@ISACA Volume 20 4 October 2017

Addressing the Biggest Cyber Security Threat: The Shortage of Qualified Talent


Avani Desai

Everyone knows that a company's greatest assets are its people. Finding the right person for the job can be a long and costly process. This is even more true when looking for cyber security specialists to fill open positions. Finding and retaining people with the necessary cyber security skills, both now and going forward, is a job in its own right.

The present need for cyber security specialists has developed largely due to the massive rise in security exploits and breaches. With so much at stake in a growing market, including enterprise breaches and changing security technologies, there is a growing need for cyber security awareness. As such, there is a heightened demand for very specific knowledge and expertise. So, even though the market is growing, finding and keeping individuals with the right specialties is becoming ever more difficult, especially since the new landscape requires that every organization retain its security specialists.

The Cyber Security Staffing Landscape

During the fourth quarter of 2016, a Cybersecurity Ventures report inquired into staffing levels in the industry and determined that 6 million security specialists will be needed by 2019. Unfortunately, the expected number of qualified experts is projected to fall short by 1.5 million professionals. This need is further illustrated by the US Bureau of Labor Statistics, which anticipated an 18% increase in demand for security analysts alone. This projected gap in supply will result in a need to innovate around the problem. If there are no practitioners who can be brought in-house, then the need should either be filled by training current employees or by replacing needed skills with other methods.

Training internal staff in cyber security is one way to create an internal pool of specialists. In fact, the US Department of Homeland Security (DHS) is using this model to create the next generation of cyber security specialists. The DHS runs an internship program in which interested professionals can take part in a 10-week course where they are trained alongside government security experts. As helpful as this may be in terms of solving the projected shortage problem, the major issue with this type of program is that it requires in-house experts who can perform the training. Even though this may not be a solution all organizations can implement, as DHS continues with its program, its trainees will soon enter the marketplace with the right skills for the industry.

The rise in demand for cyber security skills has led to inflation of cyber security staff salaries. Supply and demand rules apply to the recruitment and retention of qualified staff. Research by Indeed.com on salaries for information security specialists across the United States found that Minneapolis, Minnesota, USA, experts were paid the most, at an average annual salary of US $127,757. Annual salaries in Seattle (Washington, USA) and San Francisco (California, USA) were not much less, averaging just over US $119,000. Until the supply of experts grows in the cyber security industry, top dollar will need to be allotted to hire and retain experienced staff in the next few years.

Dealing With Cyber Security Staffing

Organizations that lack qualified information security experts should consider these short-term solutions:

  • Use a security consultancy—If an organization cannot recruit directly, security needs to be outsourced to external consultants. Many organizations already use this method, and demand for these services is expected to grow by 10% by 2021. Smaller organizations benefit from using cyber security consultancy services, because they get more holistic service across the security spectrum.
  • Outsource security to a Security as a Service company—Cloud computing itself has its own security challenges, but it has also created new ways of using security tools. Security as a Service (SaaS), such as managed security service providers and cloud-based security platforms, may solve some staffing issues and alleviate the need to find in-house personnel with specialist knowledge regarding certain security solutions.
  • Be attractive to employees—Money does not always attract the best talent. If a workplace is open to alternative working models, it may attract talent away from the big industry players. This is especially true of technical staff, who often want a more flexible work pattern and do not wish to adhere to the normal 9 to 5 office routine. Allowing cyber security staff to work from home or have flexible hours may be enough to sway them away from the larger corporations and higher salaries.
  • Be part of the industry—Supporting cyber security employees’ attendance at conferences and training events goes a long way. To be an even more attractive workplace, organizations should get involved, too. Whether the organization is financial, develops code or manufactures products, there are conferences and industry events to participate in and establish the organization’s role as an engaged thought leader.

No matter how an organization chooses to strengthen its information and cyber security teams, through in-house or external means, it is clear that it is a necessary expense in the coming years. Large enterprises have already accepted the need to invest heavily in cyber security—JP Morgan doubled its cyber security budget to US $500 million in August 2015. Organizations believe this enormous increase is necessary to protect against the growing onslaught of cybercrime. JP Morgan and other organizations know that the extra funds will provide the best resources, including specialized cyber security talent. These types of increases in security budgets will, no doubt, become the norm as more companies begin to vie for the best available personnel.

However, if the talent is not there or an organization cannot afford it, it must look at other options to close the cyber security skills gap. In the meantime, one positive step all organizations can take is to educate all staff members to make them security and privacy aware, aiming to ultimately train everyone to be knowledgeable about security at the very least. As phishing remains the biggest source of malware infection, being able to spot a problem before it happens goes a long way toward reducing risk and managing a lack of in-house security specialists. Either way, organizations must make changes to match the growing number of cyberthreats as best they can.

Avani M. Desai, CISA, CRISC, CIA, CIPP, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Her focus recently has been on emerging technology concerns and issues.


See to Protect Your Infrastructure


How can you adequately protect what you cannot see? There are entire frameworks built around visibility into every device and application on your network. Best practices to ensure transparency in your infrastructure include discovering your network assets across all physical, virtual and hybrid cloud infrastructure; extracting actionable insights from network data; monitoring and analyzing your network devices and applications; and detecting and analyzing domain name system (DNS)-based attacks.

To help improve your visibility, ISACA and Infoblox present the “Visibility Is the Key to Infrastructure Protection” webinar to discuss how organizations can apply these best practices to their infrastructure/network. This webinar takes place on 12 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Sam Kumarsamy, who is currently working in security product marketing at Infoblox, will present the webinar. Kumarsamy will use his experience in security and disruptive services as a guide to explain how these best practices apply to current network infrastructure.

To learn more about this webinar or to register for it, visit the Visibility Is the Key to Infrastructure Protection page of the ISACA website.


Discover the Link Between Governance, Risk and Automation


Governance, risk and automation all go hand-in-hand. How IT governance works and how risk is involved are central to the industry. Once you have an established framework with risk prevention measures in place, you can then go about implementing automated solutions to manage these issues.

To aid in your understanding of industry governance and risk, ISACA and Lockpath present the “Governance, Risk and Automation—Part I” webinar to explore concepts central to IT governance and risk. The presenters will describe IT governance, how it works and then go deeper into one central aspect: risk. Automation will be covered in part II of the webinar at a later date. Part I of this webinar takes place on 10 October at 12PM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Peter Tessin, CISA, CGEIT, CRISC, MSA, PMP(Ret), and Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, will present the webinar. Tessin, senior manager for business technology, risk and compliance at Discover Financial Services, will use his experience with the COBIT 5 framework to show how risk affects IT governance and how you can manage this risk. Heschl is head of digital security at Red Bull and is an ISACA Austria Chapter board member. He will use his experience on various COBIT task forces and in authoring COBIT publications to further illustrate the effect of risk on IT governance and risk management.

To learn more about this webinar or to register for it, visit the Governance, Risk and Automation—Part I page of the ISACA website.


Use ISACA Privacy Principles to Perform GDPR DPIAs


As privacy breaches continue to occur and data continue to proliferate, the need to protect these data becomes more important each day. The European Union (EU) addressed this by issuing the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. Compliance will be necessary for many organizations, and ISACA has released a new paper, What Does It Mean to Me: GDPR Data Protection Impact Assessments, to address these compliance needs. An associated tool, in Excel format, has also been released. This tool can be used by privacy practitioners to conduct data protection impact assessments (DPIAs).

This is the first release in ISACA’s new “What Does It Mean to Me” product line designed to provide context around a topic that may impact you or your profession. Because of the criticality of this topic, this introductory release is complimentary for a limited period of time.

The GDPR is designed to harmonize personal data protection laws across the EU and reshape the way enterprises approach data privacy. Whether your enterprise has offices in the EU; employees, contractors, consumers, customers, patients or other people who are citizens of, located within or currently traveling through the EU; processing that includes some type of monitoring activity within the EU; or goods and/or services that are available to those located within the EU, it will have to comply with GDPR.

ISACA’s What Does It Mean to Me: GDPR Data Protection Impact Assessments paper illustrates how ISACA’s privacy principles align with specific GDPR articles so that your enterprise can perform DPIAs to establish GDPR compliance and avoid the fines imposed for noncompliance. You can access the complimentary ISACA paper and the associated tool on the What Does It Mean to Me: GDPR Data Protection Impact Assessments page of the ISACA website.


Learn to Assess Your Enterprise’s SSH Usage


As the use of public networks increases, the security deficiencies of private network protocols become more apparent. One of the most prominent deficiencies is clear text data transmission. Secure Shell Protocol (SSH) offers secure transmission over public networks. Its use includes a variety of security mechanisms such as encryption and authentication. The effectiveness of these security mechanisms should be assessed on a periodic basis. The effectiveness of encryption, authentication and the controls around SSH governance, configuration and key management can all be assessed by using the ISACA Secure Shell Protocol (SSH) Audit/Assurance Program.

The objective of the ISACA Secure Shell Protocol (SSH) Audit/Assurance Program is to provide enterprises with a means to assess the effectiveness of SSH protocol usage. The SSH audit/assurance program covers the following areas:

  • Governance—SSH policies and practices have been drafted and implemented to ensure strong controls such as prohibiting users from sharing private keys, implementing continuous monitoring and requiring key rotation.
  • Configuration—Configuration of SSH aligns with the enterprise’s SSH strategy and protocols.
  • Access management—Only authorized access to production environments, backup servers and high availability (HA) clusters is permitted, and that access is the minimum level of access necessary to meet stated business needs. A formal process is in place and enforced for disabling access for users who are transferred within the enterprise or who separate from the enterprise.
  • Continuous monitoring—Processes for authentication and key management are evaluated to ensure that they detect unauthorized access, misconfigured keys or other vulnerabilities.

Conducting a formal assessment of an enterprise’s SSH practice effectiveness allows an enterprise to know where controls are working as intended and where areas for improvement exist. The ISACA Secure Shell Protocol (SSH) Audit/Assurance Program provides IT auditors with the tools needed to successfully assess the risk associated with SSH usage. To download this audit program, visit the Secure Shell Protocol (SSH) Audit/Assurance Program page of the ISACA website. For more about the importance of enterprise SSH usage, download ISACA’s SSH: Practitioner Considerations white paper.
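Several of the control areas listed above (configuration aligned with policy, least-privilege access to production, key rotation, and monitoring for misconfigured keys) can be partly evidenced with automated checks. The script below is an added, illustrative example written for this page; it is not part of the ISACA audit program or any vendor tool. It assumes a constructed sshd_config fragment, a constructed key register (authorized_keys itself carries no issue dates, so key age has to come from an enterprise inventory) and an assumed rotation policy of 365 days; the requirement that root keys carry a from= restriction is likewise an assumed policy, not one stated on the page.

```python
"""Illustrative SSH audit checks (added example, not ISACA's program)."""
import re
from datetime import date

# Constructed sample sshd_config. Note the duplicated PermitRootLogin line:
# sshd honours the FIRST value it reads for a keyword, so "yes" wins here.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
LogLevel INFO
"""

# Constructed key register: one record per authorized_keys entry, with the
# issue date an enterprise key inventory would hold. Key material is elided.
SAMPLE_KEY_INVENTORY = [
    {"host": "prod-db-01", "user": "deploy", "issued": date(2017, 6, 1),
     "line": 'from="10.0.5.0/24",no-pty,command="/opt/deploy.sh" ssh-ed25519 AAAAC3Nz... deploy@ci'},
    {"host": "prod-db-01", "user": "root", "issued": date(2015, 1, 15),
     "line": "ssh-rsa AAAAB3Nz... alice@laptop"},
    {"host": "prod-web-02", "user": "www", "issued": date(2016, 9, 30),
     "line": "ssh-dss AAAAB3Nz... legacy-batch"},
]

MAX_KEY_AGE_DAYS = 365            # assumed rotation policy (not from the page)
AUDIT_DATE = date(2017, 10, 4)    # "today" for the key-age check
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-.+)$")


def parse_sshd_config(text):
    """Return the effective keyword->value map, keeping the first value seen
    for each keyword (sshd_config semantics) and ignoring comments."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_sshd_config(text):
    """Flag settings that contradict a key-only, monitored-access policy.
    Defaults used when a keyword is absent follow current OpenSSH releases."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: key-only policy not enforced")
    level = cfg.get("loglevel", "INFO").upper()
    if level != "VERBOSE" and not level.startswith("DEBUG"):
        findings.append("LogLevel below VERBOSE: key fingerprint per login is not logged")
    return findings


def parse_authorized_key(line):
    """Split an authorized_keys line into (options, key type, comment).
    Assumes option strings contain no whitespace (common, not guaranteed)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if KEY_TYPE_RE.match(tok):
            return " ".join(tokens[:i]), tok, " ".join(tokens[i + 2:])
    raise ValueError("no recognised key type in: " + line)


def check_keys(inventory, today):
    """Flag deprecated key types, keys past the rotation limit and
    unrestricted root keys (the last is an assumed least-privilege policy)."""
    findings = []
    for rec in inventory:
        options, ktype, comment = parse_authorized_key(rec["line"])
        where = f'{rec["user"]}@{rec["host"]} ({comment or "no comment"})'
        if ktype == "ssh-dss":
            findings.append(f"{where}: ssh-dss key (DSA disabled by default since OpenSSH 7.0)")
        age = (today - rec["issued"]).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"{where}: key is {age} days old, exceeds rotation policy")
        if rec["user"] == "root" and "from=" not in options:
            findings.append(f"{where}: root key without a from= source restriction")
    return findings


def run_audit(today=AUDIT_DATE):
    """Run both check groups over the constructed samples."""
    return {"config": check_sshd_config(SAMPLE_SSHD_CONFIG),
            "keys": check_keys(SAMPLE_KEY_INVENTORY, today)}


if __name__ == "__main__":
    for area, items in run_audit().items():
        print(f"[{area}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Against the constructed samples the script reports three configuration findings and four key findings. Each finding maps to an assessment question an auditor would otherwise answer by hand, which is the point of scripting the check: the same evidence can be regenerated on every host at every review rather than sampled once.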


Discover the COBIT 5/DMM Practices Pathways Tool


In many organizations, practitioners are either familiar with COBIT 5 or the Data Management Maturity Model (DMM), but not both. Both sets of practices are used in the IT governance and data management context, both provide generally applicable practices to the governance and management of other domains, and they each have their own set of strengths. The ISACA and CMMI COBIT 5/DMM Practices Pathways Tool provides practitioners and enterprises with a means to implement these two frameworks in harmony.

DMM provides practices that reliably enable successful enterprise data management. It is written for the business and designed to measure an organization’s current capabilities across 25 areas of data management.

In contrast to the DMM, COBIT 5 is designed to guide the implementation of governance and management of enterprise IT (GEIT). COBIT is a business framework that is used to align stakeholder requirements with available enablers, or resources. It is also used to generate and deliver value to enterprise stakeholders. COBIT 5, specifically, is best viewed as a framework of frameworks. It facilitates the incorporation of multiple frameworks and standards to create a cohesive GEIT structure.

This tool highlights areas of COBIT 5 that may augment implemented DMM practices and highlights specific DMM practices that may benefit GEIT and/or increase operational efficiency in organizations utilizing the COBIT 5 framework. Aligning these two frameworks where possible, especially by utilizing individual practices that provide clarification or extend the usefulness of a practice in the other, helps practitioners and organizations derive the most benefit from this harmonization. To learn more about how to utilize this tool to better your organization’s IT governance, data management and operational efficiency, visit the COBIT 5/DMM Practices Pathways Tool page of the ISACA website.


Take the Next Step in Your Career at ISACA’s Virtual Career Fair


ISACA’s Virtual Career Fair will take place on 25 October 2017 from 10AM-2PM CST (UTC -5 hours). This event will allow IS and IT professionals to connect with the top employers in the industry and will give employers a chance to meet with qualified, certified candidates. All of this happens from the comfort of your own computer. Highlights of the career fair include:

  • Participation of experienced and early career ISACA members worldwide
  • Flexible online time frames
  • Private chat rooms to conduct interviews
  • Readily available electronic resumes
  • Subject matter expert involvement in the recruiting process

Visit the ISACA Online Career Fair page to learn more about this opportunity and to take the next step in your IS/IT career.