December 22, 2024

CIA to Boost Cyber Capability in Sweeping Overhaul

Posted on March 7, 2015 by in Security

The CIA plans to radically overhaul operations, ramping up its capability to deal with cyber threats while boosting integration between departments via a network of new units.

Central Intelligence Agency director John Brennan outlined the proposed changes to the agency in a message to staff on Friday described as a “Blueprint for the Future” covering four key areas.

Brennan said the US espionage agency would set up a new “Directorate of Digital Innovation” to reflect the rapidly evolving cyber landscape.

“We must place our activities and operations in the digital domain at the very center of all our mission endeavors,” Brennan wrote.

“To that end, we will establish a senior position to oversee the acceleration of digital and cyber integration across all of our mission areas.”

The changes reflect the increasing emphasis on cybersecurity by the United States after a series of high-profile digital breaches in recent years, such as the Sony Pictures hack blamed on North Korea.

Director of National Intelligence James Clapper last month told lawmakers that foreign cyberattacks represented a bigger threat to national security than terrorism.

US media reports said Brennan’s sweeping changes would affect thousands of employees at the agency.

‘Bold steps’

A centerpiece of the overhaul would be the establishment of 10 new “Mission Centers” aimed at enhancing integration between departments.

“Never has the need for the full and unfettered integration of our capabilities been greater,” Brennan said in his message. “We must take some bold steps toward more integrated, coherent and accountable mission execution.”

Analysts said the introduction of Mission Centers was intended to eliminate divisions between traditional departments covering the Middle East, Africa and other regions.

Several media reports said the new units would be modeled on the CIA’s Counterterrorism Center, which grew exponentially in the years after the September 11, 2001 attacks on US soil.

The new centers will “bring the full range of operational, analytic, support, technical and digital personnel and capabilities to bear on the nation’s most pressing security issues,” Brennan said.

Each new center would be led by an assistant director who would be accountable for overall mission accomplishment in the field or geographic region assigned to their unit.

According to The Wall Street Journal, the overhaul follows an exhaustive review led by senior CIA veterans that identified several “pain points.”

“One of the things we’re trying to do here is to think about the agency operating in a way so that there are less of those… frictions that build up over time, and to have a more streamlined, a more efficient agency so we can, frankly, produce more, do a better job in some of the areas where we need to do better,” Brennan was quoted by the Journal as saying.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

Tokyo Cyber Security Competition Draws 90 Hackers

Posted on February 8, 2015 by in Security

Tokyo – A cyber security competition began Saturday in Tokyo, with organizers aiming to show off the skills of young Japanese hackers by testing them against international rivals.

The final rounds of the Security Contest 2014, or SECCON, brought together 90 participants in 24 teams from seven nations and regions: China, Japan, Poland, Russia, South Korea, Taiwan, and the United States.

The winners of the Tokyo competition will advance to the prestigious Def Con CTF (Capture the Flag) competition, slated for later this year, organisers said. SECCON was designed to allow young Japanese technology engineers to show off their skills on the world stage, while also encouraging more to get into the field of cyber security.

Teams compete for points by hacking six virtual servers to discover particular keywords, and can also intervene to stop their rivals’ cyberattacks.

“There is a need for a forum where fledgling, young… hackers can grow and gain understanding of their families, schools and the outside world,” said Yoshinori Takesako, the head of the SECCON organising committee.

“This is important in order to keep them away from being pulled into the underground world,” he said in a statement to AFP.

The Japan-based event has drawn a total of 4,186 participants from 58 countries through various qualifying rounds.

Takesako said the organizers, supported by government agencies, tech firms, and scholars, also want to change the media image that Japan lags other nations in the cyber security field.

Subscribe to the SecurityWeek Email Briefing

view counter

© AFP 2013


SecurityWeek RSS Feed

SEC Examines Response From Financial Advisory, Brokerage Firms to Cyber Threats

Posted on February 5, 2015 by in Security

An overwhelming majority of brokerage and investment advisory firms examined by the U.S. Securities and Exchange Commission (SEC) have been the subject of a cyber-attack.

In its recent ‘Cybersecurity Examination Sweep Summary‘ report, the SEC took a look at 57 registered broker-dealers and 49 registered investment advisors. Eighty-eight percent of the broker-dealers and 74 percent of the advisers stated that they have experienced cyber-attacks either directly or through one or more of their vendors.

