<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Daniel Conroy, Author at Security Current</title>
	<atom:link href="/author/daniel-conroy/feed/" rel="self" type="application/rss+xml" />
	<link>/author/daniel-conroy/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 19 Dec 2017 20:52:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Daniel Conroy, Author at Security Current</title>
	<link>/author/daniel-conroy/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Unlock Cybersecurity Talent</title>
		<link>/how-to-unlock-cybersecurity-talent/</link>
					<comments>/how-to-unlock-cybersecurity-talent/#respond</comments>
		
		<dc:creator><![CDATA[Daniel Conroy]]></dc:creator>
		<pubDate>Mon, 05 Dec 2016 03:45:20 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16319</guid>

					<description><![CDATA[<p>Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “Mitigating the Cybersecurity Skills Shortage,” highlights the worldwide shortage of one million information security&#8230;</p>
<p>The post <a href="/how-to-unlock-cybersecurity-talent/">How to Unlock Cybersecurity Talent</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “<a href="http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf">Mitigating the Cybersecurity Skills Shortage</a>,” highlights the worldwide shortage of one million information security professionals. It sends out a disturbing warning to the cybersecurity industry to bridge this gap immediately or face consequences with significant costs.</p>
<p>There is no doubt that the number, scale, and sophistication of operational technology attacks will continue to increase, thereby putting connected transportation, health, energy and financial systems at risk.</p>
<p>A recent <a href="https://cyware.com/news/accenture-says-one-third-of-corporate-cyber-attacks-make-it-cb6e2df4">report</a> published by Accenture puts the success ratio of cyberattacks at one out of every three. The threat is clear. The security sector needs to immediately mobilize resources for bridging the gap in numbers without compromising the quality in talent.</p>
<p>Improvements in security technology may offer a partial solution, but ultimately, it’s the people on the frontlines—and in the back office—who are responsible for building and protecting information technology systems.</p>
<p>Unfortunately, there just aren’t enough qualified cybersecurity professionals. The only way for companies and government organizations to fill this talent gap is to comprehensively groom and nourish future cyber warriors.</p>
<h2><strong>Three Keys to unlocking the next generation of cybersecurity talent</strong></h2>
<h3><strong><u>Research &amp; Development</u></strong></h3>
<p>The first step in increasing the supply of cybersecurity professionals is investing heavily in the field. The investment needs to be directed towards development of hard and soft infrastructure for professional cybersecurity courses, promoting collaboration between universities and the private sector, and providing grants for cybersecurity research.</p>
<p>These steps will serve as push factors for the people already in the cybersecurity domain and pull factors for the students in high school and university to boost the cybersecurity talent pool supply chain.</p>
<p>When it comes to the education sector, it is important to understand that cybersecurity should not be treated as a secondary domain of which students are taught little in other professional courses. Given the emergence of cyberspace as the fifth domain of geopolitical engagement (land, air, water and space being the other four), it rightly deserves to be taught as an independent subject.</p>
<p>Unless dedicated professional security courses are taught in colleges and universities, cybersecurity policy could remain disjointed and disconnected. The private sector needs to step forward and shape the content of these professional courses.</p>
