As hackers become more sophisticated, and attacks more frequent, it’s no longer a matter of if your organization becomes a target, but when. That reality has forced many organizations to reassess how they address security efforts, and how best to allocate scarce resources toward mitigating the damage as quickly as possible.
Here, having the right mix of security skills on board is key.
“For a lot of our clients, they’re starting to realize that while they certainly want to hope for the best, they absolutely have to prepare for the worst,” says Stephen Zafarino, senior director of recruiting for IT recruiting and staffing firm Mondo. “Earlier this year, with the Chase and Home Depot breach, with the ransomware attacks on Britain’s NHS top-of-mind, everyone’s trying to figure out how to fortify defenses,” Zafarino says.
Following are 10 security skills your organization should focus on when staffing up or upskilling your security teams.
It may go without saying, but sound security begins with knowing the tools. Unfortunately, many organizations take a set-it-and-forget-it approach, because they don’t have security tools know-how on board.
[ Learn how to win the war for top tech talent, and retain your best by knowing the 9 reasons good employees leave — and how you can prevent it. | Keep up on the latest CIO insights with our CIO Daily newsletter. ]
James Stanger, senior director of product development at CompTIA, points to security information and event management (SIEM) tools as an example. “These tools are great in that they give you a fifty-thousand-foot view of your network and infrastructure landscape, but also let you look very granularly at incidents so you can identify problem areas,” Stanger says. “Are most incidents the result of end-user error? Are there security flaws that could be exploited through your cloud implementations? Now you can see those vulnerabilities, and you can address those. How can we get our users to stop clicking on attachments? How can we make sure sensitive data isn’t in a vulnerable place?” he says.
Of course, these tools aren’t helpful if you’re not using them to their full potential, he says. “Most of these tools are, unfortunately, left at their defaults because they were installed just to comply with a requirement. For example, what we see a lot of is, ‘Do you have an incident manager installed? Okay, you do, now check that box … and ignore it.’ That’s incredibly dangerous,” he says.
That’s why it’s imperative to staff up with experts for the tools you have, says Ashley Stephenson, CEO of Corero Network Security. Product-specific knowledge is important to making sure you can leverage whichever tools you choose to their utmost, Stephenson says.
CIOs should invest in extensive training and even upskilling security staff to make sure they know the ins-and-outs of every security tool in their arsenal, or they’re little more than a placebo, Stephenson says.
2. Security analysis
Tools are important, but it’s also critical to understand how they fit into your overall security strategy, says Stanger. “Before you can figure out which tools you need and how to use them, you need someone who understands the business of security,” Stanger says. “How does your business work? What are its unique features, markets, customers, infrastructure, industry — all of these aspects inform security policy and each business has different problems.”
Security analysis can identify the conditions that make attacks more likely and help minimize those attack surfaces, he says, adding that CompTIA data shows demand for security analysts growing 18 percent by the year 2020.
3. Project management
IT project management skills are always in demand, but project managers who specialize in managing security projects are becoming especially valuable, Stanger says. What used to be the domain of a general sysadmin or network admin has now evolved into a more specialized role, he says.
“It used to be that you could just install some antivirus, some spam filtering, maybe even some perimeter defense tools and away you go,” Stanger says. “But now, you have to think of these security solutions as a weeks- or months-long project, and figure out how to integrate it with the rest of your systems, add training, maintenance, upgrades — security-focused project management skills are extremely important,” he says.
4. Incident response
Incident response is another vital area when it comes to securing IT systems. Here, Splunk is among the best-known tools, mostly because of its prevalence in government IT systems. Incident response help you identify threats quickly, and the demand for professionals with Splunk skills has increased tremendously, says Zafarino.
“A lot of the time, companies can’t keep staffing levels where they need to be, and even if they could, it becomes a matter of affordability. So what we’re seeing is organizations bringing in contract security specialists to do analysis, and then upskilling the company’s existing personnel so they can keep up,” he says. That can involve training existing staff and beefing up automated detection and mitigation tools, too, he says.
Cybersecurity threats and tools are constantly evolving, making it difficult to keep up, says Zafarino. Traditionally, organizations would have security teams manually monitoring and mitigating vulnerabilities, but that’s not a workable solution nowadays, he says.
“Companies are leveraging devops and automation to be able to manage the threat landscape,” Zafarino says. “How can we understand anomalies and then quarantine those to be able to analyze them? What threats are we dealing with, where did it come from and how do we block that access? What are our weaknesses? How can we prevent those from happening again? These are all incredibly important questions, but so many organizations don’t have the staff to handle them all at once.”
