Rant – Cyber Security Lies Told by the Industry
Cybersecurity Skills Gap Soars as Brexit Bites – Infosecurity Magazine
“The cybersecurity talent gap is greater than for any other digital skills, according to new research from…”
Reading articles like these have me becoming more and more skeptical. The article is meant to push the narrative that more skilled security people are needed in the industry. I wonder how many working in the industry agree with this narrative. Sure, there are a bunch of security jobs out there, but are they for companies that are serious about security and want to improve their security posture? Every C-level executive is looking at the IT department as a cost center and the security team as the cost center of that cost center.
I don’t have the resources and the time to do an official study, but I think most would agree that security teams have grown by percentage of IT staff over the last 20 years. That situation cannot continue on forever; something has to be done about it. Everyone is looking for three things to right the ship: More efficient security tools, transfer of security risk, and better configuration management.
Firstly, more efficient security tools are not a new dream. Vendors and security teams have been after this for a while. The reality is vendor after vendor just seem to suck. The products are not consistent in their effectiveness. Bigger companies have had their security teams delivering tons and tons of code to internal tools and processes. This has gone on year after year and we still haven’t gotten anywhere. Why?
With SecAI just around the corner for mainstream use, the security tools should be getting augmented effectively very soon. A SecAI discussion is another article for another time.
Secondly, the transfer of security risk is a big deal right now. If you’re smaller than AWS, Azure, or Google than start transferring security risk to them. Don’t give me that, “we want to control our own security” garbage. Those companies have huge security teams. You’re never going to be able to keep up with them, and the number of attacks that they’ve seen and remediate are always going to be more than your team, so just give up. Especially, on the network edge, services like Cloudflare are going to keep you focusing on things that matter directly to your company. Right now, this might be the biggest surge in securing assets we’ve ever seen globally.
Thirdly, configuration management is getting better and more affordable. This is taking on many different forms like containers and immutable servers. Orchestration tools have been around for a long time, but those companies that built them were greedy and wanted too much money for them. And they weren’t the greatest tools anyways with out an army to run them. Do you see the irony there? If have to run them with an army, are they really helping you?
If you’re aren’t using tools like Docker, Puppet, or Chef, then you need to be researching them. They are going to provide huge releases of pressure on all IT teams. The biggest issue is just culture. We need to use them effectively and force crappy commercial software vendors to write for them or go out of business.
Put your own timeline on each of these prongs of attack: better tools, transfer of risk, and configuration management improvements. This is what leadership is looking at to fix our budget and security issues; not more staff or more skilled staff. They can’t afford either of those anyways. In the next few years there will be a sizable loss of staff positions in those areas directly affected by those improvements.
By: Josh Brown