Blogs | Texas Integrated Services


Cybersecurity is constantly changing!

Cybersecurity is a field that's constantly changing, and we're going to see a lot more of that change over the next five to 10 years. I think our field is shifting. It's shifting from a field that's full of technical doers, to one that's full of integrators and consultants and advisors. And there's three main trends that are really pushing us in that direction. The first one is cloud. By moving a lot of our services to the cloud, whether it's infrastructure as a service, platform or software as a service, we're putting a lot of the deep technical responsibility on those cloud providers.

And certainly, those cloud providers then need security professionals who are capable of working at really low levels in the stack, but it means that our organizations don't. So there's going to be fewer of those types of positions available. In internal IT organizations, we're gonna find ourselves shifting more from positions where we're building our own SANs, to ones where we're trying to figure out how to use the security controls offered by our storage providers. So that's one big shift. The second game changer for cyber security is mobile.

We've seen a lot of evolution in the mobile space in the past few years. And a lot of that's been driven by the consumerization of IT. We have employees now who are carrying around in their pockets technology that's far beyond what we ever had in the office a few years ago. And what this is doing is it's setting expectations for IT, and it's doing that in a good way. It's raising the bar and making IT organizations step up and deliver a really solid experience to end users. But at the same time, we're seeing mobile cause some security things that we need to think about a little differently.

People are bringing devices that they own into the office, and we have this whole trend towards bring your own device policies, where organizations are encouraging this. And that's a big shift, and what it's doing is it's moving our focus on security away from a network perimeter and towards the security of data. We can't really secure a network location anymore because those network locations are moving all over the place. What we really need to do is focus on the data and make sure that wherever our data goes, it's secure, whether it's on a corporate owned laptop or a server, or whether it's being accessed by an employee on the road using a mobile device that belongs to him or her.

Really, the situation changes quite a bit, and that's really a big shift for cybersecurity professionals. Then the third game changing development we're seeing in cybersecurity, and this is really just starting to emerge, is the Internet of things. You can't really walk around a store anymore without seeing smart this or smart that. And it started with smartphones, and then moved to smart televisions and other things, and now I even have a smart sprinkler system in my house. You know, if I look around my house now, I have over 100 networked devices in my home, and you probably do too, if you start to think about all the different things that can access a network.

That's only going to continue to evolve as processors get cheaper, networking technology gets cheaper and easier to use, and backend cloud services are developed that can handle and process all of this data and really enable us to do fun and exciting new things. What that causes for us in the cybersecurity profession is some new things that we need to think about. First, some of those consumer smart devices that are beginning to form the Internet of things are making their way to the office. Maybe somebody brings in a network-enabled photo frame for their desk.

Or we start seeing tablets and other devices that people are bringing in. All of these things kind of leak into the office and start joining our networks. And then even businesses are actually starting to deploy Internet of things scenarios to help achieve their business objectives. You know, if it's a manufacturing organization, they probably already are using all sorts of sensors on the factory floor. But even in my office at the university, we just had a smart thermostat installed the other day to help manage temperature. So, all of these things are joining our networks, and we need to make sure that they're secured to the same standards that we use for computers and other devices, because anything on the network can pose a risk to anything else.

So we really just need to think about network segmentation, separating things that might be risky from other devices, and making sure that the devices that are connected to the network are configured and maintained in a secure manner.

What are some of the key controls in the cloud?

Encryption is one of the most important controls that an organization can use in the cloud. I can't say enough about it. Encryption is just awesome. It's like waving a magic wand over your data. If you use encryption appropriately, you can take sensitive information and turn it into non-sensitive information that you can then put almost anywhere. You can take encrypted data, put it in a cloud provider or anywhere else, ship it over the internet, mail it, with the confidence that nobody is going to be able to decrypt that information without access to your decryption keys.

Now that's why key management is an absolutely critical concern when you're using encryption as a control in the cloud. You need to make sure that you know where those keys are, and that you manage access to them very carefully, because if anyone gets access to those keys, they're basically getting access to your data. So when you're storing data in the cloud, even when it's in an encrypted form, you want to make sure that you don't also store the decryption keys with that data, because if someone is able to defeat the security controls at that cloud provider and gain access to your encrypted information, if your keys are also there, they can then use those keys to decrypt your information and they have access to what you had in the first place, and you've really defeated the purpose of using encryption.

How secure is cloud computing?

