Cybersecurity Skills Gap Soars as Brexit Bites – Infosecurity Magazine
“The cybersecurity talent gap is greater than for any other digital skills, according to new research from…”
Reading articles like these have me becoming more and more skeptical. The article is meant to push the narrative that more skilled security people are needed in the industry. I wonder how many working in the industry agree with this narrative. Sure, there are a bunch of security jobs out there, but are they for companies that are serious about security and want to improve their security posture? Every C-level executive is looking at the IT department as a cost center and the security team as the cost center of that cost center.
I don’t have the resources and the time to do an official study, but I think most would agree that security teams have grown by percentage of IT staff over the last 20 years. That situation cannot continue on forever; something has to be done about it. Everyone is looking for three things to right the ship: More efficient security tools, transfer of security risk, and better configuration management.
Firstly, more efficient security tools are not a new dream. Vendors and security teams have been after this for a while. The reality is vendor after vendor just seem to suck. The products are not consistent in their effectiveness. Bigger companies have had their security teams delivering tons and tons of code to internal tools and processes. This has gone on year after year and we still haven’t gotten anywhere. Why?
With SecAI just around the corner for mainstream use, the security tools should be getting augmented effectively very soon. A SecAI discussion is another article for another time.
Secondly, the transfer of security risk is a big deal right now. If you’re smaller than AWS, Azure, or Google than start transferring security risk to them. Don’t give me that, “we want to control our own security” garbage. Those companies have huge security teams. You’re never going to be able to keep up with them, and the number of attacks that they’ve seen and remediate are always going to be more than your team, so just give up. Especially, on the network edge, services like Cloudflare are going to keep you focusing on things that matter directly to your company. Right now, this might be the biggest surge in securing assets we’ve ever seen globally.
Thirdly, configuration management is getting better and more affordable. This is taking on many different forms like containers and immutable servers. Orchestration tools have been around for a long time, but those companies that built them were greedy and wanted too much money for them. And they weren’t the greatest tools anyways, without an army to run them. Do you see the irony there? If you have to run them with an army, are they really helping you?
If you’re aren’t using tools like Docker, Puppet, or Chef, then you need to be researching them. They are going to provide huge releases of pressure on all IT teams. The biggest issue is just culture. We need to use them effectively and force crappy commercial software vendors to write for them or go out of business.
Put your own timeline on each of these prongs of attack: better tools, transfer of risk, and configuration management improvements. This is what leadership is looking at to fix our budget and security issues; not more staff or more skilled staff. They can’t afford either of those anyways. In the next few years there will be a sizable loss of staff positions in those areas directly affected by those improvements.
Happy New Year! I’m excited to announce our next OWASP Phoenix chapter meeting, which will be held at Early Warning on Thursday, January 28. Seth Law will be presenting on DevOps and Security – A match made (and broken) in the cloud.
First time attendees should show up about 15-20 minutes early to facilitate the badging process; a picture ID is required. For return visitors, a RSVP through the meetup site will allow me to ask for your badge to be pre-printed.
Free pizza will be provided shortly before the presentation.
Notably, Seth Law is flying in to give us this presentation. Thanks to
nVisium <https://nvisium.com> for sponsoring his travel.
Title: DevOps and Security – A match made (and broken) in the cloud
Abstract: DevOps is the new Agile, allowing organizations to move faster and deploy code quicker. Yet in the quest for continuous delivery, security can fall by the wayside, opening an organization up to data exposure and malicious exploitation. This talk will cover current security research into the technology behind DevOps, examples of failures, and how to prevent the same from happening in your organization. Technologies discussed will include AWS, Git, Hudson/Jenkins, and more. In the end, the presentation should help attendees understand the risks involved in running a DevOps environment.
Bio: Seth Law is the Director of Research & Development at nVisium and
wrangles the research efforts into all areas of application security. An
experienced Application Security Professional with years of security
experience, Seth has worked in multiple disciplines, from software
development to network protection, as a manager, contributor, and speaker.
Seth explores the world of application security via @sethlaw.
————– next part ————–
An HTML attachment was scrubbed…
Wednesday, Oct 14
Time: 6:30 – 7:30 Location: Early Warning 16552 N 90th St Ste 100,
Scottsdale, AZ 85260
Room: Checkin with Security Officer, picture ID required
Title: *Hacking Corporate Em@il Systems*
Presenter(s): *Nate Power*
In this talk we will discuss current email system attack vectors and how
these systems can be abused and leveraged to break into corporate networks.
A penetration testing methodology will be discussed and technical
demonstrations of attacks will be shown. Phases of this methodology include
information gathering, network mapping, vulnerability identification,
penetration, privilege escalation, and maintaining access. Methods for
organizations to better protect systems will also be discussed.