<p>The onus lies on all of us to correct the disjointedness in what is being taught and what is required. A cue can be taken from the recent partnership between Synchrony Financial and the University of Connecticut (UConn) to establish a <a href="http://www.businesswire.com/news/home/20161011005316/en/University-Connecticut-Establishes-Synchrony-Financial-Center-Excellence">Center of Excellence in Cybersecurity</a> at UConn.</p>
<h3><strong><u>Recruitment &amp; Hiring</u></strong></h3>
<p>Companies looking to hire cybersecurity professionals may need to rethink their approach. While recruiting, the candidates’ skills and certifications should not be considered in silos but assessed against different attack situations and how they can be utilized.</p>
<p>For example, consider a situation in which hackers have succeeded in raiding your organizational network and breaching it. In these situations, there is a natural tendency to focus on making sure similar incidents don’t take place in the future. Now consider the candidates you are evaluating for recruitment. The focus should be on how effectively the candidates can learn from the breaches and put in foolproof systems to prevent any future attacks from succeeding.</p>
<p>In simple terms, the talent pool you are assessing should have proactive traits, not just reactive responses that are focused more on following standard practices and less on innovation and improvisation through experience and learning.</p>
<p>That’s why when hiring, it is important to focus more on attitude, passion for learning, and self-reflectiveness than purely technical skills. For a top-notch security team, the team members should be able to solve complex problems. To do so, they need to be able to step back and take an honest look at what is and isn’t working so they can quickly identify the best path to make fixes and move forward. This ability to reflect, learn and adjust is the only way to respond in real-time to an unprecedented attack.</p>
<p>Recruiters should look beyond their usual hunting grounds and consider professionals with diverse backgrounds, from mathematics and computer science to psychology and data science. Companies should also reach out to high-profile hacker conferences like Black Hat and DEF CON that may feature talent that bypassed the secondary education system. Diversity of teams leads to diversity of thought, which is essential when trying to solve problems that may not even exist yet.</p>
<h3><strong><u>Training &amp; Mentorship</u></strong></h3>
<p>Businesses need to give their entire IT department the resources and opportunities necessary to stay prepared and up-to-date on the latest cybersecurity defenses. Challenges that may not affect your business or sector today could easily migrate tomorrow. That’s why it is critical to continually train IT and network operations staff on cybersecurity practices.</p>
<p>This can include sending team members to major national and international conferences, providing ongoing certification courses, implementing analyst exchange programs so that cybersecurity professionals can be exposed to different systems, and helping employees build their networks so they can learn from their peers.</p>
<p>Companies should also try to nurture the natural hacker mentality of many cybersecurity professionals to make sure that they stay engaged. For example, organize ‘<strong>Capture the Flag</strong>’ tournaments, pitting security analysts against each other in a safe, competitive environment that challenges them to solve a complex problem. The security battle can’t be fought single-handedly. Success is dependent on the best cybersecurity professionals working together and helping develop the next generation of talent.</p>
<p>Disclaimer: The opinions expressed in this post are those of Daniel Conroy and do not necessarily represent those of Synchrony Financial or Security Current.</p>
]]></content:encoded>
					