The world is shifting towards cloud computing and it's clear that the cloud is the future of information technology. The great thing is there's no reason that the cloud can't be secure. And in fact, in many ways, we can find cloud services where security controls actually far exceed what we're currently doing in on-premise situations, or even what we're capable of doing. Take physical security as an example. Many, many organizations run their own data centers today, and if you look at how those run and if you look at the physical security controls around them, they're typically protected with card readers, maybe some biometric access controls, maybe a few security cameras.

Compare that type of situation to the data centers that are run by major cloud providers. If you look at what Amazon and Google and Microsoft are doing, they run their data centers like fortresses, with 24/7 security guards and roving patrols and cameras and barbed wire and the types of controls that we could never even possibly dream of, because on the scale of a single organization, putting those controls in place just simply isn't practical. So that's one example of a place where operating in the cloud can actually really enhance our security controls.

How is security different in government, business, and education?

If you look at the foundations of information security, they're all there. For example, we look at the CIA triad, the three things that information security professionals always think about. Confidentiality. Making sure that nobody has access to sensitive information that shouldn't. Integrity. Making sure that nobody can make an unauthorized modification to information. And availability. Making sure that authorized users have access to the information that they need when they need it.

Those three things are the cornerstone across all industries of information security. The other thing that's true across all industries, is that security is about risk. It's about risk management. Going out and looking at different situations, trying to figure out what risks are involved, and then taking actions to mitigate that risk to the extent that's appropriate given the business context. Now, there are also differences in information security across different industries. When you're in the government, you're in a situation where maybe you're involved as a regulator, or you're trying to sort through a lot of different regulations that actually apply to you as a government agency.

And the government tends to move pretty slowly. So, being in security in that type of environment can sometimes be a little frustrating, but you know that the work that you're doing is contributing to society as a whole. In business, you wind up with a much faster pace, and you have different goals though. The organization has clear business objectives, and the role of security in those situations is to make sure that the organization can achieve its business objectives without jeopardizing its security objectives at the same time.

And then, education works actually in ways that are pretty similar to the way business works, but you have an added twist. You have a mission of educating students. So, you often find students involved in your security operations. You might have student employees working side by side with your regular staff, and part of our mission is to make sure that we educate our students about the field, and give them opportunities for professional growth and development, as well.

How can organizations prevent incidents?

I'll let you in on a secret. There's one security control that organizations can use that really will help with security incidents, but it's so often overlooked. And it's minimizing the amount of information that you have. When you look at the history of security breaches, probably the most damaging breaches that have occurred, and the ones that make news headlines are the ones that involve really sensitive personal information. Things like social security numbers and credit card numbers. When you start digging into what happened during those breaches, so many times the organization just had maintained massive amounts of information that they either never needed in the first place, or the need that they had for it had passed and it was just kept either by accident or just because somebody never bothered to go and clean it up.

So one of the most important things an organization can do is go through and search all their systems and databases and other information repositories and seek out the really sensitive information. There are tools that can go and search for social security numbers and search for credit card numbers based on pattern matching and other algorithms that can really reduce the number of false positives and zero in on those sensitive pieces of information. If you go out and remove as much of that as you possibly can you're really going to limit the amount of damage that occurs during a breach.

If you can get rid of it, then if a hacker manages to break into your network and there's some sort of security incident, it might not be something that you even need to report, because there wasn't any sensitive information stolen. If there is sensitive information stolen, by deleting most of it, you've managed to really narrow down the number of people that it affects.

What career opportunities exist in cybersecurity?

So there are really three different ways you can move in your career in security. If you go down the technical route, there are many sub-disciplines of information security that you can explore. Forensics analysts can get involved in all sorts of investigations, either on the law enforcement side working for the government, or an internal group within an organization that's just looking at internal investigations and incident response, and those sorts of things. You can also get involved in becoming a security architect, figuring out whenever you're designing new systems, networks, whatever it might be, how to make sure that security is a key design element from the very beginning of that project and make sure that it permeates the rest of the project.

It works much better when security is designed as an architectural consideration instead of trying to be bolted on afterwards, it just doesn't work well that way. So those are some of the more technical things you can do. On the consulting side, there's a lot of roles both within organizations, and with consulting firms. You could be a security consultant and travel around the world quite a bit, work with different clients, and projects every week and have a really deep specialty in one particular area where knowledge is sought out. Or, you could be an internal consultant and help different business functions within the organization to figure out how to incorporate security into the different efforts that they're engaging in.