The majority of the cyber-related incidents are related to malware and fraudulent email. In fact, more than half of the broker-dealers (54 percent) and 43 percent of the advisers reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses in excess of $ 5,000 related to these emails, with no single loss being greater than $ 75,000. Twenty-five percent of the broker-dealers confessing losses related to the emails said the damage was the result of employees not following their firm’s identity authentication procedures.

<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fcybersecurity-healthcare-retail-sectors-lags-behind-utility-and-financial-industries-report%22%3E"Brokers and advisors, especially those who handle very wealthy clients, are used to dealing with substantial sums of money, but they’re also human beings who can be duped by a well-crafted phishing scam,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Not all of these brokerages are as big as Wells Fargo and Morgan Stanley. Small and medium financial firms are gaining visibility because criminals are walking away with meaningful sums of money. The criminals are becoming more savvy about which kinds of transactions remain under the radar, and the more success they have with these targets, the more of these businesses they go after.”

The good news is the vast majority of examined broker-dealers (93 percent) and advisers (83 percent) have adopted written information security policies, and 89 percent of the broker-dealers and 57 percent of the advisers conduct periodic audits to determine compliance with these policies. For the majority of both broker-dealers (82 percent) and the advisers (51 percent), these written policies discuss mitigating the effects of a cyber-security incident and/or outline the plan to recover from such an incident. These policies however generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.

While firms identified misconduct by employees and other authorized users of their networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (four percent) reported incidents in which insiders engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or damage to the firms’ networks. 

The vast majority of examined firms conduct firm-wide risk assessments on a periodic basis to identify cybersecurity threats, vulnerabilities and any potential impact to business. While most of the broker-dealers (93 percent) and advisers (79 percent) reported considering such risk assessments in establishing their cybersecurity policies and procedures, fewer firms applied these requirements to their vendors. While 84 percent of the brokerage firms require cyber-security risk assessments of vendors with access to their firm’s networks, only 32 percent of the advisers do so.

“Cybersecurity threats know no boundaries,” said SEC Chair Mary Jo White, in a statement. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Cyber Attacks From Las Vegas Spiked During Black Hat, Defcon: Imperva

Posted on August 22, 2014 by in Security

The days when the Black Hat USA and Defcon conferences are ongoing are two times when surfing the Internet in Las Vegas can be a gamble all on its own.

According to Imperva, there was a spike in malicious activity emanating from Sin City two weeks ago when the conferences were under way.

“I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline,” blogged Barry Shteiman, Imperva’s director of security strategy. “In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US. Finally, we summarized by date and where the city itself is Las Vegas.”

Here’s what the company found. Typically, it detects roughly 20 attacks originating from Las Vegas on a normal day. However, during the conferences that number peaked at 2,612. There was a significant drop off as Black Hat began winding down. On Aug. 6, the conference’s second to last day, there were just 20 detected attacks. The start of Defcon – which is also the final day of Black Hat – erased that decline however and the number of attacks shot back up to 1,916 on Aug. 7.

On the final day of Defcon, Aug. 10, the number of detected attacks fell to 7.

Chart of Attacks Coming from Las Vegas

Imperva also noted a jump in attack volume during the NAACP conference in July, which indicates one of a few possibilities: either a large crowd in a conference-scale event causes a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there, Shteiman wrote. As for Black Hat and Defcon, they are not exactly typical conferences, he added.

“They have some of the brightest security/hacking minds in the world attending,” he blogged. “Those guys who read every link before they click, run custom operating systems in cases and are generally very aware to security and therefore are less likely to be drive-by victims of hacking – for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

North Korea Doubles Cyber War Personnel: Report

Posted on July 6, 2014 by in Security

SEOUL – North Korea has doubled the number of its elite cyber warriors over the past two years and established overseas bases for hacking attacks, a report said Sunday.

The North’s cyber war unit now has 5,900 personnel, compared with 3,000 two years ago, the South’s Yonhap news agency said.

“The communist country operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1,200 professional hackers,” a military source was quoted as saying.

North Korean hackers have launched cyber attacks through overseas bases in countries such as China, the source said.

In recent years, hackers have used malware deployments and virus-carrying emails for cyber attacks on South Korean military institutions, commercial banks, government agencies, TV broadcasters and media websites.

Investigations into past large-scale cyber assaults have concluded that they originated in North Korea.

The North has denied any involvement and accuses Seoul of fabricating the incidents to fan cross-border tensions.

South Korea has increased its Internet security budget to train experts since it set up a special cyber command in 2010, amid growing concern over its vulnerability.

