The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: info security

Increasing Interest in Cybersecurity Education and Careers

Written by: Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

The world is facing a growing problem: as people's everyday lives become more digital, our reliance on cybersecurity to protect our interests increases, yet there are not enough security professionals to meet the rising demand. This leaves gaps in the security of the companies and organizations we share information with. There is hope on the horizon. Academia is adjusting to train more graduates, and students are showing rising interest in studying the variety of cybersecurity domains. But more students are needed, as demand is far outpacing the expected rise in available talent.

All the right elements are in place. Pay for cybersecurity is on the rise, the need for an estimated 1.5 million jobs is already growing, and higher education institutions are working collaboratively to establish the training infrastructure necessary for the next generation of security professionals to be prepared for success. What is missing is the necessary number of students. There simply are not enough.

The good news is that millennials are interested, but they need more information before they commit. Survey results from the Raytheon-NCSA Millennial report show that the most prevalent factor that would increase prospective students' interest is being given data and expert perspective explaining what the jobs entail.

Providing basic career information is absolutely possible, but it is not as simple as it may seem. Job roles morph very rapidly. Some data suggests that as often as every nine months, security professionals see their role, expectations, and focus shift into new areas or vary radically. With such a rapid rate of change, cybersecurity is truly a dynamic domain where responsibilities are fluid. This is not likely to turn off prospective millennials, as they are a generation that embraces diversity. It may, in fact, contribute to the attractiveness of these careers. Combined with strong employability and excellent pay, the industry should have no problem filling seats in universities.

What is needed right now is for experienced professionals to step up and work with educational institutions to explain the roles and responsibilities to the pool of prospective students. Open forums, virtual meetings, presentations, in-class instruction, and even simple question-and-answer sessions can go a long way toward painting a vivid picture of our industry and the opportunities and challenges that await. The community should work together to attract applicants to the cyber sciences, especially women and underrepresented minorities, who can bring in fresh ideas and perspectives. I urge higher education institutions to reach out to security community professionals and ask for help. Many are willing to share their perspectives and industry knowledge to help inform students and encourage those who might be interested in a career in cybersecurity. Only together can the private sector and academia meet the need for the next generation of security professionals.

Follow Matt on Twitter: @Matt_Rosenquist

Interested in Cyber Security? Join our #AskTheExpert session with Matthew Rosenquist! RSVP here


Creating the Total Package

Below is a post written by M.S. in Information Security graduate Megan Olvera. She is an EMC employee who is continuing her quest for lifelong learning. Here are her thoughts on her experience with Brandeis GPS.

“I am admittedly a lifelong learner. I have always loved school, and although I had just wrapped up my first Master’s Degree in 2010, by 2011, I was already missing the classroom. Unfortunately, I couldn’t justify the time and expense required to earn another degree “just because.”  What to do, what to do?  My career had taken a turn from a more liberal arts focus into the world of IT, and although my daily responsibilities didn’t require an IT background, having that level of knowledge certainly wouldn’t hurt.  When my employer (EMC) sent out information about their partnership with Brandeis, jumping into the Master of Science in Information Security program seemed a perfect next step.

My previous formal education was focused on the Humanities side of the house, so I worried that I’d struggle with the more technical concepts I knew would come with this program; working in IT and learning IT in theory are often two very different things.  I was happy to discover that the Brandeis instructors were not only patient in clarifying issues for me, but they seemed to appreciate the human-experience slant that my own background naturally brought to our class discussions.  More than once, professors offered feedback that they valued the perspectives I added to the conversations.


The online learning format of Brandeis GPS was ideal for me, as I lead a busy life between family, work, and all-consuming hobbies.  If I had a vacation planned or needed to travel for work, there were no worries about missing class, as class came with me!  I’d be sure to message my professors of any planned time away, just in case I ran into connectivity issues, and most professors were accommodating if I asked for a weekly assignment to be made available early, so that I could work ahead when needed.


As I progressed through the curriculum at Brandeis, my newfound knowledge was noticed and appreciated at work. At times, it even caused exclamations of surprise from my manager at my ability to clearly understand and troubleshoot technical issues that had stumped other members of our team. In addition to learning technical concepts, I also learned how to efficiently communicate with management: presenting the need-to-know information in a way that enables them to quickly grasp issues and impacts and then make decisions. In my current role, I interact with clients who expect a certain level of technical expertise combined with graceful communication skills, and now, thanks to my experience at Brandeis, I can confidently step forward and claim that competence. If any readers are on the fence about committing to (in my case, yet another) degree program, hesitate no longer – Brandeis is the way to go!”


Watch Your Language: How Security Professionals Miscommunicate About Risk

Author: Derek Brink

Original Post: https://blogs.rsa.com/watch-language-security-professionals-miscommunicate-risk/

What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.

“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.

We could try speaking louder, and more slowly—the comedic memes for how we instinctively try to communicate with someone who speaks a different language.

Of course, we could start trying to speak the same language. That would probably yield better results.

The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include:

  • Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).
  • OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.
  • Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)
  • Rootkits: This is not a risk. It’s a type of exploit.

As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.

So, what is the right language? What is risk?

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.

Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:

  • Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.
  • There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.

Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)

Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.

In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.

By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.

About the Author:

Derek E. Brink, CISSP, is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
