Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Businesses Education Security IT

How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com) 179

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step-up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
This discussion has been archived. No new comments can be posted.

How Can Businesses Close 'The Cybersecurity Gap'?

Comments Filter:
  • by turkeydance ( 1266624 ) on Sunday June 18, 2017 @06:36PM (#54644245)
    Mr. President, we must not allow a mineshaft gap!
    • Unlike mineshafts, any reasonably competent CompSci or Engineering grads, or existing employee autodidacts can take an interest in cybersecurity and become a valuable asset.

      • Unlike mineshafts, any reasonably competent CompSci or Engineering grads, or existing employee autodidacts can take an interest in cybersecurity and become a valuable asset and volunteer to get underpaid for it. FIFY
  • More H1B's anyone? (Score:5, Insightful)

    by johanw ( 1001493 ) on Sunday June 18, 2017 @06:39PM (#54644261)

    It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Companies can't find enough qualified security personnel ... "about a quarter of all cybersecurity positions are left unfilled for about six months."

      Pure unadulterated bullshit.

      Companies are unwilling to pay for the talent that is available. Companies have bimbo HR ladies (who are blowing the CEO for their cakewalk job) write up buzzword bingo self-contradictory job requirements while they have no idea what the job actually requires.

      Though I should not be quite so disparaging, writing believable (on the sur

    • by swb ( 14022 ) on Sunday June 18, 2017 @09:26PM (#54644903)

      My first thought was how can businesses possibly be considered to taking IT security seriously when their first and only impulse is how to do things even cheaper than they do now?

      I'm still amazed at the dichotomy between shaving pennies and then the utter panic when there is downtime or a security breech. If its so important that you basically can't do business without properly functioning IT systems then why is it treated as if they don't want to spend money on it? Do they really think it's free?

      H1Bs are of course just one example of this mindset.

    • by phantomfive ( 622387 ) on Monday June 19, 2017 @12:02AM (#54645357) Journal
      When was the last time your agile sprint gave you time to look for security problems?
      When was the last time any manager told you to look for security problems?

      That's why we don't have secure software.
      • by Ash-Fox ( 726320 )

        When was the last time your agile sprint gave you time to look for security problems?

        Back when I was a tester, every sprint.

        When was the last time any manager told you to look for security problems?

        Friday.

        • That's unusual, what company do you work for? Not Google, I'm sure.
          • by Ash-Fox ( 726320 )

            That's unusual, what company do you work for?

            Previously, I started as a tester in a company known as being one of "the big four [google.co.uk]", left that for a start-up that didn't succeed and now I work for a company known for opensource governance.

  • One network port at a time.
    • by stooo ( 2202012 )

      >> How Can Businesses Close 'The Cybersecurity Gap'?
      Easy peasy.
      These companies just need to switch to linux, and use a few safe protocols ( like SSH)

      • Easy peasy. These companies just need to switch to linux, and use a few safe protocols ( like SSH)

        If you think security is setting up a bunch of linux boxes and calling it good, you're gonna have a bad time. Just today I had to reach out to one of our vendors about a blind sql injection vulnerability on the login page for their shiny new linux appliance. Also the page was encrypted, but encryption does not fix broken code. It just encrypts the traffic exploiting the broken code.

    • by gweihir ( 88907 )

      Oh yes. That would help so incredible much. And then make sure all developers, designers and architects either get some real basic understanding on security and have somebody competent they can ask. In most cases, that will be a consultant, as even large enterprises cannot keep in-house experts current. There is just not enough variance in one application landscape. Consultants, on the other hand, see a lot of different situations in a lot of different places.

      Of course, the question of getting competent IT

  • by AHuxley ( 892839 ) on Sunday June 18, 2017 @06:50PM (#54644301) Journal
    Talk to university and vocational education staff around the USA. Tell them what you need.
    Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.

    People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
    Thats not good for US security.
    Its very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
    Help get US education to a good standard so US students can find work. Or get further education to keep their skills up.
    • Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.

      Be careful not to be too specific on what tools to use. My community college taught all flavors of Java because local technology companies insisted that they wanted C/C++ programmers with Visual Studio experience and there was no money to renew the Microsoft site license. The dean offered to teach C/C++ under Linux but the administration stuck to the surveys. When the site license got renewed, none of the computers could run Visual Studio .NET (the latest and the greatest at the time). The dean had us boot

    • by Lumpy ( 12016 ) on Sunday June 18, 2017 @07:25PM (#54644403) Homepage

      "Talk to university and vocational education staff around the USA. Tell them what you need."

