Top 7 Strategies for Overcoming IT Talent Shortages
DESCRIPTION
Learn from Cenzic's Chris Harget as he describes the top strategies for maximizing the security effectiveness of current staff and resources. Specifically, you'll learn:
- Symptoms you are short-handed
- Key indicators for which strategy will maximize value from existing staff and resources
- Creative tips for convincing your organization to make changes
The current market environment makes finding, training and retaining the right IT employees challenging. Challenges or not, you can gain the skills to protect your organization from excessive security risk. This presentation is a great place to start.
TRANSCRIPT
Cenzic Live! Webinar: Top 7 Strategies For Overcoming IT Security Talent Shortages
Chris Harget - Product Marketing
Agenda
Symptoms
Strategies
Finding The Win
2 Cenzic, Inc. - Confidential, All Rights Reserved.
Symptoms Of IT Security Talent Shortage
Know The Signs
Incomplete picture of security posture
Backlog of untested applications
Slow remediation when app vulnerabilities discovered
Things done wrong/done twice
Too many long shifts
Open reqs, hiring freezes, “irreplaceable” departures
No vulnerability monitoring of production apps
Data Breaches
The Need Is Significant
Chart. Source: Cenzic Application Vulnerability Trends Report 2013
Mobile App Vulnerability Types - 2012
Chart. Source: Cenzic Application Vulnerability Trends Report 2013
Benchmarks For IT Security Staffing…
…Are Really Hard To Come By.
How many security analysts/100 apps?
That depends on:
– Size of apps
– Depth of scan desired
– Coding practices
– Scanning frequency
– Quality of scanning tools
– Division of labor with QA/Dev/Production/GRC
Know Your Specific Shortage
Not enough bodies
Not enough time
Not enough skills
Not enough tools
7.2
Strategies For Overcoming IT Security Talent Shortage
Bodies: Finding/Hiring/Renting
Job titles include:
– Application Security Analyst/Architect
– Penetration Tester
– Application Security Engineer/Tester/Specialist
– Ethical Hacker
If you can’t hire locally, consider managed services
– May be easier/faster than getting increased headcount
– Helps jump-start process
Time: Prioritize, Specialize, Automate
Prioritize
– Are you mitigating the biggest risks first?
Specialize
– What tasks are best done by your team?
– e.g., remediation, management
– What tasks can be offloaded?
– e.g., Dev trains app traversals or Managed Service runs scans
Automate
– Leverage Enterprise-grade tools
Talent/Skills: Train, Borrow, Rent
Train
– How to scan, coding best practices, how to manage
Borrow
– Get Developers for app training & Remediation
– Get QA for re-running scans
Rent
– Managed Services can augment specialized tasks
Tools: Quality and Quantity
Quality
– More accurate scanners improve security and save time
– Quantified app risk scores enable optimal risk mitigation
– Enterprise dashboard shows total risk and trends
Quantity
– Web-based app-training tool goes everywhere needed
– Having enough seats for each Analyst, Developer, QA, GRC, and Executive leverages whole organization
Top 7 Strategies
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
Finding The Win
Justifying Resources
Non-technical people need non-technical explanations
– Keep it simple
– Use cost-benefit for budget
– Use relative-risk for reallocating people
Quantified risk is easier to understand
– E.g., Cenzic’s HARM™ scores
Bonus: Watch “Top 10 Ways To Win Budget for Application Security”
https://info.cenzic.com/webinar-security-budget.html
Making the Case Simply…
Hackers use hidden Application commands to steal data and damage web sites.
Gartner Group says 75% of attacks now target the Web Application Layer
Scanning tools and App Security experts help efficiently find and patch these vulnerabilities.
Detects Web & Mobile App Vulnerabilities
Easy-to-use Software, DIY Cloud, or Managed Service
Accurate behavior-based Scanning protects
– 500,000+ online applications
– $Trillion+ of commerce
Delivers best continuous real-world Risk Management
Tools
Cenzic Enterprise
– Unified console
– Web-based app-configuring makes it easier/more affordable for people all over your enterprise to contribute
– E.g., Developers can define traversals of their own apps
Application Vulnerability Monitoring In Production
One-click virtual patching via tight integration with leading Web Application Firewalls
Diagram: Identify Risk + Mitigate Risk
Managed Services Offerings – At-a-glance

Tier      Scope
Bronze    Industry best-practices for brochureware sites
Silver    Industry best-practices for forms and login-protected sites
Gold      Compliance for sites with user data
Platinum  Comprehensive scans for mission-critical applications

Feature                       Bronze  Silver  Gold  Platinum
Phishing                      X       X       X     X
Light input validation        X       X       X     X
Data security                 X       X       X     X
Session management                    X       X     X
OWASP compliance                              X     X
PCI compliance                                X     X
Business logic testing                              X
Application logic testing                           X
Manual penetration testing                          X
Compliance in a Hurry
Who?
– A Health Maintenance Organization
Need?
– Deep scan of a new application on a tight development schedule to ensure compliance.
Solution?
– Cenzic PS performed manual penetration testing along with comprehensive vulnerability scanning, providing a very thorough assessment that could suffice for any compliance or audit need.
Rapid OnBoarding of New Apps
Who?
– A Fortune-100 Banking and Services company
Need?
– Quickly begin scanning 110 applications
Solution?
– Cenzic PS did Custom Onboarding Engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software.
Result?
– Met their timeline needs, and kept the scanning results in-house, per their corporate policy.
Methodology Assessment With Developers
Who?
– Global NGO with thousands of web sites
Need?
– Methodology Assessment of their security posture, and real-world training of their Developers
Solution?
– Cenzic PS did a 3-day engagement with their App Developers.
– Reviewed the 10 most common vulnerabilities and found examples in their production apps.
– Cenzic PS demonstrated on a live demo site how a hacker could exploit those specific types of vulnerabilities.
– Reviewed coding best practices to completely eliminate said vulnerabilities.
Vulnerability Scanning a Mobile App
Who?
– High technology company with a mobile application that accessed sensitive customer data
Need?
– Vulnerability scan a mobile app that cannot be traditionally traversed with a spider.
Solution?
– Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy inline with the mobile app, which allowed technicians to replay various attacks, and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
Fitting Strategy to Your Need
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
Cenzic Can Help
Train your people
Give them better gear
Have someone else carry the baton
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Questions?
[email protected] or 1.866-4-Cenzic
Blog: https://blog.cenzic.com