Date post: | 15-Jan-2017 |
Category: |
Government & Nonprofit |
Upload: | government-technology |
View: | 46 times |
Download: | 2 times |
2PROPRIETARY AND CONFIDENTIAL
Security Threatscape
• Criminal Organizations
• Credit Card Theft
• Identity Theft
• /Bots and Bots/ of Bots!
• Ransomware
• Hacktivists
• Denial of Service
• Reputational Damage
• Nation States
• Intellectual Property
• Cyber Warfare
• Malicious Hackers
• Website Defacements
• Worms
• Spammers
• Ad Revenue
• Crime Rings
• Carding
• Phreaking
Past Present
3PROPRIETARY AND CONFIDENTIAL
Evolution of Threats - Past
1. Solutions were Technology Centric
• Point solutions (IDS, Firewall, AV) were good enough
2. Cyber Security Lacked Visibility Outside of IT
3. Security Breaches Seen as “Cred” Driven and Not Motivated By Profit
4. Set the Stage for Compliance as Security
• Made for an easier sell to leadership at a long term cost
5. Security Architectures Hinged on Inside Trust
• Protect against the outside with hardened perimeter
4PROPRIETARY AND CONFIDENTIAL
Evolution of Threats - Present
1. Solutions Must be Information Centric
• Share Signatures and meta-data of attacks
2. High Visibility Outside of IT for Cyber Security
• Attacks are in the news – constantly
• Clients and Consumers are demanding their information be protected
3. Compliance Drive Security Programs – Bare Minimums
• Can miss the obvious in pursuit of reduced compliance scope
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry (PCI)
4. Security Architectures Require Multi-Layered Approaches
• Inside Assets are compromised and provide external access.
• No one technology or process can be 100% effective
5PROPRIETARY AND CONFIDENTIAL
Changing Environments
• Software Defined Network
• Continued Virtualization
• Internet of Things
• Mobile Devices and Applications
– Android lacks robust patching (Carrier Dependent)
– Nexus is different
– Apple is getting faster at releasing security updates
• Cloud
– For many Cloud will improve baseline security
– Attractive turn-key solutions
– Economies of scale for security spending
– Reputational Risk and Liability is not Transferable!
6PROPRIETARY AND CONFIDENTIAL
Abundance of Jobs
• Improving Cybersecurity is the third most
important enterprise objective for CIOs.
• Security Jobs are currently in demand and
currently makeup >12% of all IT jobs
• Over half of surveyed Managers expect to raise
head count.
7PROPRIETARY AND CONFIDENTIAL
Our current landscape is one where we have
an increased need for individuals to secure a
larger and more complex environment against
an ever-evolving adversary.
8PROPRIETARY AND CONFIDENTIAL
Talent Black Hole
• Information Security has an observable unemployment rate of near zero.
• Almost 90% of Security Professionals are satisfied with their
compensation and job security – 2016 State of the CIO
Existing talent is not likely to migrate to other opportunities on their
own, and will need to be incentivized.
• Applicants are consistently leading with certifications instead of
accomplishments.
• Learning methodologies have been largely formulaic
• Seasoned security staff are burning out!
9PROPRIETARY AND CONFIDENTIAL
What’s old is new
• 2010 – “A Human Capital Crisis in Cyber Security” – CSIS Commission
on Cybersecurity.
“There are about 1,000 security people in the US who have the
specialized security skills to operate effectively in cyberspace. We
need 10,000 to 30,000” – Jim Gosler, Sandia Fellow, NSA Visiting
Scientist, and the founding Director of the CIA’s Clandestine
Information Technology Office
• 2014 Cisco Annual Security Report predicted that the talent gap would
be over 1 Million EEs.
10PROPRIETARY AND CONFIDENTIAL
Our current landscape is one where we have
an increased need for [a finite pool of
individuals] to secure a larger and more
complex environment against an ever-evolving
adversary.
11PROPRIETARY AND CONFIDENTIAL
Character Traits
• Security professionals must:
– be knowledgeable across all domains.
– be business centric
– stay abreast of new technologies AND new threats
– be able to meet increasingly higher expectations.
Security professionals can:
– Be experts in one discipline (Audits, Reverse Engineering, SOC
Analyst, etc.)
12PROPRIETARY AND CONFIDENTIAL
Character Traits
– Hire for ability not knowledge
– Hire someone who attacks problems differently
– Hire someone that understands the business from within:
• Bring developers in to application security
• Bring system/network engineers in to architecture
• Bring administrators in to manage the plethora of security products
– Hire the person that asks questions instead of tacitly agreeing.
– Hire the person that says, “I don’t know”
13PROPRIETARY AND CONFIDENTIAL
Where to look?
New Talent
– BSides : A community driven framework for building the Information
Security Community
– Reddit : https://www.reddit.com/r/netsecstudents
– Local Hacker Spaces
– Local Colleges
Seasoned Talent
– Network!
– Reddit : https://www.reddit.com/r/netsec
14PROPRIETARY AND CONFIDENTIAL
What can I offer?
– Compensation
– Flexibility
– Tele-Commute
– Innovative Work Environment
– Positive Work Environment
– Training!
– Conferences!
According to IDC Security Survey in 2015, new talent individuals can be
found within a few months, but positions requiring 10+ years have a time
to fill rate of over a year.