      They have... They want high skilled people that will accept very low wages and not complain about it.

      There are skilled people out there, the companies dont want to pay for them.

      • by AHuxley ( 892839 )
        Then talk to the vocational education people and churn more useful low wage tech people out.
        No need to pay university wages to people who have only done vocational courses.
    • by AmiMoJo ( 196126 )

      People outside the USA will have no loyalty to the USA

      And neither should people in the USA. Loyalty gets you fucked over with low salary increases and poor conditions. You have to make them earn your loyalty.

      Its very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?

      If you need to use FUD to compete, you have a serious problem.

      • by AHuxley ( 892839 )
        Considering the need is for "security" looking over an applicants past is often very useful.
        Are they a criminal?
        Are they entering the profession just to obtain or sell or give away secure information later due to their politics, faith or due to poverty?
        Kind of hard to find that out if they can obfuscate, hide or totally invent a work history in another nation.
        Or enter a nation with another persons identity. Always best to look over every applicants work history in great detail.
        Some due diligence
    • People outside the USA will have no loyalty

      No. No Americans! Americans are too stupid to do computer jobs in America. If you believe otherwise, you're a racist.

  • by brian.stinar ( 1104135 ) on Sunday June 18, 2017 @07:22PM (#54644391) Homepage

    You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing, and start doing what you want them to do, if you pay them enough.

    Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction method are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction, and consumption, costs. If they're already good at software development, and building infrastructure, maybe a year?

    Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.

    When prices become high enough, I'll start bidding on security contracts. As it is, if companies would rather fill those positions with W2s, and not contractors, and leave the work undone.

    This title is seriously demonstration a lack of economic knowledge.

  • by Lumpy ( 12016 ) on Sunday June 18, 2017 @07:24PM (#54644397) Homepage

    Want to close the Cybersecurity gap? It is very easy.

    STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.

    This means the IT department on it's own Makes MORE than the CTO does. Yes the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget, Start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.

    InfoSEC that is effective is NOT CHEAP. Stop treating IT as the bastard red headed step kids. and start treating them as the Mission Critical staff they really are.

    That and kick the CTO and CFO in the nuts, both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half ass it by paying as little as possible.

    These executives know this, they just dont want to do it. and until they start making executives personally responsible for data breaches, it will not change. Yes personally responsible, if these assholes can get multi millions then they also deserve to carry all the personal financial risk.

    • Removed unnecessary clause:

      That and kick the CTO and CFO in the nuts, both those assholes deserve a good hard kick in the groin any time

    • by CODiNE ( 27417 )

      good hard kick in the groin any time they suggest cutting the IT department's budget.

      That's really odd. Generally department leads always seek budget increases and fight tooth and nail against the slightest decrease as it lessens their power and influence in the company.

      So why would any CTO want to cut ITs budget when it's something they actively manage?

      Guess they just put the difference into their bonus.

    • by AmiMoJo ( 196126 )

      Problem is that the cost/benefit ratio of spending enough money to do really good security doesn't work out. Managers see companies like Ashley Madison have the most horrendous security failures, resulting in their customers being blackmailed or getting divorced, and yet somehow they come out of it just fine and even claim to have gained additional users.

    • by eth1 ( 94901 )

      The problem with a "just spend more money" argument is that for a business, information security is just risk management. If it costs the business more for security than it does to deal with a breach, it doesn't make sense to have the security.

      Part of the problem is that breaches that leak customer information can screw over customers (or whoever they're storing data about) a lot more than the business, so the cost of the breach is externalized to some extent. Maybe we need legislation that straight up requ

      • Wouldn't it be nice if there was a large organization that represented all people so that they could take action and make these incidents hurt the company, because it hurts the people. Even better, maybe people could pay this organization a percentage of the money they earn and use to spend on things, so that this organization would have resources to help them with these things. Yup, it would be nice to have an organization like that.
  • by Anonymous Coward

    Stop using Windows.
    Stop using unqualified, cheap foreign labor.
    Make penalties for data loss attributed to hacking massive, and direct them at the board of directors, CEO, CFO, and CTO of any company.
    Make geoblocking simple and easy to apply.
    Enforce open source software standards to prevent the insertion of backdoors.
    Enforce encryption, banning unencrypted website traffic (http).
    Update by default.

  • campaigning for cuts to education so they can translate them into tax cuts. Then they can provide training, better pay and actual career paths. Why should anyone care about security in a job they're gonna have for 2 years before they have to leave to find better pay before inflation eats their earnings?
  • That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?

    I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.

