WE NEED SECURITY PROS ZOMGWTFBBQ

[deanwebb]

http://www.scmagazine.com/shortfall-of-security-pros-increasingly-deliberate-attacks-worry-survey-respondents/article/409402/

Want some more job security? Get into security!

From the article: "To help close the skills gap, ISACA Thursday unveiled seven new Cybersecurity Nexus (CSX) certifications that combine skills-based training with performance-based exams and certifications. Courses will be available starting in the third quarter of 2015."

MOAR CERTS! YESH!

http://www.isaca.org/cyber/Pages/default.aspx

I'll keep my CCNP-Security current, but I'd like to pick up the CSX certs, as well. Anyone here have any knowledge of these, or will I be the first to take the plunge?

[SimonV]

Never heard of them before or seen them in job descriptions. Are they widely recognized?

[Otanx]

ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.

-Otanx

[deanwebb]

These aren't entry-level, either... Tests cost between $500 and $850. Ouch.

But amen to needing people to fill in roles. We're to the point where we'll take a good R&S guy looking for something new, if he'll do security.

I'm wondering if contract opportunities for security get yanked in favor of making them FTE positions, just because that'll be what it takes to get a guy to consider a position.

[NetworkGroover]

ISACA is pretty well regarded, and recognized. The certs are new so we will see how that works out. However, I am getting frustrated that everyone seems to think offering more certifications in cyber security is the way to increase the work force. We need more people, not the same people with more letters after their names.

-Otanx

Wow.. that's a pretty astounding statement.  Kudos.
*Disclaimer:  I'm not a security guy - just thought your statement was pretty deep, and valid.

[that1guy15]

I actually have BS in Security and that was my desired area when I was first getting started. In my first real job and about half way through my MBA I said screw this, and jumped back over to R&S. Im still very security minded but its an uphill fight that I just dont want to be a part of.

From what I have experienced, security will always be second (or lower) priority to business. So a perfectly good security plan will always be screwed up by management. Then when something happens you and your team are to blame since you wear the security badge. Nope, no thanks

I know there are exceptions out there.

I have a ton of respect for Sec guys and what yall have to deal with so dont take this as me bashing you. I actually have always gotten along with the security team when others cant.

[deanwebb]

When folks want to go second rate, I always politely note my concerns. That's a lot nicer than screaming, "YOU'RE ALL FOOLS! FOOOOOLS!" as I storm out of a meeting, tears of passion and betrayal streaming down my face. Also gets better results. Emotional response: "Oh, he's just a prima donna that's bent out of shape because we didn't do things exactly his way."

But the polite note? "Saaaay... this means I don't have plausible deniability if we have a breach, and he documented the concern, so we can't pin it on him not informing us of the risk... maybe we should spend a little more time on thinking this solution through..."

***

As it is, most entry-level security jobs involve setting firewall rules and dealing with questions about whether or not the firewall is blocking things...

[hizzo3]

Its hard to make a case for avoided risk on something you can't truly justify the cost. At least if you break a law, you have a starting point with fines. If you lose your data center, you can't say this would cost us 1.5 million with any reasonable certainty. This is why security tends to take a back seat. Until there are laws and regulations that must be followed, don't expect it to get better any time soon. In the mean time, companies will continue to cease to exist because economic losses from a data breach, etc is too much to recover from. Would too big to fail apply here too? I think I see the start of the next big recession.

[SimonV]

My previous job was mostly R&S and Wireless, which I loved. Lots of travel, hands-on projects and troubleshooting. Currently I'm working in more of a mid-level security role and frankly, most if it is just paperwork, meetings and dealing with all sorts of silly problems.

For example, we are implementing a certain NGFW and the last three weeks we've been burried in all sorts of tickets, ranging from AD problems or wrong credentials to agent installations that went wrong.

[deanwebb]

Security is definitely a role where having sysadmin skills comes in very, very handy.

[Fred]

Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.

Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, amazon makes more money--including those costs from fraud--by being less secure.

Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection. 

[jinxer]

Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.

Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, amazon makes more money--including those costs from fraud--by being less secure.

Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.

Good post


Sent from my iPhone using Tapatalk

[deanwebb]

That is sad, but true. Most people are too stupid and impatient to actually want security. That's why the best spies are the patient ones.

[hizzo3]

Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures amazon could put in place that would greatly reduce fraud.

]

Good post


Sent from my iPhone using Tapatalk

http://www.businessinsider.com/amazon-hit-with-91000-faa-fine-2014-4
I'm sure that is the same argument used in this instance. How much can they still make money before they bring down a plane full of people or cargo plane in a city.
A lot of risk management is intangible that still must be factored somehow.

[deanwebb]

Learned today:

"The hacker *may* show up. The auditor *will* show up."