What are your Security Challenges for 2018?

Published: 2017-12-27
Last Updated: 2017-12-27 00:25:01 UTC
by Guy Bruneau (Version: 1)
2 comment(s)

We are almost at the end of another year. Last year I wrote a diary on Talent Shortage [1] and from what I have seen, it is still difficult to find the right people with the right skills [2]. I read more than ever, enterprises have to start coming up with creative recruitment strategies to hire the next generation of security professionals (IP-based skillsets) and develop strong training programs to bring them up-to-speed with the right security skills needed to defend or audit their enterprise. Obviously, you can learn a lot of things in a classroom but some skills can only be acquired in the real world. Anyone willing to learn or is curious about how attacks methods works and how to defend against them, has strong ethics and problem solving skills sound like a candidate you might want to coach and hire.

Technologies are rapidly evolving and changing; keeping on top of all of them is difficult and not really possible. I think it is becoming important to specialize whether it is offensive (pen testing and audit) or defending networks. Don't get me wrong, I believe it is important to have a strong understand of both but I think at some point picking a side (auditing or defending) is the right thing to do.

Last but not least, cybercrimes are going to continue to grow and be more focus against selected products (corporate "secret sauce"), user data, groups and employees. Malicious actors are always looking for new methods to gain access, steal data and sell it to whoever is willing to pay for it.

What are your predictions for the coming year?

[1] https://isc.sans.edu/forums/diary/Is+there+an+Infosec+Cybersecurity+Talent+Shortage/21541/
[2] https://www.bricata.com/blog/cyber-security-talent-shortage/

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

2 comment(s)


Recruiters still looking for people to fill jobs who are in it strictly for the money...no passion, no desire for life long learning = no-go in this field.
I agree that the talent pool from which to draw is rather shallow. There are numerous universities offering degrees in infosec now, which is a good thing but what I've seen over the last few years hasn't been terribly impressive.

I worked for a smallish options exchange where there were a very few people involved in netsec/infosec. We handled all firewall changes, proxies, TACACS, SIEM, A/V, operations, yadda yadda yadda. We needed capable people with fairly diverse skillsets. We interviewed tons of people just coming out of school or still in school for an internship over a period of a few years. I realized that those coming out of these programs were really only trained on the infosec side of things, and had no understanding at all of anything on the network. No concept of firewalls, proxies, no understanding of TCP/IP or the OSI model.

I wasn't expecting to bring someone on board straight out of school that would have all these skills, but I at least expected some of them to be familiar. I found none of them bothered to install the various open source tools and operating systems to tinker with anything. That kinda blew my mind. In an era where hardware is relatively cheap and virtualization is free, not one interviewee had bothered. I imagine we interviewed between 30 & 50 candidates.

I now work for another exchange, and won't be involved in the interview process or attempting to track down talent. I'm glad that's the case, too.

Perhaps I expect too much. Dunno. I saw a lot of people that were going to be entrenched in relatively low level ops work for a long time.

Diary Archives