Oct 10 2023

eBook: Cybersecurity career hacks for newcomers

Category: Cyber career | disc7 @ 3:47 pm

Are you excited to pursue a cybersecurity career but unsure where to begin? Whether you’re a student, an incoming professional, or ready to move into a different field, the tried-and-tested career hacks in this eBook will help you get your start in cybersecurity.

Inside the eBook

  • Cybersecurity Is Hot! Current Market Conditions
  • Where Entry-Level Lands You
  • Cybersecurity Career Hacks for Students, Incoming Professionals and Career-Changers
  • How to Get a Certified Advantage

Download – eBook: Cybersecurity career hacks for newcomers

Explore Cybersecurity Career

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: career hacks, ISC2


Sep 17 2023

Top 10 high-paying jobs in cybersecurity industry

Category: Cyber career, Information Security | disc7 @ 7:55 am

The need for cybersecurity professionals is at an all-time high in our rapidly evolving digital landscape. As cyber threats continue to advance and grow in frequency, businesses are showing a strong commitment to safeguarding their valuable data and networks, resulting in a significant rise in job openings within the cybersecurity field, some of which come with attractive compensation packages. In this article, the author delves into the ten highest-paying positions within the cybersecurity sector, shedding light on the specific roles, duties, and salary brackets linked to each role.

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career


Tags: cybersecurity industry


Jul 30 2023

How can we solve cybersecurity talent issue?

Category: Cyber career, Security training | disc7 @ 11:18 am

The cybersecurity talent issue is a significant challenge faced by organizations worldwide. Solving this problem requires a combination of short-term and long-term strategies to attract, develop, and retain skilled cybersecurity professionals. Here are some steps that can help address the cybersecurity talent shortage:

  1. Education and Training: Invest in cybersecurity education and training programs at various levels, from primary education to advanced professional certifications. Collaborate with educational institutions and industry experts to design comprehensive and up-to-date curricula.
  2. Promote Cybersecurity as a Career Choice: Raise awareness about the importance of cybersecurity as a career option. Target students and professionals from diverse backgrounds to encourage them to pursue cybersecurity careers.
  3. Apprenticeships and Internships: Establish apprenticeship and internship programs to provide hands-on experience to aspiring cybersecurity professionals. This can help bridge the gap between theoretical knowledge and practical skills.
  4. Industry Collaboration: Foster collaboration between academic institutions and the private sector. Industry partnerships can help ensure that cybersecurity programs align with current industry needs and practices.
  5. Cyber Range and Simulations: Set up cyber ranges and simulations to provide a safe environment for individuals to practice and enhance their cybersecurity skills. These platforms allow trainees to learn through realistic scenarios without risking real-world systems.
  6. Mentorship Programs: Create mentorship programs where experienced cybersecurity professionals can guide and support newcomers in their career development. This can be especially helpful in retaining talent and promoting professional growth.
  7. Competitive Compensation and Benefits: Offer competitive salaries and benefits to attract skilled cybersecurity professionals. Recognize their value and contribution to the organization’s security posture.
  8. Continuous Professional Development: Encourage and facilitate continuous learning and professional development for existing cybersecurity teams. This can be achieved through regular training, attending conferences, and participating in workshops.
  9. Diversity and Inclusion: Promote diversity and inclusion within the cybersecurity workforce. A diverse team brings varied perspectives and problem-solving approaches, ultimately enhancing the overall security posture.
  10. Public-Private Partnerships: Encourage partnerships between government agencies, private companies, and non-profit organizations to address the talent shortage collectively. Collaboration can lead to resource-sharing and more comprehensive solutions.
  11. Automation and AI Solutions: Implement cybersecurity automation and AI technologies to augment the existing workforce. Automation can handle repetitive tasks, allowing professionals to focus on more complex issues.
  12. Retaining Talent: Focus on employee retention by providing a supportive and rewarding work environment. Recognize and celebrate cybersecurity achievements and milestones within the organization.
  13. Ethical Hacking Competitions and CTFs: Support and sponsor ethical hacking competitions and Capture The Flag (CTF) events. These challenges attract cybersecurity enthusiasts and offer valuable learning experiences.

By combining these strategies and adopting a long-term perspective, organizations can start making progress in solving the cybersecurity talent issue. Remember that cybersecurity is an ever-evolving field, and continuous efforts are needed to attract and retain skilled professionals.

This blended training course will give you what you need to develop your career and pass the challenging CISSP (Certified Information Systems Security Professional) exam the first time.

Cybersecurity and information resilience – BSI Group

Computer Security


Tags: CISSP, Computer security, Information resilience


Feb 23 2023

How advancing cyber education can help fill workforce gaps

Category: Cyber career | DISC @ 2:10 pm

The ongoing cybersecurity skills shortage is a critical issue plaguing organizations and causing serious problems. The lack of trained and qualified professionals in the field has resulted in numerous security breaches, leading to the loss of large amounts of money.

In this Help Net Security video, José-Marie Griffiths, President of Dakota State University, discusses how this shortage is not just a mere inconvenience but a major threat compromising the safety and security of companies and putting the sensitive information of their clients and customers at risk.

With each passing day, the consequences of this shortage become more and more severe, making it imperative for organizations to take immediate action and find ways to address this critical challenge.


Advancing cyber education can help fill workforce gaps in several ways:

  1. Meeting the growing demand for cybersecurity professionals: With the increasing number of cyber threats and attacks, there is a growing demand for cybersecurity professionals. Advancing cyber education can help produce more skilled professionals to fill the gap.
  2. Increasing the number of qualified candidates: Cybersecurity positions often require specific skills and certifications. Advancing cyber education can help increase the number of qualified candidates by providing them with the necessary skills and certifications.
  3. Addressing the skills gap: The skills gap in cybersecurity is a major challenge for employers. Advancing cyber education can help address the skills gap by providing education and training programs that are tailored to the needs of the industry.
  4. Encouraging diversity: Cybersecurity has historically been a male-dominated field, and there is a lack of diversity in the workforce. Advancing cyber education can help encourage diversity by providing opportunities for underrepresented groups to enter the field.
  5. Preparing for future threats: Cyber threats are constantly evolving, and it is essential to have a workforce that is prepared to face new challenges. Advancing cyber education can help prepare the workforce to address future threats by providing them with the necessary knowledge and skills.

Overall, advancing cyber education is crucial to fill workforce gaps in cybersecurity and to ensure that the workforce is prepared to address current and future threats.


Tags: cyber education


Dec 26 2022

Cybersecurity in 2022: It’s Not Getting Easier

Category: Cyber career | DISC @ 3:07 pm


by Mike Rothman 

As we wrap up the year, it always makes sense to take a look back and see what worked and what didn’t; what we can do better and what we have to accept. When 2021 ended, it was pretty bad. We were still trying to navigate COVID-19 and plan for a return to in-person work. But the markets were decent, the investment dollars kept flowing and while effective cybersecurity was hard, there was some optimism that it would get better.

Well, it didn’t. In hindsight, it should have been obvious that a recession was coming. Companies of all shapes and sizes tightened their belts, expecting security to do more with less. Yeah, you’ve heard that story before. Of course, you probably couldn’t have projected Russia’s attack on Ukraine nor planned for the cybergyrations necessary to determine if you were within the blast radius of the attack(s).

Data and workloads continued to move to the cloud unabated, putting pressure on data governance policies and visibility efforts to track the data. Many organizations now expect to run their environments (both development and infrastructure) using CI/CD pipelines, and they haven’t been proactive in understanding how to protect them.

So, yeah, things got harder for security professionals in 2022. But it wasn’t all bad. Security analytics continued to advance, improving detection. Organizations started making progress on deploying zero-trust architectures for both their perimeters and identity environments. Security budgets weren’t impacted until late in the year, as security tends to be one of the last expenditures to be impacted in a slowdown. Ultimately a couple of realities set in this year and for 2023 to improve, we’re going to have to address them.

  1. No juice: I was involved in a number of cloud and container security projects with enterprises this year. In each one, the security team had difficulty getting the dev teams and business influencers to care. To be clear, they said they cared, but their actions spoke louder. They don’t care about security until something bad happens. Then, they are happy to throw security under the bus. The mandate for change will need to come from the executive suite. That’s the only way to align the incentives toward protecting data.
  2. Identities run amok: As workloads and data move to the cloud, implementing an effective, enterprise-wide identity and access management (IAM) strategy is the critical arbiter of success. It’s also hard to retrofit an effective tenancy and IAM structure once workloads are deployed, so there isn’t a lot of time to waste to get your arms around IAM.
  3. AppSec still lags: As exciting as it is to think about having developers build secure code, they are neither trained nor incentivized to do so. Thus, they don’t. Yes, you can (and must) build security tests into the pipelines. You should push (hard!) to break builds that have critical security errors. But developers have been pushing back (and will continue to push back) on being responsible for application security, so we’ll need to find a middle ground.
  4. Skills upgrade: Sadly, with many companies reducing headcount, thousands of qualified security folks are looking for work. Yes, many of them get snapped up quickly, but not all. Now would be a great time to invest in your security skills, but too many organizations responded to the slowdown by freezing hiring and don’t use downturns as an opportunity to upgrade their personnel. The savviest managers buy when everyone else is selling; many organizations were selling in 2022 (and will continue to do so in 2023). If you can, add hard-to-find skills (like cloud security and AppSec) now.
  5. Regulatory uncertainty: Between the ongoing privacy litigation in Europe and the new software bill of materials (SBOM) mandate in the U.S., it remains hard to know what “compliance” really means and what it will take to pass assessments. Of course, an effective security program should address most compliance requirements, but there will continue to be uncertainty, so expect some unplanned work as we get clarity on the expectations.

I could go on, but that’s a pretty good overview. I alluded a bit to what’s coming in 2023, but we’ll dig into that in greater depth during our Predict 2023 virtual conference on January 12, 2023. You can register here. Have a happy and safe holiday season, and we’ll see you at Predict in a few weeks.


Cybersecurity Labor Shortage Grows Worse in U.S. And Worldwide: Report

Global Cyber Security Labor Shortage and International Business Risk



Tags: cyber security shortage


Nov 29 2022

Strategies for closing the cybersecurity skills & leadership gap

Category: CISO, Cyber career, vCISO | DISC @ 11:33 am

As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.

Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.

But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. What’s more, there hasn’t been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.

What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.

In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.

The solution rests in a two-pronged approach.

#1. Leverage cybersecurity frameworks and automation.

Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain — including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.

#2. Migrate cybersecurity to the cloud.

https://www.securitymagazine.com/articles/98664-strategies-for-closing-the-cybersecurity-skills-and-leadership-gap

Navigating the Cybersecurity Career Path

Tags: cybersecurity skills, Navigating the Cybersecurity Career Path


Sep 20 2022

What do SOC analysts need to be successful?

Category: Cyber career, InfoSec jobs | DISC @ 8:51 am

Gurucul announced the results of a Black Hat USA 2022 security professionals survey with respondents indicating that insider threats were the most difficult type of attack for SOC analysts to detect, and that behavioral analytics was the most common piece of technology they felt was missing and that they planned to add to the SOC in the near future.

The survey also found that a strong majority of respondents feel their SOC programs are improving, but that they needed more training, high-level talent in the SOC, better compensation, and more time off.

“Taken as a whole, these survey results suggest that organizations and security professionals understand that insider threats are a serious security risk and are working to improve their defenses by adding technologies like behavioral analytics and network traffic analysis,” said Saryu Nayyar, Gurucul’s CEO.

Other key findings from the survey include:

  • 27% of respondents identified insider threats as the most difficult attack to detect – the highest percentage across types.
  • More than 36% of respondents chose behavioral analytics as the technology they are currently missing that would most improve their SOC and more than 24% plan to invest budget into behavioral analytics solutions in the next year.
  • More than 17% of respondents plan to invest in Network Traffic Analysis technology in the next year.
  • 82% of security professionals feel their SOC programs are improving. Less than 5% said it was actively getting worse.
  • Tier 3 SOC analysts / threat hunters are the most in-demand role in the SOC (chosen by 31% of respondents), followed by Tier 2 Analysts (20%) and threat content creators (16%).
  • 39% of respondents feel that their organization is investing in enough training for the SOC, but 31% said they are not and 30% were undecided.
  • 35% of analysts need more than two weeks of time off to feel rejuvenated and 28% feel like they deserved a 20% raise.

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: SOC analysts


Sep 10 2022

A rough guide to launching a career in cybersecurity

Category: Cyber career | DISC @ 2:49 pm

Important Steps to Be Successful in Information Security Career Path

The global cybersecurity workforce gap is estimated at 2.7 million people, with the problem particularly acute when it comes to entry-level roles.

Cybersecurity nevertheless promises an interesting and potentially lucrative career. Even though the profession is open to people with any degree or none – providing they have the aptitude to learn – it can still be daunting to take the first steps and difficult to know where to begin.

The talent pool might potentially be expanded through more inclusive and broader hiring strategies. Against this, unrealistic hiring practices sometimes create barriers to entry for those looking to enter the profession, especially those seeking a career change.

The path into a career in information security is, however, eased by a growing number of entry level training schemes and courses. The Daily Swig has surveyed this landscape to chart some promising routes offered by various reputable training providers.


For example, cybersecurity skills training organization (ISC)2 reports that more than 1,400 individuals have undertaken its entry-level infosec certification pilot exam since the program launched at the end of January 2022.

The qualification is designed to support industry entrants embarking on cybersecurity careers, ranging from recent university graduates, to career changers, to IT professionals looking to switch roles and focus on infosec. In all cases, the certificate offers a means to validate their foundational security skills.

Laying down foundations

For employers seeking to fill entry-level roles, the qualification offers evidence that newcomers have the foundational knowledge, skills, and abilities necessary to thrive in the sector. According to (ISC)2, the qualification shows that candidates for junior roles are familiar with technical concepts whilst having an aptitude for on-the-job learning.

The (ISC)2 entry-level pilot exam evaluates candidates across five domains: security principles; business continuity, disaster recovery, and incident response concepts; access control concepts; network security; and security operations.

In preparation, candidates pay for a choice of either live instructor-led training sessions (available as a course package that includes access to online learning resources and an exam voucher for $649) or more economical online, self-paced learning resources (available with an exam voucher for $199).

Within the cybersecurity education market, however, (ISC)2 is far from the only game in town.

World of choice

The SANS Institute offers a five-day, in-person Introduction to Cyber-Security course that covers a mix of technical and business issues. SANS Institute courses are well regarded but not inexpensive.

GIAC Information Security Fundamentals, for example, retails at $6,600.

Other paid-for SANS Institute introductory courses focusing on specific areas of cybersecurity – such as cloud computing, digital forensics, and incident response – are also available.

SANS also offers free-of-charge security workshops and other content, though this material is more geared towards the professional development needs of those who have already established a cybersecurity career.

eLearning

Coursera offers access to online courses from leading universities and companies.

The Coursera platform provides routes that run the gamut from short online classes and hands-on projects that teach job-relevant skills in less than two hours, to job-ready certificates and degree programs. Short courses cost up to $99, while professional certifications run between $2,000 and $6,000 and degrees between $9,000 and $45,000.

A yearly subscription to Coursera’s online courses costs $399.

Coursera offers a variety of entry-level cybersecurity courses, each affiliated to universities or technology companies.

For example, Introduction to Cyber Security Specialization from New York University includes four courses aimed at beginners. It can be completed in about four months with four hours of learning per week.

Attractive, lower cost options might also be found in modules and courses in cybersecurity from Udemy.

There’s also an Introduction to Cyber Security course from the UK’s Open University that is particularly suitable for those looking for a flexible course aimed at beginners. The course doesn’t lead to a formal qualification but is available online and is accredited by several reputable organizations in the UK cybersecurity sector.

“Over eight weeks, the course will take on average three hours a week to complete,” an Open University (OU) spokesperson told The Daily Swig.

“The course is accredited by APMG International, the Institute of Information Security Professionals, and the (UK) National Cyber Security Centre. The Certificate of Achievement for this course demonstrates awareness of cybersecurity issues across 12 of the IISP skills groups, and demonstrates that participants have completed a course that meets the awareness level requirements of NCSC Certified Training.”

Another option from the Open University involves a part-time degree course that offers a BSc in Cyber Security at the end of six years. There’s also a postgraduate micro-credential in Cyber Security Operations.

The best way to find Open University courses related to cybersecurity is by using the course search bar on the OU’s homepage.

Book smart

Quite a few well established and respected infosec professionals got their start in the field by simply picking up a book and getting stuck in.

There’s no better example of this than noted bug bounty hunter David Litchfield, who 25 years ago passed his Certified Novell Administrator (CNA) exam courtesy of a related CNA guidebook, thus certifying his ability to maintain networks running the then ubiquitous but since obsolete Novell NetWare networking software.

Fast forward to the 2020s and you’ll find PortSwigger’s* Web Security Academy offering a free-of-charge service that explains key concepts and vulnerabilities in web security. This learning exercise is reinforced through a series of labs graded ‘Apprentice’, ‘Practitioner’, or ‘Expert’.

Practice in the labs gives learners proficiency with Burp Suite, a web security testing tool that’s the industry standard for pen testers and bug bounty hunters alike.

Next, The Daily Swig’s own John Leyden plans to try his hand at modules from the (ISC)2 entry level qualification to see how he fares. Stay tuned for a follow-up feature this autumn.

https://portswigger.net/daily-swig/a-rough-guide-to-launching-a-career-in-cybersecurity

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: career in cybersecurity


Sep 09 2022

7 free online cybersecurity courses you can take right now

Category: Cyber career, Security training | DISC @ 9:20 am

The cybersecurity skills shortage continues to present multiple challenges and have repercussions for organizations. The skills gap can be addressed through training and certifications to increase employees’ education.

The talent shortage and a variety of specialized fields within cybersecurity have inspired many to reskill and join the industry. One way to get more knowledge is to take advantage of online learning opportunities. Below you can find a list of free online cybersecurity courses that can help further your career.


Cryptography I

Stanford University

Instructor: Dan Boneh, Professor

In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. You will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. Throughout the course participants will be exposed to many exciting open problems in the field and work on optional programming projects.

DDoS Attacks and Defenses

University of Colorado

Instructor: C. Edward Chow, Professor

In this course you will learn the history of DDoS attacks, analyze Mirai IoT malware, and perform source code analysis. You’ll learn about the intrusion tolerance paradigm with proxy-based multipath routing for DDoS defense. By developing and deploying such a new security mechanism, you can improve the performance and reliability of the system at the same time and it does not have to be just an overhead. By the end of this course, you should be able to analyze new DDoS malware, collect forensic evidence, deploy firewall features to reduce the impact of DDoS on your system, and develop strategies for dealing with future DDoS attacks.


Hardware Security

University of Maryland

Instructor: Gang Qu, Associate Professor

In this course, you will study security and trust from the hardware perspective. Upon completing the course, students will understand the vulnerabilities in current digital system design flow and the physical attacks on these systems. They will learn that security starts from hardware design and be familiar with the tools and skills to build secure and trusted hardware.

Software Security

University of Maryland

Instructor: Michael Hicks, Professor

This course explores the foundations of software security. You will learn about software vulnerabilities and attacks that exploit them, and consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, you’ll take a “build security in” mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Successful learners in this course typically have completed sophomore/junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++ and one other “managed” programming language (like ML or Java), and have prior exposure to algorithms.

Web Security Fundamentals

KU Leuven University

Instructor: Philippe De Ryck, Founder, Pragmatic Web Security

This course provides an overview of the most common attacks, and illustrates fundamental countermeasures that every web application should implement. Throughout the course, you will gain insights into the threats that modern web applications face. You’ll build an understanding of common attacks and their countermeasures; not only in theory, but also in practice. You’ll be provided with an overview of current best practices to secure web applications. Although no previous security knowledge is necessary to join this course, it will help to be familiar with the basic concepts behind web applications, including HTTP, HTML, and JavaScript.


Security Governance & Compliance

University of California, Irvine

Instructor: Jacob Horne, Cybersecurity Consultant

In this course, students are introduced to the field of cyber security with a focus on the domain of security & risk management. Topics include the fundamental concepts and goals of cybersecurity (the CIA triad), security governance design, the NIST cybersecurity framework, relevant laws and regulations, and the roles of policies, strategies, and procedures in cybersecurity governance.

Windows Server Management and Security

University of Colorado

Instructor: Greg Williams, Director of Networks and Infrastructure

This course explores what it takes to design and build the server side of Windows in an enterprise environment. It covers everything from Windows Server installation to configuring users, to hardening the server operating system itself. The first week of this course provides an overview of how Windows operates in an enterprise environment and what it may look like in the real world. Week 2 will show you how Windows users interact with the system. Week 3 will explore authorization in a Windows environment. Week 4 explores the built-in security features of Windows and demonstrates how to use each technology effectively, and in what circumstances you would use which technology for what purpose.

Programming, software development, ISO27k and AWS online courses

Tags: Cyber Security Training Courses, infosec career


Sep 08 2022

How do I become a cyber security professional?

Category: Cyber career, Information Security, InfoSec jobs, Quora | DISC @ 11:17 pm

Tags: cyber security professional


Aug 23 2022

How Many Cybersecurity Pros do we Really Need?

Category: Cyber career, InfoSec jobs | DISC @ 9:56 am


We take it as gospel that we have a skills gap in cybersecurity. In fact, the narrative across most of the industry is that you need tools and you need automation because there aren’t enough people to do the work.

And we believe it. But what if that’s not actually the case?

Let me play devil’s advocate for a bit here. I know of quite a few entry-level security folks that are having trouble getting jobs. Now, these are young folks, so maybe their expectations are a bit wacky in terms of compensation or perks or culture but, all the same, if we had such a severe cybersecurity skills gap, wouldn’t the market normalize the additional salary and perks to hire anyone? Is it about the bodies or getting the right bodies? Are we in a position to be picky?

Maybe that’s it. A lot of the entry-level folks aren’t very good at security. How can they be? Security is hard. You need to know a lot of stuff about a lot of stuff, and it’s not the kind of knowledge you really get in a classroom. To be clear, a cybersecurity curriculum provides a great foundation for security professionals, but you don’t really learn until you are screwing it up for real in a live-fire environment.

What if everyone likes to bitch about how we can’t find enough people because they want to cover their asses regarding the reality that most security teams don’t perform very well? Is the industry just diverting attention away from our abysmal outcomes by blaming it on the lack of people? Is this security’s Wizard of Oz moment?

Let’s talk about the folks that should have the most acute problem: The MSSPs or MDR (managed detection and response) companies. These companies can’t grow without people, and they’ve raised capital at valuations that promise that they’ll be growing quickly for many years. How are they addressing this problem?

MDR companies are growing their staff internally. They invest in automation, threat intelligence and supporting technologies that help entry-level security practitioners to become productive faster. They send these n00bs to training and they put guardrails around them to make sure they don’t screw up (too badly).

Maybe that’s the answer. There are enough practitioners, but they don’t have the right skills. The raw materials are available, but we may not want to make the commitment to develop them into workable security staff. So your choice breaks down to either bitching about not having enough staff or getting to work developing your junior staffers.

Now, I may be wrong—it wouldn’t be the first time and it won’t be the last. We may not have enough practitioners to get the work done, but I think we’re focusing too much on what we can’t do and not enough on what we can by making an investment in our people.

Agree? Disagree? Let me know in the comments.

https://securityboulevard.com/author/mike-rothman/

Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career

Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: Cyber career, cyber security career, InfoSec jobs


Jun 17 2022

45% of cybersecurity pros are considering quitting the industry due to stress

Category: Cyber career,InfoSec jobsDISC @ 8:32 am

Deep Instinct released the third edition of its annual Voice of SecOps Report, focused on the increasing and unsustainable stress levels among 1,000 C-suite and senior cybersecurity professionals across all industries and roles. The research found that 45% of respondents have considered quitting the industry due to stress, with the primary issues being an unrelenting threat from ransomware and the expectations to always be on call or available.


The research reinforced that paying a ransom remains a hotly debated topic. 38% of respondents admitted to paying a ransom, with 46% claiming their data was still exposed by the hackers; and 44% could not restore all their data even after a ransom was paid.

The great cybersecurity resignation

The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months. This was especially the case for those working within critical infrastructure. These increased stress levels have led cybersecurity professionals to consider leaving the industry altogether, joining in the “Great Resignation,” rather than moving to a new cybersecurity role at a new employer.

  • 45% admit to considering quitting the industry on at least one or two occasions
  • 46% know at least one person who left cybersecurity altogether in the past year due to stress

Who’s stressed and why?

Stress is not only felt by SOC teams and others on the cyber frontlines but also among those in the C-Suite who are making the difficult decisions on how to use their available resources more efficiently.

Biggest stress culprit: Ransomware

45% of respondents said that ransomware was the biggest concern of their company’s C-Suite. The survey found that 38% of respondents admitted to paying up in order to receive the encryption key primarily to avoid downtime (61%) or bad publicity (53%). However, paying the ransom did not guarantee a resolution post-attack in many cases.

Of those reporting that a payment was made:

  • 46% claimed to still have their data exposed by the hackers
  • 44% couldn’t restore all their data
  • Only 16% claimed to have no further issues to date

In response to these issues with ransomware payment, 73% of respondents claimed they would not pay a ransom in the future.

Even among those who said they would still pay a ransom demand in the future, widespread doubt remained that paying would leave them trouble-free.

Their concerns about paying a ransom in the future included the following:

  • 75% do not expect to have all their data restored
  • 54% fear the criminals will still make the exfiltration of data public knowledge, and
  • 52% fear the attackers will have installed a back door and will return

“Considering that the constant waves of cyber-attacks are likely to become more common and evasive as we move forward, it’s of the utmost importance to ensure that those who dedicate their careers and lives to defending our businesses and country don’t become overly stressed and give up,” said Guy Caspi, CEO of Deep Instinct.

“By adopting and utilizing new defensive techniques, like artificial intelligence and deep learning, we can help the cybersecurity community mitigate one of the most important issues that is often overlooked by many: the people behind the keyboard.”

Fight Fire with Fire: Proactive Cybersecurity Strategies for Today’s Leaders


Tags: cybersecurity pros, Fight Fire with Fire, industry stress


May 23 2022

Many security engineers are already one foot out the door

Category: Cyber career,Information SecurityDISC @ 8:36 am

Many security engineers are already one foot out the door. Why?

The position of security engineer has become a pivotal role for modern security teams. Practitioners are responsible for critical monitoring of networks and systems to identify threats or intrusions that could cause immense harm to an organization.

They must analyze troves of security-related data and detect threats as early as possible on the cyber kill chain. From their vantage point, they are often best positioned to evaluate security monitoring solutions and recommend security operations improvements to management.

In this video for Help Net Security, Jack Naglieri, CEO of Panther Labs, discusses a recent report which found that 80% of security engineers are experiencing burnout.


Cybersecurity Career Master Plan: Proven techniques and effective tips to help you advance in your cybersecurity career

Tags: security engineer


Apr 22 2022

The Great Resignation meets the Great Exfiltration: How to securely offboard security personnel

Category: Cyber careerDISC @ 11:05 am

“The Great Resignation” is a phenomenon that has greatly impacted how we work. As of August 2021, 65% of people in the United States were looking for a new job and 25% of them actually quit. With tens of millions of people shuffling around the workforce, there is another key asset organizations are at risk of losing: data.

People and data are, arguably, a company’s two most important resources, and while losing people is a challenge, losing both can be devastating to a business’s security and competitiveness. This is especially true for security personnel, as they often have unique privileges or access to data and information that other personnel may not. As a result, the Great Resignation has become the “Great Exfiltration,” as people leaving their jobs may also be taking company data with them.

Considering the Great Exfiltration, it is vital for organizations to create and implement a robust data loss prevention (DLP) strategy during the offboarding process to prevent any destruction or loss of data. This is particularly important with many organizations still working remotely, where the lines between personal and professional devices have become blurred.

That said, there are a few tactics that leaders can keep in mind while employing their DLP strategies during the offboarding process:

Automation is key when offboarding security personnel


“People may be your greatest asset – but they can also be your biggest liability.”

People, Risk, and Security: How to prevent your greatest asset from becoming your greatest liability

Tags: Exfiltration, offboard security personnel, Resignation


Mar 17 2022

How to plan for increased security risks resulting from the Great Resignation

Category: Cyber career,InfoSec jobsDISC @ 9:17 pm

The Great Resignation is sweeping the world, and the causes and impacts are still being analyzed. Texas A&M University professor Anthony Klotz coined the term, predicting an unusual rise in voluntary resignations as employees anticipated the global pandemic coming to end and life returning to normal. Many employees stayed longer in roles because they were uncertain of the future during the pandemic, while frontline workers experienced an elevated level of burnout due to increased stress. Workers in all industries are looking for new opportunities and leaving past roles behind.

IT and security staff are resigning too, feeling increased stress from managing more remote employees, a rapid transition to the cloud that didn’t allow time for them to gain cloud expertise before making the leap, and a rise in cyberattacks globally. Finding and retaining security talent is an ongoing challenge, one that exposes organizations to increased risk because there simply aren’t enough security experts available.

Most employees, certainly in technology companies but in other industries as well, are required to undergo security training and sign non-disclosure agreements (NDAs) when they join a company. That’s frequently the last time they consider security training, how they use personal devices for company communications and data, and what data belongs to the company and what data they’re permitted to share externally or take with them when they leave. Much of this information is only communicated in an NDA, a document that’s rarely read carefully or reviewed regularly. This may result in reduced adherence to security rules and practices — and, consequently, data losses. Some disgruntled employees may even be tempted to disclose sensitive information or leave security holes to allow them to access the company’s IT infrastructure after departure.

All employees have access to secrets, whether that’s a product strategy document, internal lists of sales prospects or customers, or other internal communications or presentations that aren’t intended for external consumption. Security and engineering teams have access to many internal systems, passwords, and secrets. When many employees leave an organization in a brief period, risks increase because there are so many things to take care of for so many people at the same time.

How to ensure employees, especially security staff, are off-boarded appropriately


Off-boarding employees can pose challenges for any organization. In the past year, data exfiltration incidents increased due to employees taking data, systems access, or both with them when they exit. This is when organizations can refer to their onboarding plan to create a successful off-boarding plan, one that includes people, process, and technology.

Rather than taking a reactive approach to employees leaving the company, embrace a readiness mindset and prepare for departures in advance. Here are the essential steps to take so that you’re ready for employee departures:

  • Nurture the culture in your organization. This isn’t something you start when your employee gives their notice — it’s something they’re part of from the moment they join your team. Having good interpersonal relationships, sharing values, and identifying and handling personnel issues quickly and appropriately will help you keep your employees and turn them into advocates for your company after they leave. They’ll refer candidates to you, become mentors or contributors in another capacity, or even return for another role in the future. Having a positive relationship makes employees far less likely to pose a threat to your security profile.
  • Conduct an exit interview through Human Resources to get honest feedback from your employees. When employees are ready to move on to a new opportunity, take the time to ask them for suggestions, learn about problem areas, and build bridges for future relationships even after departure. Whether they’re leaving for a promotion, more flexibility, or because they’re ready to retire, their input can still influence HR decisions around benefits and culture.
  • Create a knowledge transfer plan. Don’t wait until their last day to find out all the unique knowledge your employees hold. Most of that information probably isn’t in the job description, so documenting it (and having departing employees train your new hires, if possible) will help new employees become productive more quickly.
  • Review the materials signed during onboarding and security training. Many employees have no idea that the data they take with them increases the security risks for their organizations. Make sure that the person reviewing it with them understands these issues and can communicate them effectively.
  • Collect company assets. This includes office keys, key cards, laptops, cell phones, badges, corporate credit cards, and any other physical devices that you want returned. Keep a list and track all company assets that you’ve given employees to make sure you get these assets before they leave the building. If employees are keeping an asset, such as a laptop or cell phone, ensure that the data stored on it meets your requirements for employee data retention. For personal devices, former employees need to delete company apps and accounts.
  • Don’t forget digital access. Whether it’s access to a GitHub repository, Jira, Confluence, the company’s social media accounts, company email and workplace communication platforms, or anything in between, make sure that access ends when employment ends. This helps you make sure that the right people have access even after the employee leaves and reduces the likelihood of you needing to contact them to resolve something when it’s no longer their responsibility. Off-boarding should also include deleting data belonging to former employees and any cloud accounts tied to those employees.
  • Use single sign-on (SSO) and authentication tools. These technologies can help you manage access in as few places as possible, simplifying your tasks as employees leave. For engineering and security employees, make sure your team doesn’t hard code secrets or embed credentials in code. It’s poor security practice at any time and will allow access even after employees have departed and all other access has been disabled.

Successfully off-boarding security staff introduces some added considerations. While the preceding steps are still critical, security staff have increased access and knowledge when it comes to your systems and infrastructure. Once again, people, process, and technology all play a role. Monitor and audit access to sensitive corporate data, particularly noting whether that data is being accessed from machines or IP addresses outside the corporate network. Former employees also still have relationships with current staff, so flag and investigate unusual activity there as well.

Adopting a zero-trust framework will help you protect resources even when critical security staff members leave the organization. Putting clear and easily repeatable processes in place can also help you reduce security risks due to departing staff, such as turning off email access but automatically forwarding all email and voicemail to a supervisor so that nothing gets missed. Your process should also include rolling any secrets they have access to promptly, rotating access, and removing their accounts from every system.
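An offboarding audit in the spirit of the checklist above, as an added example that is not part of the original post: it walks an access log and flags activity by accounts after their owners' departure date, reads of sensitive resources from outside the corporate network, and departed users whose accounts are still enabled. The log format, user names, departure dates, IP ranges and resource names are all constructed assumptions.

```python
"""Offboarding access audit (added example, not from the original post).

Checks three things the offboarding checklist calls for:
  1. no account is used after its owner's recorded departure,
  2. sensitive data is not read from outside the corporate network,
  3. departed users' accounts are actually disabled.
Every user, timestamp, address range, resource and log line here is a
constructed sample; a real audit would read your HR feed, IdP and log store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: the corporate address space (RFC 1918 ranges stand in here).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed: resource prefixes treated as "sensitive corporate data".
SENSITIVE_PREFIXES = ("s3://finance-", "git://prod-infra", "vault://")

# Constructed: HR departure times (UTC) and the account inventory's enabled flag.
DEPARTED = {
    "alice": datetime(2022, 3, 11, 17, 0, tzinfo=timezone.utc),
    "bob": datetime(2022, 3, 14, 12, 0, tzinfo=timezone.utc),
}
ACCOUNTS_ENABLED = {"alice": False, "bob": True, "carol": True}

# Constructed sample log: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2022-03-11T15:30:00Z user=alice src=10.2.3.4 resource=s3://finance-reports/q1.xlsx action=read
2022-03-12T08:05:10Z user=alice src=203.0.113.7 resource=git://prod-infra action=clone
2022-03-15T22:41:09Z user=bob src=198.51.100.23 resource=vault://prod/db-creds action=read
2022-03-15T09:00:00Z user=carol src=192.168.10.20 resource=vault://prod/db-creds action=read
2022-03-16T11:20:00Z user=carol src=198.51.100.9 resource=wiki://team-lunch action=read
2022-03-16T11:25:00Z user=carol src=198.51.100.9 resource=s3://finance-reports/q1.xlsx action=read
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # ACCESS_AFTER_DEPARTURE or EXTERNAL_SENSITIVE_ACCESS
    user: str
    detail: str


def parse_line(line: str) -> dict:
    """Split 'TIME k=v k=v ...' into a dict; the parsed timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_corporate(addr: str) -> bool:
    """True if the source address falls inside one of the corporate ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)


def audit_log(log_text: str, departed=DEPARTED) -> list:
    """Return findings for every log line that violates the offboarding rules."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, res = rec["user"], rec["src"], rec["resource"]
        # (1) Any use of an account after HR says its owner left means access
        #     was not revoked in time (or the credential leaked).
        left = departed.get(user)
        if left is not None and rec["ts"] >= left:
            findings.append(Finding("ACCESS_AFTER_DEPARTURE", user,
                                    f"{rec['ts'].isoformat()} {res} from {src}"))
        # (2) Sensitive data read from outside the corporate network, by anyone.
        if res.startswith(SENSITIVE_PREFIXES) and not is_corporate(src):
            findings.append(Finding("EXTERNAL_SENSITIVE_ACCESS", user, f"{res} from {src}"))
    return findings


def stale_accounts(departed=DEPARTED, enabled=ACCOUNTS_ENABLED) -> list:
    """Departed users whose accounts are still enabled: disable these first."""
    return sorted(u for u in departed if enabled.get(u, False))


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.kind:26} {f.user:6} {f.detail}")
    print("accounts to disable:", stale_accounts())
```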

Automation can help you manage the Great Resignation

Cybersecurity Career Master Plan

Tags: Cyber career, InfoSec jobs


Jan 08 2022

What it takes to Start a Career in InfoSec

Category: Cyber career,Information Security,InfoSec jobsDISC @ 9:55 am

Useful advice from the Cybersecurity Learning Saturday event.
Cybersecurity Learning Saturday is a free program that helps people build their professional careers. #cybersecurity #career #InfoSeccareer

Finding Your Cybersecurity Career Path

Proven techniques and effective tips to help you advance in your cybersecurity career

InfoSec Jobs

Tags: #cybersecurity #career, Cybersecurity Career Master Plan, infosec career, InfoSec career path


Dec 10 2021

Best Tips on Cybersecurity for Students

Category: Cyber careerDISC @ 10:32 am

There is a way to avoid cybersecurity threats, and that’s incorporating effective practices in your daily use of the internet. Here are a few best tips for improving cybersecurity.

  1. Use Strong and Varied Passwords

The “one password fits all platforms” philosophy is ideal for hackers. They only need to get a password to one network to access all of the others as well. To prevent this from happening, you need to set different passwords on all your accounts.

Memorizing all those passwords can be difficult, especially when you consider various platforms you use for studying. However, with password management apps, you won’t have to memorize them. In addition, you need to create a strong password. For a quick solution, you can use a strong random password generator.

  2. Give Your Data Only to Proven Websites

Random websites can ask for detailed personal information if you want to get access to more content or download something. This can be a threat.

Take extra precautions when using unknown platforms. Before you decide to sign up, read their privacy policy and do some research on the company. For example, if you’re looking for an essay writing company, you can first read the info on the best ones on a credible Top Writers Review website. Reviews, Google results, and privacy policies can help you get to know the website better.

  3. Don’t Download Attachments from Unknown Email Senders

Email phishing is among the most frequent types of cyberattacks. A simple email attachment such as a supposed e-book can be a gateway for malware or phishing attacks.

Whenever you get an email from an unknown sender, don’t download the attachments. Even if the email seems legitimate, first confirm who the sender is and where they got your email address before you download anything.

  4. Stay Away from Unprotected Public WiFi

An unsecured public WiFi gives free access to the network to anyone – including the criminals.

If you are on the same network, it’s easier for cybercriminals to latch onto your device and access everything you have. Even if you just want to quickly connect to research document translation companies for your study abroad papers, hackers can get to your data before you finish.

In situations where you can’t avoid using public WiFi, use a VPN and be vigilant. A virtual private network (VPN) encrypts all your internet traffic. You can download a VPN app on your phone with a few clicks.

  5. Use Platforms and Apps that Encrypt Data

Apps, platforms, and websites with encrypted data will keep your personal information and internet activity safe. Messaging apps with encryption are also more secure.

When browsing, check whether the website shows a padlock and “https” in its URL; that means the connection between you and the site is encrypted, so your data can’t be read by unauthorized parties in transit.

The privacy policy is yet another way of checking whether the app, platform or website is encrypted. For example, if you read in the policy that the site is covered by COPPA (Children’s Online Privacy Protection Act), it is secure. To ensure internet safety for its students, many educational institutions use apps and platforms covered by this act.

  6. Be Wary of URLs in Messages

You might not find anything peculiar about your friend, teacher, or a well-known company sending you a URL, especially if it arrives as a text message or WhatsApp message. Unfortunately, this is one of the tricks of cybercriminals.

This type of attack is quite common. Clicking on the links can completely open the door to your data. So, if you receive a message with a suspicious URL, first inquire what it is about. When a company sends you such a message, go to their official website instead of clicking on the link.

Conclusion

These simple steps of precaution will help you keep your data safe. Being more careful of what actions you take, pages you trust, and how you dispose of your data is necessary. A few tips like these can do a lot for your internet security.

InfoSec Tools and training

InfoSec Books

Cybersecurity Career Master Plan

Tags: cyber security career, Cybersecurity Career Master Plan, infosec career, Tips on Cybersecurity


Dec 08 2021

It’s Not a User Problem; It’s a Cybersecurity People Problem

Category: Cyber career,Security AwarenessDISC @ 10:29 am

There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?

In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.

“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.

A Failure of Leadership

One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is a failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques, coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords, led to that massive cybersecurity failure. In other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users who behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at its own actions, too.

“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”


New School Safety Science

Improving Cyber Security Skills And Knowledge At Board Level

Tags: Cybersecurity People Problem, Improving Cyber Security Skills


Nov 29 2021

Big salaries alone are not enough to hire good cybersecurity talent: What else can companies do?

Category: Cyber career,InfoSec jobsDISC @ 10:23 am

This is sometimes due to budgets, as many organizations have not placed a high enough priority on cybersecurity, despite the growing number of high-profile attacks. But even those who are paying high salaries are finding that generous compensation is still not enough to hire and retain talent in this field. While 33% of CISOs surveyed by ISSA said that salary was the reason they left one organization for another, that doesn’t explain most departures or job switches.

Meanwhile, despite high salaries, many currently employed cybersecurity professionals are feeling overwhelmed and under intense pressure, both because they are often short on manpower and because the stakes of their jobs are even higher now with the increased number and severity of attacks. The ISSA survey showed that 62% of cybersecurity employees face a heavier workload due to their organizations not being able to hire enough workers, and 38% say they feel burnt out.

If money isn’t enough, what else can companies do to attract and keep cybersecurity talent?

Write job descriptions that show off the skills employees will gain, not just what skills they need to apply. Cybersecurity is a rapidly growing and dynamic field offering many opportunities. But the field, by its very nature, requires that the best professionals are constantly learning on the job to keep up with the latest technologies and the latest types of threats and attacks. By letting candidates know what types of things they will learn on the job and what experiences they will gain, a company can set itself apart and offer the added value of professional growth, giving it an advantage in the recruitment process.

Look beyond academic education. Academic degrees in cybersecurity and related fields are no doubt helpful, but they are not the only way to become qualified for a job in the sector. If someone does not have a degree, it does not mean that they will not be an excellent candidate, especially if they have the relevant experience. This includes those coming from military or government backgrounds. In fact, with the rise in state-backed cyberattacks, any level of cybersecurity experience in government or military organizations is a considerable advantage and may be more valuable than those with academic degrees or years of corporate experience. A number of new programs, including one backed by Microsoft, also promise to offer training without necessarily granting degrees; these are also worthwhile credentials for candidates.

Teach and mentor on the job. Organizations should realize that current employees in their IT and related departments may be able, with the right training, to learn cybersecurity skills. This can be a way to build up a cybersecurity team internally. Those receiving training in-house should also be assigned mentors who can help them along the way. Building a team internally gives employees opportunities to grow, which can also lead to increased job satisfaction and retention.

Integrate cybersecurity into the overall business strategy, and let recruits know this. Companies should involve the cybersecurity team in all steps of their business, from product development to marketing, and not just relegate them to being on call for incident responses, or when something goes wrong.


The Best and Worst States in America for Online Privacy

Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level

Tags: Cybersecurity Career Path, cybersecurity talent


Sep 20 2021

How to retain the best talent in a competitive cybersecurity market

Category: Cyber career,InfoSec jobsDISC @ 11:48 am

Hiring and retaining the best talent has quickly become a top priority for most organizations today. In the cybersecurity industry, which faces an immense skills shortage, this is especially true. In fact, according to CompTIA and CyberSeek, a job-tracking database from the U.S. Commerce Department, there were nearly 500,000 open positions in cybersecurity nationwide as of Q2 2021, which makes hiring the right candidate for a technical role in IT security like finding a needle in a haystack. As a result, it’s never been more important to attract and develop employees in cybersecurity – and here are a few best practices for doing so.

Retention is not a one-size-fits-all initiative

Every employee and organization is different. Even in an industry with a talent deficit, the employee/employer relationship needs to be symbiotic. What an employee and an employer are looking for must be aligned, and when it is, the opportunities are endless.


Cybersecurity Career Master Plan

Tags: Cyber career, InfoSec jobs