RelatedNorth Korea Jump Significantly: Solutionary

RelatedSouth Korea’s ‘Top Gun’ Cyber Warriors

RelatedNew Disk Wiping Malware Used in Attacks Against South KoreaCyber-Attacks From 

© AFP 2013


SecurityWeek RSS Feed

Cyber Risk Intelligence: What You Don’t Know is Most Definitely Hurting You

Posted on June 20, 2014 by in Security

Cyber Risk Intellitence

Growing up, one of my father’s favorite sayings was “luck favors the prepared.”

I must have heard it a thousand times over the years. It was almost always spoken just after some sad scenario where I had failed to stay alert, informed and aware, thus my ending up at a loss. Sometimes a big loss. It was his belief that, if you’re always broadly observant of things that affect your life, good things have a better chance of happening to you. He has always been right.

Nowadays, I find myself applying this lesson to cybersecurity and cyberdefense.

More than just nifty tools and solutions, robust IT budgets, threat intelligence firehoses and rigid security policies, I’m learning over and over again that practical, habitual day-in/day-out awareness is invaluable at helping you avoid becoming a victim of cybercrime – and lessening the impact when cybercrime inevitably happens to you and your organization.

Cybercrime is all around us.

One day it may become second nature to stay constantly informed about cyber risks facing us and our businesses. We’re certainly not there yet. Sooner or later, we may all need to get used to the idea of constantly consuming data about our risks and vulnerabilities in order to act safer. It’s likely sooner rather than later. To really accomplish this type of awareness, though, takes the right levels of information. Not just data. In fact, we’re all awash in data. But more on that later.

What we need is high-quality cybercrime information that’s comprehensive, yet also focused and simple to digest. Information that’s current, consistent, intuitive, continuous and, most importantly, easy to draw conclusions from that have meaning specific to you, your business and the decisions you face. It’s what I call “complete context.”

And there’s more.

To truly benefit from this sort of information takes more than just the info itself. Just as my father also told me, it takes focus, effort and commitment. Every day. Something he just called “hard work.”

Current Data + Contextually-Relevant Info + Continuous Awareness + Hard Work = Practical Solutions

Of course, the familiar modern-day version of my father’s favorite is “Chance favors a prepared mind” said by Louis Pasteur, French microbiologist, father of Pasteurization, and father of the Germ Theory of Disease. For Pasteur, the saying meant that, by staying diligently informed of all things surrounding your problem space, you’ll more quicker see solutions for tough problems.

For years and years he labored at the microscope, observing, collecting data and analyzing. But it was his devotion to basic research on more than just the problem itself – and the quick delivery of practical applications based on what he learned –  that led him to his biggest breakthroughs against unseen and deadly illnesses. Eventually, thanks to Pasteur’s way of working, we developed critical medicines such as antibiotics.

Studying a problem from every angle and every level always leads to more practical solutions and quicker (re)action.

Although Pasteur labored in the medical and biological fields, his work was in many ways analogous to modern cybersecurity. Today, scientists and researchers battle similar unseen forces, all around us, making us sick in various ways. Our networks and computers and mobile devices are constantly exposed to harmful pathogens and viruses. And, with the Target breach and things like Heartbleed, real people now know these things are fatal in their own way.

But in today’s world, we seem to have gone off track a bit in trying to cure our cyber ills.

In perhaps what was much the same as in Pasteur’s day, many smart people today labor to observe, collect data and draw conclusions. However, most of them, unlike Pasteur, are not able arrive at real practical breakthroughs that change the world.

Why is this the case?

For me, it’s mostly a simple answer:

We focus so much on looking down the barrel of individual microscopes, we get lost in all the low-level noise that’s far too focused on only a few dimensions of the problem.

Let me use Pasteur again to explain more simply.

Had Pasteur only observed the smallest bits floating around under his glass, he would’ve likely not been remembered in history. Instead, Pasteur gathered data about sick people, who they were, where they lived, how old they were, what gender, what symptoms they had, what prior illnesses they had been subject to, what their jobs were and what they had in common.

He observed animals, how they behaved, how long it took for them to become sick when they did, what they ate, where they lived and more. He even observed how rotting meat behaved, how it decomposed, how it compared to other plant and animal matter and on and on. He focused on all sides of the issue; the causes, the victims and, of course, their symptoms. Pasteur observed every facet of his problem set from high level to low, and turned basic data collection – from many dimensions at once and from all angles – into information he could use to draw practical conclusions.

