No program can spot troubling patterns in a corporation’s data logs as well as a human expert who knows what shouldn’t be there. But with everyone competing for top talent, will there be enough experts to go around?
Frost & Sullivan, a US-based business consulting firm, collaborates annually with management and technology consulting firm Booz Allen Hamilton to produce the “Global Information Security Workforce Study.” In 2013 alone, the study predicted that some 332,000 cybersecurity jobs would be added to payrolls worldwide, bringing total global employment in the field to 3.2 million, a growth of more than 10%.
Alberto Soliño, director of Program Management at CORE Security, a security research-and-response firm based in Buenos Aires, Argentina, says a true expert has several years of experience testing security and dealing with breaches; is up-to-date with the techniques used by black hats (hackers); and has a deep understanding of the industry.
“These types of profiles are rare and very expensive for an average mid-size company,” Soliño said. The best solution for all but the largest companies, Soliño said, is to employ a mix of in-house security professionals and a set of specialized, commercially available tools. “You don’t want to spend money (on consultants) for vulnerabilities that could be found by commercial testing tools.”
THEORY VERSUS PRACTICE
Alan Paller, director of research for the SANS Institute, a US-based security research and training group, said the real challenge is that most “experts” today have little training in hands-on security; even fewer have the ability to translate knowledge of existing threats into protection schemes for tomorrow’s attack.
Instead, experts fall into one of three groups, Paller said: policy analysts with no hands-on skills; hands-on firewall administrators and log analyzers; and “hunters and tool-builders” who can analyze attack data and quickly update filters to block intruders. Unfortunately, Paller said, the policy analysts outnumber the other two groups by a factor of two to one. “The hunters and tool-builders are getting paid US$130,000 to US$200,000 if you can find them, but they’re really, really hard to find.”
David Bizeul, head of the computer security incident response team at Paris, France-based Cassidian Cybersecurity, said many smaller organizations can’t afford to give their security personnel the necessary resources. For them, he advises outsourcing cybersecurity to dedicated firms.
“It can be tedious for a cybersecurity expert to work in a place where everything he will say sounds like a foreign language to his colleagues,” Bizeul said. “With the scarcity of such people, it might be more difficult for out-of-security-business companies to staff their corporate departments with experts.”
Richard Bejtlich, chief security officer at Mandiant, a security consultancy based in Alexandria, Virginia (USA), urges companies to carefully scrutinize all cloud security providers. His advice: Create a checklist of requirements, then quiz the provider on how they measure up. (See “Cloud Controls Matrix” at http://bit.ly/17ITP4C) “If you are not in the business of IT, you’re more likely to get better service by going with a good cloud provider,” Bejtlich said. “But your mileage here all depends on which provider you select.”
TRAINING GUARD DOGS
So how does the world get more of the really good experts? The answer, according to Paller, probably won’t involve retraining existing policy people. “It’s going to be easier to build a massive pipeline of bright kids who can become this quickly,” he said.
Several US states have already announced challenge programs that offer scholarships for a few dozen winners of intense-hacking competitions, Paller said; all 50 states are expected to announce such programs within the next year. (www.cyberaces.org)
[Chart: Does your organization have the right number of information security experts? Source: 2013 Global Information Security Workforce Study, Frost & Sullivan and Booz Allen Hamilton]