Fortune’s Brainstorm Tech 2019 was held recently in Aspen, Colorado. During a lunchtime cybersecurity roundtable, the session’s featured speakers were asked a two-part question: What’s the biggest challenge the world faces with respect to cybersecurity today? And what is the solution?
We posed the same two questions to Shahin Pirooz, CTO and CISO at DataEndure. Given his more than two decades leading technology teams and his deep immersion in the evolution of cloud and security, we knew he would have insights worth sharing. Today, we will look at the first question.
According to Pirooz, talent is the biggest challenge the world faces with respect to cybersecurity.
Threats and bad actors are multiplying at an aggressive rate, and there is not enough talent to field the positions that are required to defend the onslaught of threats. And with threat vectors constantly expanding and changing, it is a struggle for organizations to keep up.
Networking used to be the black art; and as such, it was hard to get good networking talent, and in particular CCIEs. With the move towards automation, cloud, virtualization, etc., the talent gap has shifted to security. This has resulted in an overflow of professionals who understand networking (making up one tenet of security); however, they also need to have expertise in application security, system security, physical security, etc.
A majority of the security personnel you see today I would liken to tier-1 tech support. For the quantity and diversity of threats we face, security personnel have to be equipped (and should be expected) to not just respond but also to remediate. And to do this effectively, it requires a broad understanding not only of security basics but where and how things interoperate. It only takes a small miss to have severe implications.
Developing the requisite breadth and depth in security is not easily taught, and there is simply no substitute for experience. People who have been in security for a long time have seen a lot and know what to look for. Up until 5 years ago, security was not a priority for our education system, or in demand from employers. So there is a challenge as we try to bridge the experience gap between those who are book smart and those who have been active in the trenches.
On the positive side, certification bodies have responded by adding security-specific certificates to ensure a wider breadth of knowledge around security (and an assurance that employers are getting the talent they believe they are paying for).
For example, at DataEndure, when we hire people as security analysts, we are looking for 2 years of analyst-level experience; then we get them certified on Network+, A+, System+ and Security+. Then we move them into higher certifications based on their goals of becoming either a threat hunter, analyst, manager, compliance, etc.
For those who seek the most valuable and stringent qualifications, you will want to obtain a CISSP (Certified Information Systems Security Professional) certification. To do so, you need to have an understanding of the 8 domains of the Common Body of Knowledge (CBK) the certification is built on:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
With all of this said – talent is simply a band-aid.
This brings us to the second question: What is the solution? Stay tuned for our August Tech Tips to find out!