					<wfw:commentRss>/how-to-unlock-cybersecurity-talent/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Encryption: To Be Or Not to Be</title>
		<link>/encryption-to-be-or-not-to-be/</link>
					<comments>/encryption-to-be-or-not-to-be/#respond</comments>
		
		<dc:creator><![CDATA[Daniel Conroy]]></dc:creator>
		<pubDate>Thu, 15 Oct 2015 20:17:47 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16500</guid>

					<description><![CDATA[<p>All financial institutions and retailers are looking for solutions to protect credit card and other sensitive data from the moment the magnetic stripe of the payment card is swiped through&#8230;</p>
<p>The post <a href="/encryption-to-be-or-not-to-be/">Encryption: To Be Or Not to Be</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>All financial institutions and retailers are looking for solutions to protect credit card and other sensitive data from the moment the magnetic stripe of the payment card is swiped through to the end of the payment processing cycle.</p>
<p>The current end-to-end encryption solutions between the merchant system (point of sale or POS device) and the card acquirer offer promising benefits for securing credit card transactions, but do not address the extension of encryption beyond the acquirer host system.</p>
<blockquote><p><em><strong>&#8220;End-to-end encryption allows protection of data traveling between two nodes without being intercepted or read by anyone except by the sender and the intended recipient. It includes protection of both <a href="https://en.wikipedia.org/wiki/Confidentiality">confidentiality</a> and <a href="https://en.wikipedia.org/wiki/Data_integrity">integrity</a> of the data.&#8221;</strong></em></p></blockquote>
<p>If it is so secure and protects data during transmission, then why has the adoption been so slow?  This is because the extension of end-to-end encryption across the entire transaction cycle is not simple.</p>
<h3>Challenges</h3>
<p>To be truly effective, the magnetic card reader would be required to encrypt cardholder information immediately after the swipe and before any transmission, even inside the merchant location. This may present challenges because the account number contains the information needed to route the transaction, requiring at least a portion of the data to be in the clear.</p>
<p>The second biggest challenge is that a financial transaction is processed at multiple stages in transit by different applications and platforms, which require decryption and re-encryption at each transaction point. The points of decryption and the systems handling the credit card number in the clear remain unprotected by end-to-end encryption for even brief periods of time, sufficient to expose those systems to sophisticated attacks. This increases the risk of data being stolen during processing or storage at transaction points.</p>
<p>Additionally, as an authorization transaction message is decrypted and re-encrypted, multiple new encryption keys are necessary and require proper operator management, introducing additional complexity and risk into the authorization life cycle. Improper key management could become a new source of data compromise.</p>
<p>The true endpoint in the payments process is the data on the magnetic stripe stored in the clear on the card, and therefore vulnerable to skimming and cloning. Preventing these attacks would require the use of chip cards or similar technology like tokenization in order to better protect cardholder data, and we are seeing progress here with EMV and mobile payment adoption.</p>
<p>Tokenization substitutes the primary account number (PAN) with a non-sensitive value known as a token. A token is considered non-sensitive and does not require security protection because it has no extrinsic or exploitable meaning or value to an attacker. Tokens can be safely used by any file, application, database, or backup medium minimizing the risk of exposing the actual sensitive data. This approach has become popular as a way to increase security of credit card and e-commerce transactions, while minimizing the cost and complexity of industry regulations and standards.</p>
<p>Tokenization is an evolving technology, and as with many evolving technologies, there is currently a lack of industry standards for implementing secure tokenization solutions.  Additionally, the architecture, implementation, and deployment of tokenization solutions can vary considerably, and the risks either created or mitigated by these systems are equally varied.  The security and robustness of a tokenization system is dependent upon the secure implementation of four critical components: token generation, token mapping, card data, and cryptographic algorithm and key management.</p>
<p>Tokenization can be implemented independently or in concert with data field encryption for the protection of cardholder information. These cardholder security techniques, when implemented using well-known and trusted algorithms, can likely provide the greatest level of data confidentiality.</p>
<h3>What Lies Ahead</h3>
<p>Given the rapid increase in processing power, it is obvious that the encryption methods used today will become obsolete in the near future. New methods are being explored, such as honey encryption, which deters – or at least slows down – attackers by serving up fake data for every incorrect guess of the key code and eventually burying the correct key in a haystack.</p>
<p>Another method, quantum cryptography, allows one to distribute sequences of random bits whose randomness and secrecy are determined by the laws of quantum physics. These sequences can then be used as secret keys with conventional cryptography techniques to ensure the confidentiality of data transmissions. This works because it is impossible to copy data encoded in a quantum state: the very act of reading data encoded in a quantum state changes the state. This is used to detect eavesdropping in quantum key distribution.</p>
<p>There has been a parallel debate on whether government should have backdoor access or duplicate decryption keys. At present, no technological solution exists that would allow government to have as-needed access to company data. Requiring companies to produce duplicate keys would certainly increase the risk of cyber attacks, but government’s argument has been that terrorist organizations recruit their members through mobile messaging apps that are end-to-end encrypted and may not be intercepted.</p>
<p>All we know for sure is that we must continue to prepare for the unknown. With the Internet of Things, the amount of data has risen exponentially. Discovering new methods to safeguard that data is an exciting challenge for all of us in Information Security.</p>
]]></content:encoded>
					
					<wfw:commentRss>/encryption-to-be-or-not-to-be/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Information Security: Learning From the Past to Improve Our Future</title>
		<link>/information-security-learning-from-the-past-to-improve-our-future/</link>
					<comments>/information-security-learning-from-the-past-to-improve-our-future/#respond</comments>
		
		<dc:creator><![CDATA[Daniel Conroy]]></dc:creator>
		<pubDate>Tue, 04 Aug 2015 20:56:26 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16520</guid>

