Cybersecurity is Enveloped in Ambiguity

Cybersecurity is Enveloped in Ambiguity

In every corner of the world across every dimension of technology, there is an unprecedented growth in the users connecting to cyberspace. As the world’s use and reliance on cyberspace grows, so too grows our individual and global cyber vulnerability. In recent years, cybersecurity threats have accelerated and grown in significance, scale, scope, and sophistication. Protecting the critical infrastructure and data that underpin our financial markets, power grids, intelligence and defense systems, and which hold the intellectual property and private information of millions of businesses and individuals, has become a high priority albeit, efforts to improve the cybersecurity have fallen short due to a general inability to grasp the economic and psychological dimensions of the problem. We can summarize the circumstances surrounding cybersecurity today in one simple word, ambiguity.  There exists both a lack of understanding as well as an overabundance of inconsistent concepts of the below items: What is cybersecurity? What are its dimensions? How do you operate it? What does it deliver? How is it achieved? How is it sustained? What drives it? How is it measured? Who is involved? This ambiguity combined with today’s existing IT challenges and their inherit diversity in perspectives have forged a complex and nebulous cybersecurity landscape. Additionally, ever evolving advanced persistent threats, regulatory mandates, and complex business operations have driven most organizations to regard cybersecurity as an IT challenge for IT to solve. The truth is that cybersecurity is more than just an IT challenge, it is equally a human challenge, and an organizational imperative to protect customers, partners, competitive advantages, and shareholder interests. The reality we face in this dilemma is that until we understand cybersecurity’s many nuances (and I mean really understand) we will continue...
The 8 Hottest Security Jobs of 2015

The 8 Hottest Security Jobs of 2015

There is an unprecedented demand for highly-skilled professionals capable of building holistic programs, security into new and existing networks, assessing security on a real-time basis as new vulnerabilities are identified and disclosed, and acting as front-line defenders across various industries. Meanwhile, the number of entrants into the workforce has not kept up with this demand, leaving a significant gap in capacity to adequately protect businesses from attacks. At the same time, the lack of clarity and consistency in job profiles, competency models, skills assessment contribute to a sub-optimal deployment of these scarce resources. Openly Secure has built upon the work of previous efforts to identify and validate the hottest security jobs, the top eight list of roles define the apex of professional skill in the field:   1. Chief Information Security Officer (CISO) / Chief Security Officer (CSO)  A CISO/CSO is a C-level management executive whose primary task is to oversee the general operations of an organization’s IT security department and other related staff. The organization’s overall security is the foremost concern of the CISO/CSO. As such, persons who aspire to become a CISO/CSO must demonstrate a strong background in IT strategy and security architecture. 2. Application Security Engineer / Architect Application Security Engineer / Architect is a mid to high-level employee who requires the demonstrated technical abilities necessary to conduct operational testing of applications before initial deployment and as they are subsequently updated. Competence is assessed on the ability to identify the program avenues most riddled with flaws and holes that give malicious actors access to important content or systems. Applications from the web are particularly vulnerable to malicious exploitation, frequently infecting...
How Security Leaders Succeed

How Security Leaders Succeed

Security teams rely on the ability to learn skills and process information on-the-fly to meet expectations from stakeholders across the business and combat an ever evolving persistent threat. One of the critical contributors to any security program’s success is skill availability. While technical experts and vendors have done great work building cybersecurity solutions, a businesses security program is nothing without the right people and the majority of security professionals today struggle to justify their value to the business. Security represents a vague and fairly intangible field of work that cannot be quantified through profit margins and in the absence of compromise or breach businesses are prone to undervaluing their security program’s criticality to the business. And so it should come as no surprise that the most challenging and critical roles in security is being a leader. Security leadership (directors, security architects, managers, shift leads, senior analysts etc.) must be able to understand the larger picture, translate security into the language of the business, and hold some degree of deep technical knowledge matured over a long career. Throughout my career I have witnessed security leadership either succeed or fail based on how they maneuver through three very common pitfalls:   1. Disadvantageous Support The Security Leadership team has a responsibility to ensure that they are providing the appropriate level of training and mentoring to the younger and less experienced security professionals. They must be sensitive and actively aware when they reward, discipline, and/or punish any individual on the team. Too much discipline or punishment have a tendency to reduce the free thinking innovative environment that successful security teams depend on....
Top 5 Worst Security Practices

Top 5 Worst Security Practices

When it comes to security the basic and most common security practices work far better than any security product advertises and this is the reality that seasoned security professionals live in. This isn’t going to change for security anytime soon and you can expect the status quo for security of purchasing and deploying products that will never live up to their claim of protection to continue. We hope to be a voice of reason for security by shedding some light on the issue with the top 10 widespread security practices and products that aren’t providing the level of protection you would assume.   1. Antivirus scanners will not uncover actual attackers Hackers put out millions  of new malware programs each month, far too many for any single antivirus program to reliably detect. This persists despite claims from nearly every antivirus vendor that they reliably detect 100 percent of the common malware submitted to them. They can show you their multiple awards attesting to their incredible accuracy, but this is just simply not pragmatic. 2. Firewalls are not effective Businesses often put a unrealistic sense of criticality on firewalls but they are actually becoming less relevant than antivirus software. The vast majority of compromises and breaches don’t start at the firewall but originate from deceiving end-users into running a forbidden program or circumventing a security practice on their systems, thus invalidating firewall protection. Moreover, most malware reaches back to their command and control servers using using port 80 or 443, which is always open outbound on the firewall. 3. Patch management isn’t happening Today the top security advice you could give anyone is to patch their systems and applications. All...
3 Tips For Learning Security

3 Tips For Learning Security

I get a lot of questions regarding where exactly to start when trying to get into security and frankly, that’s a very important question as today’s security job market is extremely competitive. If you want to be taken seriously you need to learn something! The first thing you should understand about security is that it is big- I mean really, really, really big. There are thousands upon thousands of specialty tracks in security that can range from watching security camera feeds, ensuring physical barriers are in place around a data center, sensitive network traffic is properly encrypted between endpoints, validating and sampling technical and operational controls for compliance, and the list goes on. The point I am trying to make is that there are countless opportunities out there for you that fit your specific skill sets. You don’t have to code to work in the field of security much like you don’t have to watch security camera feeds to be in the field of security. One of the foremost think tanks in security is a man named Bruce Schneier and he provides excellent advice for anyone learning to get into computer security but the this can apply across multiple domains:   Study. Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there — and blogs — that teach different aspects of computer security out there. Don’t limit yourself to computer science, either. You can learn a lot by studying other areas...

Share This

Share this post with your friends!

ENTER YOUR ACCOUNT
Remember Me
OPENLY SECURE SERVICES
CONTACT US
SIGN UP FOR EARLY ACCESS
REQUEST EARLY ACCESS