Then the last career track, and this is usually for people who have a few years of information security under their belt, is going into management. You can become a team lead within a security organization and manage a team of security professionals working in one particular area. Or eventually maybe move on to become a chief information security officer and have responsibility for security across the entire organization. And one of the things we've seen is information security specialists actually moving into more senior roles within the IT organization.

Security really does cross all the different areas of IT and that forms a really great basis for someone to potentially move on and become a senior IT leader, or even a chief information officer.

What are entry-level security positions like?

A cyber security professional usually begins his or her career more on the technical side of things. It's pretty rare for someone to come into the field and begin on the consulting side. And that's really important, because what it does is allows someone to start building a base of knowledge that's going to serve as the foundation for the rest of their career. Typically a cyber security professional just starting out will do things like log monitoring and analysis, and some of the other deeply technical parts of the field, where you're really getting hands-on and rolling up your sleeves, dealing with the data, trying to figure out what's going on on the network, and that helps build really important skills, because you learn to put together different sources of information and figure out the role that different security technologies play in an organization's infrastructure.

So during that time that someone's in their first position, they really should be thinking about how everything works and really making sure that they have that solid base.

What are a security professional’s main responsibilities?

The responsibilities of a cyber security professional can vary quite a bit. It really depends on two things, where someone is in their career and the type of position that they have. Positions really fit into two different categories. You can be more on the technical side where you're working hands on with some security equipment, or you could be more on the consulting side where you're spending a lot of your day working with people and projects. On the technical side, cyber security professionals do all sorts of different things, sometimes there are operations responsibilities where you might be managing a firewall, or installing intrusion detection systems and doing that type of work, or you might be doing monitoring and log analysis and watching for signs of unusual activity on the network.

Cyber security professionals also get involved in desktop management and server administration and those sorts of things as well. On the consulting side, cyber security professionals spend a lot of time working with projects and people. A lot of the profession is about building relationships and being able to work across the organization and explain to people the importance of cyber security, and also how the actions that they're taking can have an impact on the organization that they might not otherwise foresee, so the cyber security professional in that role is really there as an advisor and a consultant to help bring subject matter expertise and a security perspective to different work that the organization is doing.

What’s the appeal of working in cybersecurity?

I think the great thing about security is that it's a field where you can have an immediate impact on the business. Protecting information is really critical in this day and age. Information has just become so important to us, and there's so many ways that things can go wrong. And security is like a puzzle. You're playing defense, and you're trying to make sure that you've put all the controls in place that are going to prevent something bad from happening. And the threats that are out to get you are changing all the time.

And you have to make sure that the controls that you've put in place are evolving to meet those new threats. So it's a challenge that never ends. And it's a field where you can just learn so much because it touches every other discipline of information technology. So to be a good security professional, you have to have an amazing breadth of knowledge. It doesn't necessarily have to be very deep, but you have to understand how storage works, how networks function, how a database works. You might find yourself looking at packets on a network one day and digging into the commands that a web application is sending to a database the next day.

So you have to have this breadth of knowledge across the entire field of IT, and you just learn something new every single day in security.

How does your experience influence your personal security practices?

I think one of the challenges for new cyber security professionals is as you're getting into this field you start to realize all of the possible things that can go wrong. There are just so many threats out there, and there are so many different ways that security can be jeopardized that you really start to get this paranoid attitude that everybody's out to get you, and if you don't do everything exactly right the world is going to end, and eventually you develop a little wisdom and maturity that comes with time, and you realize that you can't live your life that way, and you really have to introduce reasonableness to it, and just like you would in your business, it's all about risk, and it's about risk assessment and risk management, and when you think about analyzing a risk you have to look at two different things, you look at the probability of that risk occurring and the impact if the risk actually does occur, and if either one of those things is relatively low it's not that critical that you address that risk.

It's when something's a high risk that has high impact and high probability that you really want to think about the situation. Now, that said, I can't say that the habits I've developed as a security professional don't sometimes drive the people around me nuts, like I have an incredibly complex password on the WiFi in my house because I want to make sure that's protected, and it's a little difficult for the members of my family to remember that long password, and especially to share it with guests when they come to our home, so sometimes you have those little quirks as a security professional that drive the people around you just a little bit crazy.