Put simply, Pasteur had complete context by performing “intelligence gathering.” But, by focusing on more that just the threat itself, Pasteur was one of the first practitioners of risk analysis, or risk intelligence. It’s something we’ve only just begun to really apply to cyberdefense.

Continuous awareness of our own cyber risks compared to what’s possible and what’s happening around us right now is one of the missing pieces in current cyberdefense practices.

Today, we spend most of our cybersecurity efforts and dollars gathering massive amounts of data from millions of “microscoped” sources, but we rarely change perspectives or levels. We want to know what’s threatening us, but can’t seem to understand the picture is much bigger. Too rarely do we push back from the lenses trained only on data sets inside our specific organizations to pick our heads up and look around.

I like to call it “cyber navel gazing.”

You see, outside the microscope, there’s just so much other useful data – mostly not being stored and analyzed – that can be turned into helpful information, then into practical solutions.

Yet, we continuously employ 10s of 1000s of myriad tools, solutions and applications that comb through huge bins of raw packet data and endless streams of netflow and long-term signature repositories and terabytes of log files and interface dumps and more.

In fact, it’s as if all we do is peer through the scopes at our own micro worlds and draw conclusions that themselves lead to other tools begetting other massive piles of micro data.

Are these things all bad? Of course not. And they’re all part of fighting the fight against cyber disease. But in all of this we miss out on the bigger picture. Rarely do we store data, day in and day out, on what we’re getting hit with, how threats are occurring and what’s happening as a result. Neither are we matching that up to what our specific, individual symptoms are, who we are as targets, where we’re from, what types of companies we are, who our customers are, what technologies we’re using and on and on.

What would Pasteur say to us now if he were brought in to consult on our cyber sickness?

He’d probably just say, “Luck favors the prepared.” Then he’d tell us to start over. From the top this time.

Jason Polancich founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.

Previous Columns by Jason Polancich:


SecurityWeek RSS Feed

Do Cyber Attacks Have A Tipping Point Where Catastrophic Effects Are Imminent?

Posted on May 16, 2014 by in Security

The term “Tipping Point” is controversial because it has been so widely misused and loosely applied; two abuses that I often see in the cyber security marketplace. However, there are examples where a tipping point has been found to exist through more rigorously applied studies.

One study showed the point where hospitals begin to fail resulting in the deaths of critically ill patients: “What our research revealed is that there is, in fact, a tipping point which was triggered strongly at midnight occupancy levels of around 92 per cent in our data. When the tipping point was exceeded, patients began dying in significant numbers.”

The risk of a fire turning into a firestorm due to the density of trees in a forest occurs at 59% density: “The risk of catastrophic fire does not increase in a linear relationship with the density of the forest. Instead there is a tipping point at about 59% density.”

My interest with tipping points have to do with critical infrastructure such as the power grid or transportation routes. A lot of papers have been written about cascading failures such as [1] and [2], however what would happen if a small terrorist group with moderate knowledge of industrial control systems wanted to create sustained or repeated outages? Think of the different regional grids in the U.S. as songs on an adversary’s playlist, and he just hit “Shuffle”. What would be the tipping point before social order in the U.S. would collapse?

I don’t know if there’s a good answer to that question, but I think it’s one that needs exploring. Therefore, I’ve organized a panel to address the issue from different angles at Suits and Spooks New York. Joining me will be Joe Weiss, an internationally known ICS expert and Dr. John Mallory of MIT.

If you’d like to hear this discussion and add your perspective, please register to join us at Suits and Spooks New York on June 20-21, 2014. This will be just one of many great panels and speakers. Suits and Spooks New York will mark the first SecurityWeek-branded two day event. Hope to see you there.

Footnotes:

[1] Saleh Soltan, Dorian Mazauric, Gil Zussman: Cascading Failures in Power Grids – Analysis and Algorithms

[2] Paulo Shakarian, Hansheng Lei, Roy Lindelauf: Power Grid Defense Against Malicious Cascading Failure.

Jeffrey Carr is founder and CEO of Taia Global and author of “Inside Cyber Warfare: Mapping the Cyber Underworld” (O’Reilly Media 2009 and 2011) and the founder of the Suits and Spooks event series. Jeffrey has had the privilege of speaking at the US Army War College, Air Force Institute of Technology, Chief of Naval Operations Strategic Study Group, the Defense Intelligence Agency, the CIA’s Open Source Center and at over 100 conferences and seminars and regularly consults on security matters for multinational corporations.