Automation canidentify and shut down threats and attacks before they overwhelm a company, after which IT personnel can step in and perform the more intricate, context-sensitive security tasks, says Brad Antoniewicz, adjunct professor and hacker-in-residence at NYU’s Tandon School of Engineering. “These security professionals need to problem solve and troubleshoot; take in a lot of information and make a determination about where the investigation needs to go based on what the tools tell them and their own insight. And, unfortunately, that isn’t a skill set you can easily pick up — it’s about having a lot of experience over time,” Antoniewicz says.
6. Data science and data analytics
The enormous amounts of data companies collect can be used to track threat vectors, identify potential attacks and monitor the effectiveness of countermeasures, Stephenson says. But doing so requires analytics skills and experience.
“The cybersecurity field needs people with the training, experience and knowledge to leverage these analysis tools — including machine learning, algorithms and even AI — to process all this data, crunch the numbers and analyze reports to get results,” he says.
“Our clients want data scientists in general, but more specifically in security, as well as areas like e-commerce and especially where those two areas intersect,” Zafarino adds.
Antoniewicz is part of a team comprised of ethical hackers and data scientists whose job it is to research new and emerging threats, identify them and figure out the best way to counteract them, he says.
“I can’t emphasize enough how important the data science and analysis part of our team is,” Antoniewicz says. “For large organizations, there can be thousands of data streams feeding millions of events into tools — like Splunk — as well as information about financial transactions, netflow logs, security alerts, DNS traffic — all of this dispersed data flowing into a single repository. And that’s a totally different animal than what most security professionals know. The data scientists help to pull the signals from the noise so we can all better respond to incidents,” he says.
With so many different moving parts, scripting skills are a requirement to get all these elements and tools to work well together, says Stephenson.
“My personal preference is Python for scripting, but others use Perl or even another scripting language. You need all these tools to interface well with messaging systems like Slack, dashboards and monitoring systems and incident management tools,” he says.
8. Soft(er) skills
In the security arena, soft skills take on a slightly different meaning, says Antoniewicz. While communication, collaboration and teamwork are important, there’s an element of critical thinking and even psychology involved, he says.
“You have to think like the ‘bad guys’ — you have to know social engineering tricks so you can identify vectors like phishing attacks, spear-phishing and other malicious endeavors and how to mitigate them,” Antoniewicz says. “You have to know how your employees and your customers are likely to respond and what would get them to let their guard down and then figure out how to fortify against these threats.”
Security pros also need to work well under pressure and be able to triage quickly, prioritizing actions to lessen the damage should an attack occur, he says, or to know how to proceed when conducting a post-mortem after an attack.
“You are getting all of this information, all these alerts — you know something’s happening, and maybe it’s bad. Maybe there’s an attacker on the network, and you have to shut them down. Knowing how to quickly prioritize issues and respond quickly and accurately is crucial,” he says.
Admittedly, some of this comes down to tenure and institutional knowledge about an organization’s unique vulnerabilities, strengths and which solutions they have deployed, he says, and that can only be gained with time.
“That’s why it’s so critical that organizations not only hire great security talent, but that they retain them,” he says.
9. Post-mortem deep forensics
Security talent must also understand how to conduct a post mortem and/or forensic investigation after an incident, says Ryan Corey, co-founder of free online security MOOC provider Cybrary. A number of large organizations put their security teams through extensive deep forensics training to help them develop better incident response skills, Corey says.
“We’re seeing threat response, malware analysis and post-mortem/deep forensics enrollment increase as companies learn about these existing and emerging threats and improve their capabilities to deal with them,” Corey says.
Finally, good security talent has a passion for their work and a desire to share that knowledge, says Antoniewicz. That can manifest itself in various ways, from picking up a new programming language to taking courses to actively sharing knowledge across their organization or at community meetups, he says.
“A good security person will have a major passion for sharing, learning and growing their knowledge all the time,” he says. “I’d argue that this is the most important skill, because you can’t teach or train this like you can with technical acumen. Find someone who asks to go to conferences, who’s signing up for courses, who loves talking shop with others in the industry,” he says.
If you already professionals like this on board, do whatever you can to encourage and support them. “Develop teambuilding exercises, knowledge-sharing sessions, get-togethers, hack-a-thons, demos of new products or solutions, bug bounties — any way you can continue their engagement and add fuel to their fire,” he says.