Defeating cyber-criminals demands that we train more and better professionals
The complexity and variety of security attacks/breaches are growing at a phenomenal pace. Recently, we heard that Yahoo malware is turning PCs into bitcoin miners. It is becoming increasingly clear that the biggest issue for the information security profession is going to be the risk of the ‘unknown’.
The capabilities of cyber-criminals are increasing far beyond our ability to acclimatise fast enough to rapidly evolving threats. They are using every trick in the book and are streets ahead of us in their application of new technologies, which are developing fast and furiously. So how can the workforce protect against what it does not know or cannot identify?
The devil is in the detail. The breaches in the recent past show that relying primarily on technology is not sufficient. We need to take a comprehensive view of security including technology, processes and people if we are to effectively limit breaches.
Information security requires strategic thought, and the ability to look beyond the horizon, which in turn demands thinking time from professionals so that they can universally look at the issues and devise solutions.
Security attacks in the form of advanced persistent threats, denial of service and social engineering will undoubtedly continue, but a holistic, skilled and diligent approach can significantly curtail their frequency and intensity. However, the information security workforce is severely handicapped in its ability to deliver against such an approach due to staff shortages and a dearth of skilled professionals able to perform effectively in this dynamic security landscape.
On a more tactical level, there is a dire need for IT and security departments to constructively collaborate, particularly as enterprises make projects such as app stores and BYOD a business priority. This will ensure that security risks are factored into these business-critical initiatives and that proactive measures are devised to pre-empt breaches and attacks.
Today, technology and cyber-criminal activity are evolving paces ahead of the skills development that we are able to undertake. At the very least, we need to pool our resources to tackle the challenge of the ‘unknown’ threat. But the real impact will take place when development of the profession takes place holistically and at pace with technology and its applications.
John Colley, managing director, (ISC)2 EMEA