After many major breaches this year, it’s time to rethink 2014’s cyber defense with an eye on people, not products
By W. Hord Tipton, CISSP, Executive Director (ISC)2
As security professionals, we look back at 2013 with a sense of frustration that we are still losing ground to the bad guys. But while there were plenty of battles lost this year on the technical side, there is good reason to hope that the war can still be won in the long term – with promising developments on the human side.
There were many frustrations for the defense in 2013. Adobe reported the compromise of more than 38 million users’ personal data, and there were serious questions raised about the security of its source code. Chinese hackers cracked the systems at the New York Times and other major media, and an investigation later showed a calculated effort to crack U.S. government and commercial systems as well. And the face of privacy and cyber espionage changed with revelations of secret U.S. government documents that disclosed the details of NSA activities and intelligence-gathering practices.
These unprecedented data breaches were game-changing in their size and scope, but at a more fundamental level, they were reminders that today’s security departments still have not mastered the basic “blocking and tackling” of data protection. The Adobe breach exposed the weaknesses of the password system and the failures of current, outdated forms of authentication. China’s attacks on the media pointed out enterprises’ vulnerability to social engineering and the inability of current systems to detect sophisticated malware.
These fundamental failures exposed the weaknesses of defenses that rely primarily on technology as the first and most important line of defense. They were setbacks of epic proportions – but sometimes it takes such setbacks to force an industry to think differently. And there is good reason to believe that such a shift is beginning now, and that the wave of new thinking will continue to rise rapidly in the New Year.
At its heart, this sea change puts a bright spotlight on an issue that has long been overlooked: the need for skilled security professionals. For years, the industry has been skimming by with a small, undertrained security workforce, and the weaknesses have begun to show. The overwhelming nature of hacktivists’ social engineering and denial of service attacks exposes the shortage of manpower in the security department. The sophisticated nature of today’s targeted attacks exposes the need for more specialized skills, such as computer forensics and application security. Attacks on vertical markets have exposed the need for industry-specific skills, such as the support of healthcare and government systems.
In 2014, I predict that the industry will begin to meet its frustrating chain of breaches and failures not only with better technology, but with more skilled, and improved, security teams. Finally tired of compromises that put their organizations in the headlines, members of the C-suite will begin to invite the security department to the table during the discussion of major business and organizational initiatives. Security will begin to be seen as a fundamental building block of IT-driven programs, and cybersecurity risks will begin to be factored into the business equation as a business imperative.
Driven by awareness at the topmost levels of the executive suite, IT managers will also rely more heavily on their security teams, integrating security into business-critical initiatives such as mobility, application development, and business intelligence. Once seen as separate camps, IT and security will begin a new wave of collaboration, and the result will be more secure systems and improved security awareness across IT operations, software development, and endpoint management.
This new emphasis on security in the C-suite and in the IT department will drive growth in security’s “human capital.” Spending on security staffing and training will increase. Salaries for skilled security professionals will grow. And there will be a stronger understanding of the value of security to the business, making security an even more important part of tomorrow’s plans and budgets. The impacts of security breaches are now recognized as harming the global economy, and recovery from their effects may take several years.
And of course, our team at (ISC)2 will be there to support this growing emphasis on security skills and staffing. Already we are developing new methods for testing and certifying security professionals to make them more applicable to today’s changing threat environment. For example, you will see that our tests are evolving to now emphasize scenario-based and advanced format questions and detailed practical knowledge over traditional multiple-choice testing methods.
Technology lost many battles for the defenders in 2013, but those losses taught us a valuable lesson – that the capabilities of technology are extremely limited unless they are supported by an army of security professionals that is strong in numbers and honed in its skills. Armed with this lesson, I believe that the tide in the cybersecurity war could turn in 2014 – and the defenders with the strongest human skills will have the advantage.