There is a dire shortage of talent in the information security industry.
Today, industry roles command big salaries, but also bigger workloads.
When you read articles about the best jobs or highest paying jobs to consider, information security is always in the top 10 of the list.
How does this industry sustain current security professionals and prepare the next generation?
Here, I look at what current professionals can do, and offer sound advice for preparing the next generation of security pros.
Malicious cyber activities are becoming very common.
Some have gone so far as to say that this form of crime knows no bounds.
It is global and unlimited, like the internet itself.
The deficit of a well-developed, skilled workforce makes government and business recruitment efforts very difficult.
Developing sophisticated technical capacities has become a priority for US and global industries and governments.
The role of educators
No one plays a more important role in preparing the next generation of security professionals than educators and trainers.
We need to make sure existing education gives students a holistic view of cyber security with focus on relevance and proficiency.
The complicated state of cyber threats requires a learning methodology engendering critical thinking and deeper understanding to defend against increasingly complex cyberattacks.
A number of shortcomings exist in the conventional classroom training model in creating efficient and reliable cyber security professionals, according to the Software Engineering Institute.
Going forward, we will be facing increasingly interdisciplinary and multi-faceted challenges.
These will necessitate knowledge in different fields and areas, including law and law enforcement, criminology, engineering, and computer science, to name a few.
This is hardly a surprise, as the main elements of cyber security (technical perfection, process, and people) must be supplemented by the capability to manage shortcomings.
Deterrence Doctrine and SCP (Situational Crime Prevention) theories
Information system researchers analysing security compliance and behaviour use the deterrence doctrine, according to which the likelihood of violations is inversely proportional to the perceived risk and punishment.
A review found that this theory has been the most-cited one in Centre for Internet Security (CIS) security literature over the past three decades.
According to this literature, one must increase awareness of an organisation's efforts to limit ICT abuse and of the likelihood and/or extent of sanctions in order to reduce ICT violations.
The Situational Crime Prevention (SCP) Theory is widely used to study cybercrime and reduce criminal activities perpetrated or otherwise related to employees.
Most crimes are opportunistic and occur when a motivated offender detects a suitable and unguarded (or incapably guarded) target.
Proponents of the SCP theory find violators to be rational decision-makers who carry out an analysis of costs and benefits before committing a crime.
Accordingly, the SCP theory outlines five broad categories of efforts to counteract cybercrime that security professionals should make. They are presented in the table below:
Table 1. Categories of efforts to counteract cybercrime, according to SCP
The US government established a cyber skill task force to address the crisis in human capital in the field of cyber security, improve retention and recruitment of cyber security professionals, and identify the best ways to create and support a national cyber security workforce.
This initiative gave rise to the NICE Framework: a proposal to group, organise, and describe cyber security tasks.
The framework is comprised of seven categories covering 31 specialty areas, as well as details regarding work roles, skills, abilities, knowledge, and tasks.
It has become a good starting point for developing a central cyber security curriculum and a useful categorisation of topics and related skills.
Cyber security exercises
The NICE Framework and the Situational Crime Prevention Theory have been combined to design and deliver cutting-edge tools and strategies.
One notable example of how these are used is the Cyber Security Exercises (CSE), an offense/defense environment, in which students are grouped and get a virtual machine to host HTTP(S), FTP, SSH, and other services.
These services can then be accessed by other groups.
The CSE aim to reflect real-life environments for students to apply their skills.
The approach of CSE architecture has proved useful for translating theory into practice.
More specifically, CSE are elaborate learning experiences aimed at developing competence and expert knowledge through simulation.
They are associated with a number of pedagogical issues, including design of exercises and training outcomes and evaluation.
Training effectiveness can be improved based on analysis, observation, and integrating educational knowledge and focus at each stage of the life cycle of CSE, including planning, feedback, and implementation.
It's necessary to measure change systematically in order to improve CSE, ranging from organisational change to changing customer experiences.
Scenarios to help prepare cyber security professionals
According to the Center for Internet Security, technical professionals, admins, and users share the responsibility for security.
The CIS has prepared a series of tabletop exercises to help cyber security professionals and teams secure their systems by means of tactical strategies.
These exercises are intended to assist organisations in comprehending various risk scenarios and preparing for potential cyberthreats.
The exercises I'm about to present do not take very long to complete. They are a convenient tool to develop a cyber security mindset. They consist of six scenarios which list relevant processes, threat actors, and impacted assets:
Scenario 1: Malware infection
While using the company's digital camera for work, a staff member takes a picture that he then moves to his personal computer.
He does so by inserting the SD card, which, while connected to his PC, becomes infected with malware.
Unaware of this, he re-inserts the card into his work computer and the malware spreads throughout the organisation's system.
The question is how the company will now deal with this issue.
To answer this question, one needs to consider a few additional ones.
The first of these is who you'd need to notify within the company's structure.
It's important to identify the vector of the infection and to establish a process for doing so.
In addition, what should management's reaction be?
Are there any other devices that could present a similar risk?
Does the company have policies and training to prevent this and do these apply to all storage devices?
At the core of this scenario is user awareness and detection ability.
Scenario 2: Quick fix
Your underpaid and overworked network administrator is finally going on vacation.
Just as shes packing the last item in her suitcase, her boss asks her to deploy a critical security patch.
She comes up with a quick fix so she can make her flight.
Soon after that, your service desk technician tells you people have been complaining that they can't log in.
It appears the admin did not run any tests for the critical patch she installed.
Does the technician have the skills and knowledge to handle the issue?
If not, whom should it be escalated to?
Does the company have a formal change control policy in place?
Is staff sufficiently trained to escalate such issues?
Does the company have any disciplinary measures to take if an employee doesn't adhere to policies?
In the event of unexpected adverse impact, does the company have an option to rescind patches?
This is one of the threats that impact an organisation's internal network.
Patch management is the process tested.
Scenario 3: An unexpected hacktivist threat
In the wake of an incident involving accusations of use of excessive force by authorities, a hacktivist threatens to attack your company.
You have no idea what kind of attack they are planning.
What measures can you take to best protect your organisation?
What is your reaction?
Again, you need to look at the potential threat vectors.
Perhaps certain vectors have been common in the last few weeks or months.
What methods can be used to prioritise threats?
You must alert your help desk as well as other departments within the organisation to the threat.
A bulletin board is a nifty solution.
You need to check your patch management status if you haven't already, and augment IDS and IPS monitoring.
Think about getting outside help if you don't have the resources to manage all this by yourself.
Ask yourself what companies or organisations can help you analyse any malware identified.
It's evident that your response plan should account for such situations.
Your preparation is the process tested.
Your security professionals may be the first line of defense, but as you can see, they can't be the only one.
Your whole organisation needs to be involved, active, adequate, and compliant when security is at stake.
Scenario 4: Financial break-in
Following a financial audit, it emerges that a few people who have never actually worked for the company are receiving paychecks.
You conduct a review, which shows someone added them to the payroll a few weeks earlier, simultaneously, using a computer in the finance department.
How do you react?
The strategy starts with investigating how these people were added to payroll.
Let's say there was a break-in at the finance department prior to the addition.
A few computers were stolen.
However, there was no sensitive data on them, so the incident did not get serious attention.
See the original post here:
Preparing cyber professionals for the real world - ACS