					<description><![CDATA[<p>Things were simpler in the past. I know we hear that sometimes and to a certain degree this is true. It is also true that he who forgets the past&#8230;</p>
<p>The post <a href="/information-security-learning-from-the-past-to-improve-our-future/">Information Security: Learning From the Past to Improve Our Future</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Things were simpler in the past. I know we hear that sometimes and to a certain degree this is true. It is also true that he who forgets the past is doomed to repeat it. In the world of information security (IS), both adages apply.</p>
<p>Back in ancient history – in this case the 1980s (ancient in terms of IT evolution) – information security was an afterthought. The focus was on building “simple” networks with business enablement and functionality as the primary concerns. Back in those early days, hacking was more of a hobby than a malicious activity.</p>
<p>Those of us old enough to remember the movie WarGames will note its stark warning of how quickly things can unintentionally escalate. The first “simple” computer viruses began to emerge at this time as well. During the 1990s, we started to see more advanced network-aware code with the potential to cause real disruption.</p>
<p>Around this time, both government and private industry began to see the threats and to varying degrees take them seriously. Early intrusion defense tools, intrusion prevention systems (IPS) and intrusion detection systems (IDS), made appearances to mitigate these threats. In retrospect, these were simple and reactionary attempts at best.  The IS model then was to “put out the fires” as they occurred.</p>
<p>Fast forward to today and we see that elements of this model still exist in practice. While security solutions and IS programs have become more intuitive and proactive, the firefighter mentality still prevails.  Many of the issues of the past have never been fully eliminated, either.</p>
<p>There are still issues with weak authentication mechanisms and password management. Simple passwords with no multifactor authentication are still widely used! Viruses and malicious code such as SQL Slammer and the Nimda worm are still in circulation. Vulnerabilities such as Heartbleed will continue to linger on and haunt organizations for years to come.</p>
<p>Many are still dealing with old, poorly written code. In many cases these exist at an operating system (OS) level and may never be remediated. Bugs in commercially available software pose real threats; how many older versions of Adobe Flash with critical security flaws are still running out there? Things like “bolt on tech” where a point solution is applied that only addresses one or two issues continue to propagate.</p>
<p>What about unchecked mobile apps? Who thought bring your own device (BYOD) was a good idea? It’s a good idea for hackers as it allows them to compromise internal networks via social media.  In many ways, history is repeating itself.</p>
<p>Today, the threat landscape has advanced exponentially. We are no longer dealing with the Matthew Broderick type of hackers we saw in the 1980s. State-sponsored espionage, denial-of-service attacks, botnets, insider threats, cloud migration and mobile devices are some of the top challenges for IS.</p>
<p>The sheer number of devices is further complicating things. Recently the Internet Assigned Numbers Authority ran out of IPv4 addresses in North America. That should give some indication of the scale of the problem. As more and more devices become “smart,” real challenges are on the horizon.</p>
<p>It has been theoretically and practically demonstrated that hackers have the ability to control <a href="https://www.cnbc.com/2015/02/09/more-connected-cars-may-mean-more-hacked-cars.html">modern cars</a><a title="" href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/information-security-learning-from-the-past-to-improve-our-future#_ftn1" name="_ftnref1">[1]</a> and <a href="http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/">aircraft</a><a title="" href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/information-security-learning-from-the-past-to-improve-our-future#_ftn2" name="_ftnref2">[2]</a> &#8211; in one case causing a passenger jet to turn without the pilot’s input. The Internet of Things (IoT) and the proliferation of “smart,” connected devices means that cyber attacks are getting serious, with the potential to cause serious physical safety concerns – think water treatment plants, power grids, etc.</p>
<p>Another big concern is the ongoing development of artificial intelligence. In the future, how will IS integrate, adapt and most likely defend against “thinking machines”?  Just as we must not forget history, we must look to the future as well. The purpose of this history lesson is to ensure that we also learn from the past, not repeat it.</p>
<p>The old model of information security must evolve to address 21<sup>st</sup> century threats. As IS professionals, we must embrace the future and work collectively to educate, hire, train, and retain top talent and promote collaboration in our industry to avoid being “doomed” by the past.</p>
<div>
<hr align="left" size="1" width="33%" />
<div id="ftn1">
<p><a title="" href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/information-security-learning-from-the-past-to-improve-our-future#_ftnref1" name="_ftn1">[1]</a> “More connected cars may mean more hacked cars,” CNBC. February 9, 2015.</p>
</div>
<div id="ftn2">
<p><a title="" href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/information-security-learning-from-the-past-to-improve-our-future#_ftnref2" name="_ftn2">[2]</a> “FBI: Hacker claimed to have taken over flight&#8217;s engine controls,” CNN. May 18, 2015.</p>
</div>
</div>
]]></content:encoded>
					