Previous Columns by Jeffrey Carr:


SecurityWeek RSS Feed

US ‘Restrained’ in Cyber Operations – Pentagon Chief

Posted on March 28, 2014 by in Security

WASHINGTON – The United States will show “restraint” in cyber operations outside of US government networks, Secretary of Defense Chuck Hagel said Friday, urging other countries to do the same.

Hagel, speaking at the National Security Agency (NSA) headquarters at Fort Meade, Maryland, said that the Pentagon “does not seek to ‘militarize’ cyberspace.”

Instead, Hagel said that the US government “is promoting the very qualities of the Internet — integrity, reliability, and openness — that have made it a catalyst for freedom and prosperity in the United States, and around the world.”

Overview of PentagonThe remarks came at the retirement ceremony for outgoing NSA chief, General Keith Alexander.

The Pentagon “will maintain an approach of restraint to any cyber operations outside the US government networks. We are urging other nations to do the same,” Hagel said.

He also said that the United States “will continue to take steps to be open and transparent about our cyber capabilities” with Americans, US allies, “and even competitors.”

The idea is to “use the minimal amount of force possible” in cyber operations, a senior defense official told reporters, speaking on condition of anonymity.

This would take place only when it would “either prevent conflict, de-escalate conflict or allow us to use the minimal amount of force,” the official said.

“That is not always the approach that other nations in the world use,” the official said. Although he emphasized that there was “a clear difference” between espionage and cyber operations, restraint is also applicable “for espionage and communications intelligence” at both the NSA and Cyber Command, the official said.

“We think very carefully about the things we do outside of our own network,” the official said. The budget for the Pentagon’s Cyber Command for fiscal 2015 is $ 5.1 billion. The Command must have 6,000 soldiers by 2016.

Alexander’s successor is a US Navy officer, Vice Admiral Michael Rogers, who will take over as both head of the NSA and Cyber Command.

Hagel is set to begin next week a tour of Asia with a stop in China, where cyberspying will be a hot topic following a report in The New York Times and Germany’s Der Spiegel that the NSA had secretly tapped Chinese telecoms giant Huawei for years.

The NSA had access to Huawei’s email archive, communications between top company officials, and even the secret source code of some of its products, according to the reports based on information provided by fugitive former NSA contractor Edward Snowden.

© AFP 2013


SecurityWeek RSS Feed

High Demand Pushes Average Cyber Security Salary Over $93,000

Posted on March 12, 2014 by in Security

Despite concerns over unemployment and the challenging job market, the IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study.

The number of job postings for cyber-security positions grew twice as fast as the number for overall IT job postings in 2013, Burning Glass Technologies found in its latest installment of the Job Market Intelligence report. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $ 93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $ 77,642.

“These postings are growing twice as fast as IT jobs overall, and now represent 10 percent of all IT job postings,” the report said.

Cyber Security Salary When considered against the backdrop of increased number of data breaches, distributed denial-of-service attacks, online fraud, and cyber-espionage being reported each day, it’s no surprise the cyber-security job market is booming. Over 17 major retailers and financial institutions were targeted in 2013 alone, and according to the FBI, nearly 300,000 cyber-crimes were reported in the past year, resulting in losses of over $ 525 million.

Security is no longer restricted to just technology companies or financial institutions, as retailers such as Target and organizations in charge of critical infrastructure such as the electric grid grapple with skilled adversaries who take advantage of holes in the network defenses to cause damage. “If you have sensitive data, you are a security company,” David Lindsay, a senior product manager at Coverity, said in an earlier interview.

Burning Glass released the report last week, hours after the Labor Department reported the U.S. Economy added 175,000 jobs in February. The Labor Department said the biggest growth nationwide was in the professional services sector, which includes technology jobs. According to the Burning Glass report, 38 percent of those technology jobs are cyber-security positions. Manufacturing, defense, finance, insurance, and health care sectors also had high demand for cyber-security jobs, Burning Glass found.

While there are many jobs, Burning Glass said they are concentrated in three major hubs: Washington, D.C., New York, and San Francisco/Bay Area. The Washington, D.C. metropolitan area had the most cybersecurity job postings in 2013, with more than 23,000 listings, followed by New York City with just over 15,000, Burning Glass said in its report. The San Francisco-San Jose corridor, which includes the Silicon Valley, had more than 12,000 listings. Chicago and Dallas rounded out the top 5.

