What IT Security Pros Don't Know: Glaring Knowledge Gaps Present a Challenge
IT security pros working in the trenches confess they don't know as much as they should about the networks and infrastructure they're paid to defend.
More than half of nearly 2,000 IT security folks attending the recent Cisco Live and Black Hat USA conferences say, in response to a survey, they have no idea which internal apps and assets on their networks are accessible to outsiders. Six of 10 report they don't know the capabilities of the tools they use, and fewer than half say they understand how network configuration changes affect the systems they support.
"These are the front-line soldiers in a battle," says Mike Lloyd, chief scientist for RedSeal Systems, a developer of security assurance software. "If they don't know what the front lines are or how they are exposed outside, they are not in a position to win the battle."
Why? Complexity. Think about it: In the pre-Internet days, companies ran on mainframes, and few people had access to the private networks that connected the big iron. Computing was like a one-traffic-light town, where an occasional Model-T would pass by. Providing security was a breeze, if not an afterthought.
Today, the network is more like a global metropolis, with a myriad of roads and highways coming from all directions and carrying all types of vehicles and individuals. The metropolis is constantly changing, with new off- and on-ramps being built. There is no centralized control, and on top of that come new types of technologies and emerging threats. It is hard for pros to know it all.
"Today they are overwhelmed with too much to defend and fix in their environment simply because of the scale they are trying to secure," says Hord Tipton, executive director at (ISC)2, a not-for-profit IT security education and certification organization.
The supersonic pace of change is another factor. In a typical organization, changes made to systems, such as installing a new device or a vulnerability tool, number above 50 daily.
Still, even understanding today's realities, I am surprised by the survey findings -- especially that security pros cannot maintain the necessary layered defenses or determine where gaps exist in their systems.
People can't know everything, but they should have a greater understanding beyond their niche expertise. So ultimately, it is about learning new tools, increased collaboration and putting training programs in place that will fill some of the gaps.
A few pointers:
Focus on roles: Security pros and their employers need to understand the evolution of specific positions like network architect, IT security engineer, system administrator and accordingly examine the requirements for these positions. They further need to effectively target certifications and training programs to close the skills gap. This will ensure that pros can execute on the hard skills (implementation, maintenance, and monitoring) as well as the soft skills (architectural planning, project management, and business case justification) necessary to keep pace with the evolution of IT systems.
Invest in the right tools: Employers need to invest in automated tools for effective network and vulnerability scanning, as well as provide learning sessions to help network security pros be better prepared to identify common configuration errors, security flaws and the system's inbound and outbound network connections.
Initiate collaboration and communication: In a workplace environment that is characterized by globalization and mobility, pros need to have constant communication. They must participate in internal forums to know what changes and upgrades are going on within their infrastructure and share their concerns freely to tackle the complexity of IT security. Further, they must encourage employers to have a structure in place so that people with complementary skills and shared responsibilities can work together to understand the impact of changes made to the infrastructure holistically, not just within their areas of expertise.
Admitting what you don't know is good. It's a sign of maturity. But pros and employers need to take the initiative quickly to broaden their horizons and get a grip on the changes and issues that plague the environment today.
That would be a sign of greater security.