ISACA CEO Matt Loeb: Cybersecurity Month Highlights Challenges and Opportunities

We are at a pivotal moment in time. Cyberattacks continue to escalate, and they have now emerged as a top technology risk in the World Economic Forum’s Global Risks 2015 report. Exacerbating this issue is the widening gap between demand and supply of properly trained cybersecurity professionals. We are in the midst of what is now described as a “perfect storm,” and as we wrap up another Cybersecurity Awareness Month, it’s the right time for ISACA to provide a forum for keeping the conversation moving forward.

Your roles—many as cyber first responders—have become more complex and more critically important to your organizations than ever before. Cybersecurity is more than a business issue and more than a concern over financial security. It’s a matter of public safety, and therefore needs to be monitored and addressed at all times. Cybersecurity doesn’t take holidays. Cyber threats don’t have borders and are fueled by smart and motivated people. The numbers tell the story:

  • 83 percent of organizations believe that cyberattacks are one of the top three threats facing organizations today.1
  • 86 percent of cybersecurity professionals say there is a global shortage of skilled cybersecurity professionals, and only 38 percent feel their organizations are prepared for a sophisticated attack.1
  • Nearly two million cyber security professionals will be needed globally by 2017.2
  • Attempted cyberattacks on corporate IT networks jumped 458% last year.3
  • And, recognizing these issues, companies will invest more than US $170 billion on cybersecurity by 2020.4

While these statistics are daunting, I challenge you to look at them as opportunities. Digital technologies are the backbone of the world economy, of our society, and are a key enabler of innovation, freedom and prosperity. Times like these enable us to look ahead and work together in addressing the evolving technology challenges that we face. Over the next few years, we can shape future technology decisions, traditionally based on benefits, cost and ease-of-use, to include a more strategic focus on security.

The need to improve cybersecurity is more urgent than ever as enterprises around the world struggle with finding knowledgeable and experienced cybersecurity staff. Hiring and retaining skilled workers is a significant global issue. However, there is an upside. The global skills gap creates a variety of career opportunities for students, recent graduates and professionals seeking a career change. Those who can demonstrate their skills in this area can earn higher incomes and choose the jobs that provide them with the most rewarding experiences.

Deploying technology and retaining the right staff to enable innovation and build the business is best accomplished when done in a focused and strategic manner. Cyber and technology advances, while fraught with risks, are bringing great opportunity. It is up to us to take the action necessary to capitalize on these opportunities for the benefit not just of our enterprises, but for the society as well.

Matt Loeb, CGEIT, CAE
CEO, ISACA

1 2015 Global Cybersecurity Status Report
2 National Cybersecurity Institute at Excelsior College
3 AT&T Cybersecurity Insight Report
4 MarketResearch.com

[ISACA Now Blog]

(ISC)² Associate Program: The Entry Pathway to a Cybersecurity Career

As noted in our latest Global Information Security Workforce Study, the majority of security professionals (78 percent) anticipate the greatest need for new hires at the entry-level in their organizations. With a predicted shortage of 1.5 million global cybersecurity professionals by 2020, we must put efforts behind bringing more entrants into the industry. It’s one of my goals to bring more awareness to the Associate of (ISC)² program, which is ideal for students, recent graduates just beginning their career journey, or those new to cyber, information, software and infrastructure security.

Many college graduates today have a difficult time finding employment post-graduation. The information security industry has long experienced a shortage of qualified professionals, making unemployment virtually nonexistent. Bringing graduates into careers at the entry-level and setting them up on a pathway to success is essential to garner the growth we so desperately need. I believe that this program has enormous potential to have a real impact on not only bringing entrants into careers, but helping to develop the qualified security professionals needed to combat growing cyber threats.

By becoming an Associate, you, as an aspiring cybersecurity professional, join an internationally respected organization of nearly 110,000 professionals to network and learn. You also have the added benefit of earning a reputation for industry knowledge and expertise by passing one of our rigorous credential exams before you’ve obtained the requisite years of experience. Additional benefits of becoming a member include the option of joining a local (ISC)² chapter, and having access to monthly webinars, regional multi-day and one-day conferences, members-only InfoSecurity Professional magazine and more, all at free or deeply discounted prices for members.

