guidance as an example) are being enforced. Since APT attackers are typically very persistent and very skilled, they are formidable opponents. Organizational vigilance, along with a comprehensive training and awareness program, is a necessary countermeasure. Security training can help block social engineering or spear-phishing attacks used in APT attacks.
Cybersecurity professionals must be forward thinking as they build the next generation of cyber professionals. The hiring of student interns to supplement staff is an excellent way to build a new generation of security trainees since they typically are already very savvy with new technology. An organization’s strategic planning should include a recruitment and training component focused on hacker methods and techniques. Today, this kind of training carries a significant price tag, but perhaps organizations can join together and try to negotiate discounts based on number of trainees. Other activities included in the plan must cover opportunities for these cyber professionals to “experience the enemy,” which means that funds need to be designated for conferences/forums focused specifically on activities of hackers and the methods/impact of hacktivism.
The options for cybersecurity professionals who feel like they are drowning in a sea of exploding cyber threats include leaving their jobs out of frustration, trying to make their case to management for more resources and training, and continuing with their current situation. The battle for cyber space is escalating and security professionals need to lay the necessary groundwork for corporate executives to be able to make investment decisions that strengthen the organization’s security posture.
The only lifeboat for cybersecurity professionals is the one they build based on understanding the technology exploits, security best practices associated with each, and a realization that only through training and collaboration with the security community at large (government, public and private sectors) can they manage to stay afloat.
Members of the (ISC)2 U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit https://www.isc2.org/About/Advisory-Council#