The demand for skilled cyber-security professionals in the federal government and for the contracting firms that work on government contractors explains the high numbers for the D.C.-area. In a state-by-state analysis, Burning Glass found that Virginia ranked second in the number of cybersecurity job listings, and Maryland ranked sixth. As would be expected considering its concentration of technology companies, California ranked first in the number of open jobs.

The report highlighted the oft-discussed skills gap, as well. The demand is there for cyber-security professionals, but cyber-security jobs took 24 percent longer—45 days as opposed to 36 days for other IT jobs—to fill, Burning Glass found. Cyber-security jobs also took 36 percent longer than all job postings.

“The demand for cybersecurity talent appears to be outstripping supply,” said Matt Sigelman, CEO of Burning Glass.

One reason for the gap may be because employers are looking for significant educational background and experience, with two-third of postings requiring at least four years of experience and 84 percent looking for applicants with at least a bachelor’s degree. About half of all cyber-security positions requested at least one professional certification, such as Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (Security+), and Certified Information Security Manager (CISM).

Sigelman noted that 50,000 job postings in 2013 required applicants to have the Certified Information Systems Security Professional (CISSP) credential, but there were only 60,000 such certified professionals at the moment. And considering that CISSP requires four years of full-time cyber-security experience, it’s not possible to “fast track” professionals to meet the demand.

“This is a huge gap between supply and demand,” Sigelman said.

The difficulty in finding cyber-security professionals to fill positions was part of the conversation at last month’s RSA Conference in San Francisco, as well.

Andy Ellis, CSO of Akamai, noted on the security gaps panel that the problem wasn’t a dearth of skilled individuals, but rather that “We’re writing job descriptions that are unrealistic.” The panel emphasized that cyber-security professionals need to be able to communicate with business stakeholders and be able to show how security affects the business bottom line.

With the jobs market booming for cyber-security professionals, it seems there are plenty of opportunities for them to show off what they can do.

Related: Report Shows Extreme Demand for Skilled Security Professionals

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:


SecurityWeek RSS Feed

RSA: The Cyber Security Gap in Education

Posted on February 26, 2014 by in Security

SAN FRANCISCO – In last year’s workforce study from ISC2, 56 percent of those surveyed said their security organization was short-staffed. A year later, figuring out what to do about that remains a challenge, and it is one not far from the minds of some of the attendees at the RSA Conference.

One answer may be to make sure that all aspects of IT consider security as a critical part of their operation. But that process often gets off to a rocky start for aspiring IT professionals, as many universities are not doing a good enough job of educating students on security – particularly those not going directly into the security field, argued Jacob West, HP’s CTO of Enterprise Security Products. 

“Honestly I think we’re doing almost nothing at the university level today to teach security,” he told SecurityWeek at the conference, where he presented on the topic earlier in the day.

For those pursuing a career in cyber-security, there is at least a clear career path and opportunities, he said. But for anyone seeking a career in IT where security is not their primary responsibility, the danger of security falling through the cracks is very real.

“[Developers] are not getting realistic expectations placed on them at the university level around the kind of coding that they do,” he said. “They are basically asked to provide certain functionality…and are supposed to provide it with a certain level of performance perhaps – some cases not even that – but they’re not expected to provide it in a robust way. They are not graded against frankly the same standards that code in the real world is graded against today, which is being in an adversarial environment and where a small mistake can lead to a huge security problem.”

Adding to the challenge of preparing a workforce is the dynamic realities of IT security, where change is perhaps the only constant. In a panel discussion, representatives from security certification body (ISC)² stressed that seeking professional certifications can help not only bolster an employee’s credentials, but also serve as proof of expertise regarding real-world situations.

The test for the group’s CISSP certification is updated with new questions every few months, and the test has to be retaken every three years for the credential to stay in good standing, explained Vehbi Tasar, director of professional programs development for (ISC) ², explained to SecurityWeek. When it comes to education, he said, the best learning usually comes on the job.

“All good security people learned their job doing the job,” he said. “They didn’t learn at the university. That is a big gap in my opinion because universities are teaching just the basic stuff. They are not necessarily teaching different angles that people will encounter. They cannot really; you cannot expect them to do it.”

West said during his presentation he would like to see additional programs from both the government and the tech industry to support those seeking to get into the field, and added later that it was critical to recruit women, who he said as a group continue to be underrepresented in IT security. To that end, earlier in the week, HP announced it was making $ 250,000 available in scholarships for women studying information security.

“It’s not as simple as adding a new class on security,” he said. “It’s the idea that we have to build security and the requirements of robust programming into everything we teach at the university level, and that’s a much broader problem.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed