As hackers become more sophisticated, and attacks more frequent, it’s no longer a matter of if your organisation becomes a target, but when. That reality has forced many organisations to reassess how they address security efforts, and how best to allocate scarce resources toward mitigating the damage as quickly as possible.
Here, having the right mix of security skills on board is key.
“For a lot of our clients, they’re starting to realise that while they certainly want to hope for the best, they absolutely have to prepare for the worst,” says Stephen Zafarino, senior director of recruiting for IT recruiting and staffing firm Mondo. “Earlier this year, with the Chase and Home Depot breach, with the ransomware attacks on Britain’s NHS top-of-mind, everyone’s trying to figure out how to fortify defenses,” Zafarino says.
Following are 10 security skills your organisation should focus on when staffing up or upskilling your security teams.
1. Security tools expertise
It may go without saying, but sound security begins with knowing the tools. Unfortunately, many organisations take a set-it-and-forget-it approach, because they don’t have security tools know-how on board.
James Stanger, senior director of product development at CompTIA, points to security information and event management (SIEM) tools as an example. “These tools are great in that they give you a fifty-thousand-foot view of your network and infrastructure landscape, but also let you look very granularly at incidents so you can identify problem areas,” Stanger says. “Are most incidents the result of end-user error? Are there security flaws that could be exploited through your cloud implementations? Now you can see those vulnerabilities, and you can address those. How can we get our users to stop clicking on attachments? How can we make sure sensitive data isn’t in a vulnerable place?” he says.
Of course, these tools aren’t helpful if you’re not using them to their full potential, he says. “Most of these tools are, unfortunately, left at their defaults because they were installed just to comply with a requirement. For example, what we see a lot of is, ‘Do you have an incident manager installed? Okay, you do, now check that box … and ignore it.’ That’s incredibly dangerous,” he says.
That’s why it’s imperative to staff up with experts for the tools you have, says Ashley Stephenson, CEO of Corero Network Security. Product-specific knowledge is important to making sure you can leverage whichever tools you choose to their utmost, Stephenson says.
CIOs should invest in extensive training and even upskilling security staff to make sure they know the ins and outs of every security tool in their arsenal, or those tools are little more than a placebo, Stephenson says.
2. Security analysis
Tools are important, but it’s also critical to understand how they fit into your overall security strategy, says Stanger. “Before you can figure out which tools you need and how to use them, you need someone who understands the business of security,” Stanger says. “How does your business work? What are its unique features, markets, customers, infrastructure, industry — all of these aspects inform security policy and each business has different problems.”
Security analysis can identify the conditions that make attacks more likely and help minimize those attack surfaces, he says, adding that CompTIA data shows demand for security analysts growing 18 percent by the year 2020.
3. Project management
IT project management skills are always in demand, but project managers who specialize in managing security projects are becoming especially valuable, Stanger says. What used to be the domain of a general sysadmin or network admin has now evolved into a more specialized role, he says.
“It used to be that you could just install some antivirus, some spam filtering, maybe even some perimeter defense tools and away you go,” Stanger says. “But now, you have to think of these security solutions as a weeks- or months-long project, and figure out how to integrate it with the rest of your systems, add training, maintenance, upgrades — security-focused project management skills are extremely important,” he says.
4. Incident response
Incident response is another vital area when it comes to securing IT systems. Here, Splunk is among the best-known tools, mostly because of its prevalence in government IT systems. Incident response helps you identify threats quickly, and the demand for professionals with Splunk skills has increased tremendously, says Zafarino.
“A lot of the time, companies can’t keep staffing levels where they need to be, and even if they could, it becomes a matter of affordability. So what we’re seeing is organisations bringing in contract security specialists to do analysis, and then upskilling the company’s existing personnel so they can keep up,” he says. That can involve training existing staff and beefing up automated detection and mitigation tools, too, he says.
Cybersecurity threats and tools are constantly evolving, making it difficult to keep up, says Zafarino. Traditionally, organisations would have security teams manually monitoring and mitigating vulnerabilities, but that’s not a workable solution nowadays, he says.
“Companies are leveraging devops and automation to be able to manage the threat landscape,” Zafarino says. “How can we understand anomalies and then quarantine those to be able to analyze them? What threats are we dealing with, where did it come from and how do we block that access? What are our weaknesses? How can we prevent those from happening again? These are all incredibly important questions, but so many organisations don’t have the staff to handle them all at once.”
