Acute Cybersecurity Skills Shortage Areas

In my last blog, I reviewed some new research from ESG and the Information Systems Security Association (ISSA), revealing that 70% of cybersecurity pros say that the global cybersecurity skills shortage has impacted their organizations. Based upon this and other similar research, I’m convinced that the cybersecurity skills shortage represents an existential risk to our data, businesses, and national security.

Topics: Cybersecurity security analytics security operations cloud security application security ISSA security investigations

VMware Advances Application Security

This week at VMworld, VMware announced market availability of a new security technology called AppDefense. AppDefense is an application-layer security control designed to profile applications, determine “normal” behavior, and then provide a series of least privilege controls for applications and options for security incident remediation.

Now in some respects, AppDefense is a lot like application white listing/black listing, which can be very effective for limiting the attack surface, but the historical problem with application controls is operational overhead. If you want to implement white listing, you have to know what workloads are running and whether they are allowed to run, and then implement controls to restrict unanticipated application behavior. This can become quite cumbersome when servers run multiple applications with dynamic development cycles and changing behavior.

Topics: Network Security Cybersecurity VMware VMworld NSX application security AppDefense

High Demand Cybersecurity Skills in 2017

As I’ve written many times, the cybersecurity skills shortage is the biggest cybersecurity issue we face today. Not only are there too few bodies to fill the cybersecurity jobs, but a recent series of research reports from ESG and the Information Systems Security Association (ISSA) indicates that many currently employed cybersecurity professionals are overworked, not managing their careers proactively, and not receiving the proper amount of training to stay ahead of increasingly dangerous threats. Yikes!

Topics: Cybersecurity cybersecurity skills shortage CISO cloud security application security security analyst security engineer penetration testing

Swimming application security upstream with SecDevOps

I used a metaphor during a cloud security webinar this week to explain how SecDevOps is an opportunity to “swim security upstream”, an expression that reminded me of an aspect of being a QA Manager earlier in my career. Our software development process included an acceptance phase, which, for repeatability, we executed by running a set of automated tests through a harness. Too often basic mistakes would be found, resulting in the build being rejected and thrown back over the wall to Dev, as it was back in the days of waterfall.

These inefficiencies highlighted the need to swim quality upstream in the dev process by requiring unit tests before release engineering ran a build and handed it off to QA. As was the case with those quality assurance steps, application security best practices are too often performed late in the cycle, if at all. Enter SecDevOps.

Topics: Cybersecurity DevOps application security

Cybersecurity Customer Segments in 2016

Depending upon whom you believe, there are roughly 800 to 1200 companies selling cybersecurity products and services to end customers. Yes, the cybersecurity market is forecast to be around $70 billion this year, but that’s still a lot of vendors.

Topics: Network Security Cybersecurity endpoint security enterprise security application security

Software Security is Not Keeping Up

We cybersecurity professionals spend a heck of a lot of time in areas like endpoint security, network security, and overall threat management. In the dozen years I’ve been focusing on cybersecurity, this situation hasn’t changed. Unfortunately, this means that we haven’t paid enough attention to software security in the past, and we continue to maintain this basic status quo approach today.

Topics: Cybersecurity web application security application security