					<wfw:commentRss>/information-security-learning-from-the-past-to-improve-our-future/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Most Important Element of Information Security Success</title>
		<link>/the-most-important-element-of-information-security-success/</link>
					<comments>/the-most-important-element-of-information-security-success/#respond</comments>
		
		<dc:creator><![CDATA[Daniel Conroy]]></dc:creator>
		<pubDate>Thu, 25 Jun 2015 00:30:41 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16557</guid>

					<description><![CDATA[<p>As a CISO, I am often asked, “What is the key component to the success of an Information Security organization?” Too often, we dwell on the failures or gaps, and&#8230;</p>
<p>The post <a href="/the-most-important-element-of-information-security-success/">The Most Important Element of Information Security Success</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As a CISO, I am often asked, “What is the key component to the success of an Information Security organization?” Too often, we dwell on the failures or gaps, and it is important to recognize where these faults lie in order to enhance the program’s capabilities.</p>
<p>But when things are “working,” it is easy to become complacent.  When a properly planned and managed component protects the firm, in many cases, accolades are not offered.</p>
<p>In the current information security landscape, there are many moving parts that need to work seamlessly to ensure the protection of company assets, maintain compliance and continually evolve to address new challenges.</p>
<p>Vulnerability and threat management, security operations, assurance, data loss prevention, intrusion detection and prevention as well as metrics and reporting, comprise some, but not all, aspects of a successful information security organization.</p>
<p>Much advancement has been and continues to be made in the “intelligence” of these products and today there are multiple vendors and solutions to choose from to achieve the desired results.</p>
<p>For example, detection and prevention tools have advanced from static, signature-based to advanced anomaly detection.  Collecting, correlating and analyzing the data and events generated from these disparate systems, whether network or agent-based, has improved greatly. However, even with advanced analytics and event correlation tools, there is still the human factor that I believe is at the core of any successful program.</p>
<p>In my opinion, people are the most important part of any organization, especially one as dynamic as information security.  All of the most advanced tools, properly planned and implemented are still only “tools” without knowledgeable people to manage, maintain and analyze their output(s).</p>
<p>Knowledge, aptitude and work ethic are desired qualities in individuals, but the ability to communicate and work as a team is what achieves success. No matter what sport you may follow, we have all seen teams with great talent fail time and time again due to internal divisiveness and a lack of cohesion.</p>
<p>Many businesses emphasize employee engagement and have retention policies and incentives to keep their top talent.  Talented individuals tend to be self-motivated and committed. So while it helps to have these programs, they are not the only factors in building and maintaining a great team.</p>
<p>I have found that creating a culture that emphasizes common goals and allows individuals to participate actively is one part; the other is to demonstrate appreciation and loyalty. This last part is the hardest challenge. People want their opinions to be listened to and respected and they appreciate managers who “have their back.” This is my philosophy and I encourage others to consider this approach.</p>
<p>Using a sports team analogy, it doesn’t always matter who the highest paid or most talented player is if the rest of the team won’t block, tackle or make the extra effort on their behalf. Great teams need to understand the game plan and need to communicate effectively. No championship in any team sport has ever been won without good coaching and team coordination.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-most-important-element-of-information-security-success/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