  • Make every US security position have some national standard.
    If your company wants US customers invest in US staff that are cleared to work in the USA.
    Cover contractors too and ensure most of the security staff have a full, legal background in the USA.
    That would fund US tech education, make US education responsive to the needs of US tech firms and create jobs in clearing staff background work.
    Not a criminal? Loyal to the USA? Not on social media doing things that are not legal?
    That would open a pat
  • Programming gets easier with increasing abstraction, thus allowing the engineering portion to grow, but the haphazard, ever increasing abstraction also grows the attack surface - and you can't abstract vulnerabilities away as you can abstract away simple programming tasks. To find exploits in a system, you first need to *know* *most* the abstractions in and out in the first place.

    Meaning abstraction makes security harder as there will be proportionally less people understanding the system compared to all p
  • by chill ( 34294 ) on Sunday June 18, 2017 @08:26PM (#54644637) Journal

    Quoth the article:

    First, from a hiring perspective, the trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues â" what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing.

    Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.

    Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:

    CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.

    Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.

    Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".

    Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.

    I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.

    For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.

    • Re: (Score:3, Informative)

      by geek ( 5680 )

      I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.

      This is the CEH(https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/) and OSCP(https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/)

      CISSP is a pile of shit. Its a management certificate, nothing else. A monkey can pass that test and judging by the CISSP's I know, frequently do.

      • by Salgak1 ( 20136 )

        CISSP is effectively a PMP cert for infosec. ISC2 has done an excellent job MARKETING it as the end-all/be-all, to the point where I see HR types going "What's a GIAC ? Don't you have a CISSP ?

        As Sister Mary Elizabeth repeatedly told us at Holy Guardian Angels Elementary. . . . it makes Baby Jesus cry. . .

    • Nessus? Really?
      • by chill ( 34294 ) on Monday June 19, 2017 @04:27AM (#54645971) Journal

        Experience with any vulnerability scanner, really. Nessus, Qualys, Rapid 7, OpenVAS, whatever. The key is to learn how to interpret the reports, dig down into the results, and figure out what is really a problem and how to fix it.

        I'm happy to teach junior people, but if someone is claiming to be an experienced analyst or senior InfoSec specialist and just hand me a canned Nessus report, I'm going to be looking to replace you. I can schedule the default reports, I 'm not willing to pay a premium to do that.

        While zero-day vulns and movie-plot hacks get all the attention and press coverage, the simple truth is that vast majority of compromises happen due to improperly patched and misconfigured systems.

        If you can weed thru a few hundred pages of scanner output to tell me which systems are missing what patches as opposed to patched but need a registry update or config change, that is valuable. Which are false positives and why? How can we prioritize what limited resources we have to get the most impact?

        Attention to detail and critical thinking I'll pay a premium for and vulnerability scanner output is a great place to demonstrate that. But keep handing me canned reports and I'll replace you with a script.

    • Perhaps we should talk. I've been working in and around security for 20 years. Currently I develop a scanner which competes with Nessus and Rapid 7. We run comparison scans comparing our product to those two weekly. Where are you located?

    • by eth1 ( 94901 )

      I'm usually also a proponent for not requiring college degrees for IT, but infosec is one area where I think there's an argument for one. A good education in computer science will help understand some of the low-level details of how hardware and software work, which in many cases is where vulnerabilities live.

      Not everyone in the IT/security dept. needs that, of course, but for once, it's not entirely without value.

      • by pnutjam ( 523990 )
        10 years of experience will do more then a degree. Especially if it's bottom up and you see how the helpdesk and technicians work.
  • post-secondary schools what about tech schools??

    No the HR people just pass them over but if you went the the theory loaded schools you get pass in and then the hiring people say they don't know anything and then the HR starts the H1B want ad's

  • by wezelboy ( 521844 ) on Sunday June 18, 2017 @09:39PM (#54644937)
    1) Pay a good salary.

    2) Seriously consider remote workers.

    3) Hire more than one person.

    4) Consider people who are outside the "security" realm. A lot of sysadmins have to do security by default and know just as much about it as a person with the cert.
  • here we go again..

    Step 1 - Exclaim shortage of some IT skill in the media (and of course don't raise compensation to the market clearing rate or train anyone)
    Step 2 - Send to same media various disaster stories and threats to civilization due to said 'shortage'
    Step 3 - Lobby congress for Visas from some third world country (probably India, but could be elsewhere)
    Step 4 - Get rid of all your Americans currently in the roles (hey, they were useless anyways!) and replace with cheaper said visa workers
    Step 5 -

  • Just create evicence based awareness. Make sure that users understand the risk that's involved in using office files or using Adobe software. Those 2 points alone would help a great deal.

