In a previous blog on challenges in today’s security environment, we discussed the shortage of cybersecurity personnel: 3.5 million positions are expected to go unfilled by 2021. According to the Global Information Security Workforce Study, the main reason for this gap is not a lack of candidates per se; it is a lack of qualified candidates. We have assembled a brief list of the top skills every security professional should have, as a quick guide for both decision-makers and aspiring cybersecurity workers.
Risk Management: Know Your Organization

The most important skill a security professional needs is risk management, which has two main components. The first is the ability to analyze each vulnerability in terms of the risk it poses to your company specifically; the second is the ability to demonstrate and communicate that analysis to security team members, executives, and other stakeholders.
Newcomers to security may be tempted to rely on “objective” numbers such as CVSS base scores. These metrics paint only part of the picture: a base score describes the vulnerability in isolation, not what it means in your company’s unique environment (which asset is affected, how critical it is, and who can reach it). A base score also says nothing about whether the vulnerability is actually being exploited in the wild. Proper risk assessment is ultimately about knowing your organization and its assets, not just the threats, and all of these factors need to be incorporated for proper risk management.
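To make the contrast between a raw CVSS score and a contextual risk rating concrete, here is an added example (not code from the original post) that ranks findings by combining the base score with asset criticality, network exposure, and exploitation status. The multipliers, the `Finding` fields and the sample findings, including the placeholder CVE identifiers, are constructed for illustration and are not a published scoring standard.

```python
"""Contextual vulnerability prioritization (added example, not the post's code).

The weights below are illustrative assumptions, not a standard; a real
programme would calibrate them against its own asset inventory.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Illustrative multipliers (assumptions, not a published scheme).
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 1.5, "crown-jewel": 2.0}
EXPOSURE = {"isolated": 0.5, "internal": 1.0, "internet": 1.5}
EXPLOITED_IN_WILD_BONUS = 3.0    # added when the flaw is known to be exploited
NO_PUBLIC_EXPLOIT_PENALTY = 0.8  # multiplier when no exploit code is known


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                  # placeholder identifiers below, not real CVEs
    cvss_base: float          # vendor/NVD base score, 0.0-10.0
    criticality: str          # business importance of the asset
    exposure: str             # who can reach the asset on the network
    exploited_in_wild: bool   # e.g. listed in a known-exploited feed
    public_exploit: bool      # proof-of-concept or weaponized exploit published


def contextual_score(f: Finding) -> float:
    """Score = base score, scaled by how much the asset matters and how
    reachable it is, then adjusted for what attackers are doing with it."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss_base}")
    score = f.cvss_base * CRITICALITY[f.criticality] * EXPOSURE[f.exposure]
    if f.exploited_in_wild:
        score += EXPLOITED_IN_WILD_BONUS
    elif not f.public_exploit:
        score *= NO_PUBLIC_EXPLOIT_PENALTY
    return round(score, 2)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest contextual score first; ties broken deterministically."""
    return sorted(findings, key=lambda f: (-contextual_score(f), f.asset, f.cve))


# Constructed sample findings. Note the CVSS 9.8 on an isolated lab box
# ends up ranked below a 7.5 on an internet-facing, actively exploited asset.
SAMPLE_FINDINGS = [
    Finding("lab-vm-07", "CVE-0000-0001", 9.8, "low", "isolated", False, False),
    Finding("payments-api", "CVE-0000-0002", 7.5, "crown-jewel", "internet", True, True),
    Finding("intranet-wiki", "CVE-0000-0003", 8.8, "medium", "internal", False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{contextual_score(f):6.2f}  {f.asset:14s} {f.cve}  (CVSS {f.cvss_base})")
```

Sorting purely by `cvss_base` would put the lab VM first; the contextual ranking puts the exposed payments service first, which is the point the paragraph makes.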
Threat Assessment: Know Thy Enemy

Threat assessment focuses on researching and understanding exploits in depth. Doing it successfully requires the ability to investigate threats and to maintain ongoing awareness of them. This means gathering data from external sources in order to understand how a threat is being exploited in the wild, and then feeding that data into the organization’s vulnerability remediation process.
Threat assessment means taking a “know thy enemy” approach: identifying a threat’s characteristics and any Indicators of Compromise (IOCs) associated with it, as well as the history behind it, the attack vectors it can use, and its capabilities. The better you understand a threat, the better the decisions you will make about the next steps if you need to remediate.
Vulnerability Assessment: Know Your Own Network

Just as security professionals must be able to assess external threats, they must be able to examine their networks from the inside, searching for vulnerabilities that attackers could exploit and offering suggestions on how to strengthen network security. To do this, professionals must become familiar not only with their own software but also with any third-party software in use. This includes reading reviews and other studies from different sources and correlating the results of that research. As part of this assessment, other team members and stakeholders should be consulted, both to make the most of their knowledge and to help keep security on everyone’s agenda. As always, the focus should be on the vulnerabilities that pose the greatest risk to the company’s specific network and data.
Security Tools Expertise: Know Your Arsenal
Sound security practice begins with knowing your company’s security tools well, understanding how to make the most of them, and being able to advise executives on which ones your company needs -- or doesn’t -- and why. Basic knowledge of your tools isn’t enough. As James Stagner points out, far too many tools are left on their default settings because they were only purchased to satisfy a corporate requirement. Although this may help pass an internal or external audit, this kind of passive “use” means the tools are not working to their full potential, and it may weaken your network’s security rather than harden it. Security teams may believe they are “covered” because they have the right tools in place, when in fact they are still exposed because the tools are not configured or used correctly.
Make the Automation/DevOps Synergy Work for Security
Automation is a major part of the DevOps approach to development. If you work in an agile environment or on cloud-native apps, you are already familiar with this synergy in your CI/CD pipeline. Automation can also be a great driver for security, especially when you are working at scale. Automating key remediation steps ensures that fixes are applied accurately, efficiently, and consistently. This matters most in enterprise environments, where there may be many instances of the same asset across the company network. Automation is also a good way to keep your CI/CD pipeline itself safe and secure, and there are some excellent open-source tools for this.
Last but not least: learning to write scripts will make it easier for you to run security procedures that are repetitive and/or complex, especially those that involve more than one asset. With environments now including software written in several languages, scripts are vital for ensuring that work is done properly and the same way every time. Writing an effective script requires both technical knowledge and knowledge of the business. This becomes even more important when remediating vulnerabilities in the environment, since the fix you choose must close the vulnerability without causing unintended consequences, such as breaking an application that depends on the component you are changing.
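As an added example of the kind of script the two paragraphs above describe (not code from the original post), the block below plans a fleet-wide remediation of one vulnerable package across many hosts. The inventory lines, package name `libexample`, fixed version and pinned-host list are all constructed for illustration. It shows two things a remediation script needs to get right: comparing versions numerically rather than as strings (a plain string compare says `"1.9.3" > "1.10.1"` and silently skips hosts that need patching), and a dry-run plus an owner-pinned exclusion list so that an automated fix does not break an application that depends on a specific version.

```python
"""Fleet-wide remediation planning for one vulnerable package.

Added example, not the post's code. Inventory lines, package name, fixed
version and pinned hosts are constructed sample data.
"""
import re
from typing import FrozenSet, Iterable, List, Tuple

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric.
    Plain string comparison would wrongly rank '1.9' above '1.10'."""
    v = v.strip()
    if not VERSION_RE.match(v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A host is vulnerable if its installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def plan_remediation(inventory: Iterable[str], package: str, fixed_in: str,
                     pinned_hosts: FrozenSet[str] = frozenset()):
    """Return (to_patch, skipped).

    to_patch: [(host, installed_version)] that should be upgraded.
    skipped:  [(host, installed_version, reason)] vulnerable hosts that
              must not be auto-patched, e.g. because the application owner
              has pinned the version; these go to a human, not a script.
    """
    to_patch: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str, str]] = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, pkg, version = (part.strip() for part in line.split(","))
        if pkg != package or not is_vulnerable(version, fixed_in):
            continue
        if host in pinned_hosts:
            skipped.append((host, version, "version pinned by app owner"))
        else:
            to_patch.append((host, version))
    return to_patch, skipped


def render_commands(to_patch, package: str, fixed_in: str, dry_run: bool = True) -> List[str]:
    """Produce the per-host upgrade commands. With dry_run (the default) each
    command is prefixed so it only echoes; nothing is executed by this script."""
    prefix = "echo DRY-RUN " if dry_run else ""
    return [f"{prefix}ssh {host} sudo apt-get install -y {package}={fixed_in}"
            for host, _ in to_patch]


# Constructed sample inventory: host,package,version
SAMPLE_INVENTORY = """
# host,package,version
web-01,libexample,1.9.3
web-02,libexample,1.10.0
web-03,libexample,1.10.2
db-01,libexample,1.8.0
db-01,otherpkg,3.2.1
batch-01,libexample,1.9.9
""".splitlines()
FIXED_IN = "1.10.1"          # assumed version that closes the flaw
PINNED = frozenset({"db-01"})  # assumed: owner pinned this host's version

if __name__ == "__main__":
    patch, skip = plan_remediation(SAMPLE_INVENTORY, "libexample", FIXED_IN, PINNED)
    for cmd in render_commands(patch, "libexample", FIXED_IN):
        print(cmd)
    for host, version, reason in skip:
        print(f"SKIP {host} ({version}): {reason}")
```

Run as-is it only prints the plan; flipping `dry_run` to `False` after reviewing the output is the deliberate second step, and the pinned hosts are surfaced for manual handling rather than silently upgraded.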
The Future Belongs to the Secure
Security professionals need to keep up to date with the latest tools, technologies and techniques in order to contribute and offer value to their companies. As the risk posed by threat actors continues to grow, professionals with the sharpest skills will remain in demand, and with good reason. We urge individuals and companies alike to increase the time and effort they devote to professional training.