Information security professionals are making progress, but they are still losing the race against adversaries, according to Hord Tipton, executive director of security professional certification body (ISC)2.
“Even banks are going into mobile transactions, despite the fact that this is still one of the most dangerous areas in terms of security threats,” he told Computer Weekly.
Despite the lack of skilled people, Tipton said there is room for improvement as those in the field continue to “fight the good fight” to bring the effect of cyber attacks down to an acceptable level.
“Typically only around 10% of the easy stuff is being addressed, but we cannot afford to ignore the low-hanging fruit,” he said.
Tipton said improvement can come in areas such as reducing the number of days it takes for organisations to detect that they have been breached, which is around 320 days on average.
Security skills must be kept up to date
In addition to broad-based skills, Tipton said there is a growing demand for specialised skills in areas such as software assurance and forensics.
“I am excited about the new Cyber Forensics Professional Certification (CCFP) because that will enable practitioners to learn what they need to feed back into the preventive side to ensure the same weaknesses are never exploited again,” he said.
The new Secure Software Lifecycle Professional Certification (CSSLP) is aimed at creating skills in building software secure from the start of the development process.
“If businesses knew the cost of patching bespoke, in-house and even commercial software, the demand for software assurance would be extremely high,” said Tipton.
Taking the sceptical view that most organisations will be breached at some point, Tipton said it is important that organisations do not neglect traditional preventive strategies.
“If we are ever to get losses down to acceptable levels, we can’t give up on prevention,” he said.
Two commonly overlooked areas are application security updates or patching and proper configuration management. Although both require manpower, Tipton said if done properly, the gains are huge.
Continuous monitoring is a new area that is becoming more prominent, he said, which is a good thing because it is a form of preventive control, but requires a forensic capability to translate data into action.
This is where security practitioners who have forensics training could be invaluable to organisations in being able to analyse and interpret logs to help fine-tune cyber defences.
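As an added illustration of the point above, namely continuous monitoring that only becomes a preventive control once someone can turn log data into an action, the script below is example code written for this article and is not from (ISC)2 or the people quoted. It parses a handful of constructed OpenSSH-style auth log lines (documentation IP addresses, made-up timestamps), flags a source that produces five or more failed logins within a five-minute window, and escalates when that same source is subsequently accepted, which is the finding a defender would actually act on. The log format, window and threshold are assumptions chosen for the example.

```python
"""Continuous monitoring as a preventive control: turn raw log data into an
action. Added example, not code from the article or from (ISC)2. The log
lines are constructed in an OpenSSH auth.log-like format and use
documentation IP ranges only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source brute-forces root and then gets in,
# a second source has a single benign failure followed by a key login.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[2102]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:09 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:12 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-01T10:05:00 sshd[2107]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:30:00 sshd[2108]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Assumed line shape: ISO timestamp, sshd[pid], result, auth method, user, ip, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures within WINDOW that trigger a finding


def parse(line):
    """Return (timestamp, result, user, ip) or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def analyse(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (severity, ip, detail) findings in log order.

    'high'     - at least `threshold` failed logins from one IP inside `window`
    'critical' - an accepted login from an IP already flagged above, i.e. the
                 event that should trigger an incident response action
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("high", ip, f"{len(q)} failed logins within {window}"))
        elif result == "Accepted" and ip in flagged:
            findings.append(("critical", ip, f"accepted login for {user} after brute-force pattern"))
    return findings


if __name__ == "__main__":
    for severity, ip, detail in analyse(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {detail}")
```

The sliding window matters: counting failures over the whole log would flag slow, legitimate mistakes, while the window keeps the alert tied to a burst. Tuning the threshold is the "fine-tune cyber defences" step the text refers to; lowering it too far produces noise that nobody acts on, raising it too far misses the pattern entirely.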
Investing in future information security professionals
To help ensure more skilled people enter the cyber security profession, Tipton said organisations have got to create career pathways in the field to attract talented individuals from a young age.
Through around 10,000 volunteers in 105 member chapters around the world, (ISC)2 runs school programmes to help “build the pipeline” of information security professionals.
“Organisations need to make it known that they offer challenging and lucrative careers in cyber security,” said Tipton.
In another outreach initiative, (ISC)2 is running a pilot training programme for graduates to become associate members with a view to becoming fully fledged members with work experience.
Looking ahead, he said businesses need to look at ensuring they have the right people with the right skills and that the software they are using is free of vulnerabilities that can be exploited.
With the amount of outsourcing, including cloud, it is also important for businesses to achieve security oversight through the supply chain.
For its part, (ISC)2 is working with the Cloud Security Alliance (CSA) on a certification for advanced cloud practitioners.