Earning one of our certifications is a recognized accomplishment, career differentiator, and in-demand for industry jobs. A 2015 Burning Glass Cybersecurity Jobs report found that nearly 50,000 job postings requested candidates holding the CISSP in 2014. Those newer to the field may see our solid experience requirements as an obstacle and look elsewhere to start their career paths. But they shouldn’t! The Associate of (ISC)² program offers you the opportunity to earn the status that comes with becoming a member of our organization while you gain more experience, continuing on your career path to earn one of our credentials; thus advancing your career.

Associates of (ISC)² will also soon be able to broadcast achievements via digital badging.  Digital badging is a major trend in the credentialing space, and is designed to translate learning outcomes, including certifications, into digital, web-based representations.  These badges can then be broadcast to social media sites, shared via email, or added to a website.  Sharing accomplishments in a verifiable way is also key for candidates to achieve their ‘dream job.’  When the program goes live in December, Associates of (ISC)² and members who have our certifications will receive an invitation to claim their digital badge(s) and begin sharing their accomplishments with the world.

As CEO for (ISC)², it’s my job to advocate for programs that I believe help to drive our vision to inspire a safe and secure cyber world. The Associate program, currently at more than 3,000 strong globally, has enormous potential to cultivate aspiring cyber, information, software and infrastructure security professionals to become part of a qualified workforce, filling the current and future needs of the industry. Let’s spread the word about providing a pathway for professionals looking for that first step on their pathway to a cybersecurity career. For more information about the Associate of (ISC)² program, please visit https://www.isc2.org/associate/default.aspx.

(ISC)² CEO David Shearer

[(ISC)² Blog]

The Blind Spot of Insider Threat

Security threats from inside the organization are increasing, but too many organizations hesitate to address the issue. They’re afraid that monitoring employee behavior implies they don’t trust employees. Today, the reality is that employees are often unintentional actors. They’re increasingly being used as vectors and vessels by sophisticated cyber organizations, which want employee credentials to access valuable data.

We’re seeing an increase in employee-targeted phishing attacks and credential theft, because the credentials allow hackers to bypass a huge amount of security investment—the firewall, the perimeter, the encryption—essentially 90% of your security strategy.

As CISOs, we need to get past the insider blind spot to adequately protect our organizations. The first step is to define insider threat more accurately and more tactfully—as either a known actor with motive and opportunity or an actor who unknowingly becomes a conduit, who is essentially a victim.

I try to take an approach that defends against both scenarios, an approach that says: “I’m not sure if your credentials were handed to the bad guy or harvested through malware. Regardless of how it happened, if there’s a deviation or situation where a credential is suspect, then we will detect and respond.”

The bigger challenge is how to detect the deviations. And that requires understanding what the normal state looks like. If you were to look at Edward Snowden and say you wanted to protect against that type of data breach, then you have to be able to understand at what point his access and his abuse occurred. At what point did he go from his normal three years as a contractor to someone behaving maliciously.

Or in the case of Anthem, in which a database administrator’s credentials were stolen, when did that administrator’s normal network behavior change. If the admin logged in every day from 9 to 5 p.m. and then all of a sudden was logging in at 3 a.m., that would tell you something.

To understand what normal looks like at Surescripts, we’ve invested in advanced analytics and other technologies that allow us to profile good behavior. So if we had an Edward Snowden, I would have been able to see and potentially detect the moment he started to abuse his privilege, because I’d have a historical view of his digital behavior over the past three years.

The key for any CISO to gain support for this type of internal profiling strategy is not to focus on distrust. Rather, focus on the need to find the anomalies that lead to internal data breaches—by both intentional and unwitting internal actors.

Paul Calatayud is the Chief Information Security Officer for Surescripts.

[Cloud Security Alliance Blog]

People of Palo Alto Networks: Get in on the Ground Floor

Technology is great. People are better. “People of Palo Alto Networks” celebrates the employees who preserve our unique culture of innovation and collaboration.

Episode 2

Watch us break ground on our new campus.
Big changes are in the future for us – want to be a part of it?

Get in on the ground floor and learn more about securing your career with Palo Alto Networks:

[Palo Alto Networks Blog]

English
Exit mobile version