Automation can identify and shut down threats and attacks before they overwhelm a company, after which IT personnel can step in and perform the more intricate, context-sensitive security tasks, says Brad Antoniewicz, adjunct professor and hacker-in-residence at NYU’s Tandon School of Engineering. “These security professionals need to problem solve and troubleshoot; take in a lot of information and make a determination about where the investigation needs to go based on what the tools tell them and their own insight. And, unfortunately, that isn’t a skill set you can easily pick up — it’s about having a lot of experience over time,” Antoniewicz says.
6. Data science and data analytics
The enormous amounts of data companies collect can be used to track threat vectors, identify potential attacks and monitor the effectiveness of countermeasures, Stephenson says. But doing so requires analytics skills and experience.
“The cybersecurity field needs people with the training, experience and knowledge to leverage these analysis tools — including machine learning, algorithms and even AI — to process all this data, crunch the numbers and analyze reports to get results,” he says.
“Our clients want data scientists in general, but more specifically in security, as well as areas like e-commerce and especially where those two areas intersect,” Zafarino adds.
Antoniewicz is part of a team made up of ethical hackers and data scientists whose job it is to research new and emerging threats, identify them and figure out the best way to counteract them, he says.
“I can’t emphasize enough how important the data science and analysis part of our team is,” Antoniewicz says. “For large organisations, there can be thousands of data streams feeding millions of events into tools — like Splunk — as well as information about financial transactions, netflow logs, security alerts, DNS traffic — all of this dispersed data flowing into a single repository. And that’s a totally different animal than what most security professionals know. The data scientists help to pull the signals from the noise so we can all better respond to incidents,” he says.
With so many different moving parts, scripting skills are a requirement to get all these elements and tools to work well together, says Stephenson.
“My personal preference is Python for scripting, but others use Perl or even another scripting language. You need all these tools to interface well with messaging systems like Slack, dashboards and monitoring systems and incident management tools,” he says.
8. Soft(er) skills
In the security arena, soft skills take on a slightly different meaning, says Antoniewicz. While communication, collaboration and teamwork are important, there’s an element of critical thinking and even psychology involved, he says.
“You have to think like the ‘bad guys’ — you have to know social engineering tricks so you can identify vectors like phishing attacks, spear-phishing and other malicious endeavors and how to mitigate them,” Antoniewicz says. “You have to know how your employees and your customers are likely to respond and what would get them to let their guard down and then figure out how to fortify against these threats.”
Security pros also need to work well under pressure and be able to triage quickly, prioritising actions to lessen the damage should an attack occur, and to know how to proceed when conducting a post-mortem after an attack, he says.
“You are getting all of this information, all these alerts — you know something’s happening, and maybe it’s bad. Maybe there’s an attacker on the network, and you have to shut them down. Knowing how to quickly prioritise issues and respond quickly and accurately is crucial,” he says.
Admittedly, some of this comes down to tenure and institutional knowledge about an organisation’s unique vulnerabilities, strengths and which solutions they have deployed, he says, and that can only be gained with time.
“That’s why it’s so critical that organisations not only hire great security talent, but that they retain them,” he says.
9. Post-mortem deep forensics
Security talent must also understand how to conduct a post-mortem and/or forensic investigation after an incident, says Ryan Corey, co-founder of free online security MOOC provider Cybrary. A number of large organisations put their security teams through extensive deep forensics training to help them develop better incident response skills, Corey says.
“We’re seeing threat response, malware analysis and post-mortem/deep forensics enrollment increase as companies learn about these existing and emerging threats and improve their capabilities to deal with them,” Corey says.
Finally, good security talent has a passion for their work and a desire to share that knowledge, says Antoniewicz. That can manifest itself in various ways, from picking up a new programming language to taking courses to actively sharing knowledge across their organisation or at community meetups, he says.
“A good security person will have a major passion for sharing, learning and growing their knowledge all the time,” he says. “I’d argue that this is the most important skill, because you can’t teach or train this like you can with technical acumen. Find someone who asks to go to conferences, who’s signing up for courses, who loves talking shop with others in the industry,” he says.
If you already have professionals like this on board, do whatever you can to encourage and support them. “Develop team-building exercises, knowledge-sharing sessions, get-togethers, hack-a-thons, demos of new products or solutions, bug bounties — any way you can continue their engagement and add fuel to their fire,” he says.
Follow CIO New Zealand on Twitter:@cio_nz