  • And don't be so cheap.

  • by tlambert ( 566799 ) on Monday June 19, 2017 @01:59AM (#54645629)

    Before a white hat, you have to be a grey hat.

    However this is all highly illegal these days.

    And yes, I admit to having broken into some U.S. Air Force computers just to look around, back before there were "criminal trespass" laws, and it became illegal as hell to "go in and look".

    Perhaps you'd have more security experts available, if they'd already leaned to think like a grey hat by doing.

    You really have to think somewhat sideways or slantwise in order to know how to look for security holes, so that you can then plug them. Because most holes are in the gaps between what systems are intended to do, and what you can actually make them do instead.

    • Before a white hat, you have to be a grey hat.

      However this is all highly illegal these days.

      That used to be the case but nowadays there is many resources for sharpening peoples hacking skills without violating the law. Exploit Exercises [exploit-exercises.com] has several isos with examples of misconfigurations, buffer overflows and format string vulnerabilities for linux. Metasploitable 2 [sourceforge.net] and Metasploitable 3 [rapid7.com] have multiple web and system vulnerabilities for both linux and windows respectively. And Vulhub [vulnhub.com] has hundreds more vulnerable by design systems for people to practice with.

      While not as instructional as a whole s

  • Obviously, you have the spools to look at, but the point is that most cyber security concerns can easily go away by not upgrading to a new system that no lay-person knows how to use every few months, especially IoT stuff. It's geeks trying to look special by having the latest tech only they know how to use, but are secretly YouTubing how to use it all. Because, we all know the hot girl in the office is clearly a sapiosexual. Dance monkeys DANCE! Besides, it's frightening how many places use the default logi
    • by Anonymous Coward

      I once hacked a web-accessible thermostat control for a large popular restaurant 3,000 miles away. I was able to control it all. It had the default username and password.

      Instead of being a total asshat and setting the heat and AC to cycle at opposite ends of the clock to make a rollercoaster of climate control that also ran up their heat/AC costs... I tracked down the owner and informed him of the situation. He said thanks and that was it.

      2 years later... that thermostat is still wide open to the web (if

  • by GrumpySteen ( 1250194 ) on Monday June 19, 2017 @07:23AM (#54646475)

    A security professional is the person who has to argue with management that the cheapest hardware and software are insecure, then has to somehow make them secure after management ignores everything they said, then gets the blame when the company's systems get hacked.

    Basically, they're hired on as the red headed stepchild, then ushered out as the scapegoat.

    Why the fuck would anyone in their right mind want that as their career?

  • The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with.

    The fundamental problem with business computer security is that businesses (and their executives) don't really value security. First, they won't pay for it. If you ask them to buy any security products, they want to buy the cheapest one. If you ask them to pay for a security product that isn't 100% necessary, they'll say no. If you ask them to hire a security expert, they'll complain about that expert's salary. If you present them with a security audit that includes a lot of problems, they won't fund t

  • Cyber Command is just getting ramped up, but trained soldiers are already becoming available as they choose to not re-enlist. This is a source of non-college educated trained professionals we did not have in the past that make ideal watch-floor admins who are coming from all of the services. Most of them are going on to college after their service, you can try catching them before, after or during college.
  • Start holding upper management and their bonuses accountable.

    Otherwise it is going to take regulatory action to force companies to maintain a minimum level of security.

    People just don't care until disaster hits.

  • In every other industry, trade, or profession, in the entirety of human history, labor shortages have been solved in a fairly standard way - offer enough money to attract the best candidates. I wonder how the "cybersecurity" industry will handle this crisis?
  • 1) Stop Outsourcing
    2) Hire qualified IT personal
    3) Fire anyone in IT who doesn't have security focus
    4) Fire any developers, who focus in security development and who don't have security focus
    5) Make sure your CTO is an expert and qualified
    6) Allow training for all in house IT and development staff
    7) Pay your staff properly so they want to do a proper job
    8) Don't allow BYOD, IT controls the devices, not the end user
    9) Lock down your infrastructure and design it properly for security
  • This isn't a hard problem. Companies need to be willing to better reward their security staff so more people will be interested in getting into the field and less apt to walk.
  • Management. They're not willing to pay for someone(s), they don't want to listen to the answers, and then they complain about the cost.

    When something happens, instead of putting was was tailored for them in place, they go so overboard that it interferes with the employees' ability to do work.

    And then they point to that, and say they can't afford that, again.

"So why don't you make like a tree, and get outta here." -- Biff in "Back to the Future"

Working...