–Shortage of Cyber Security Professionals Felt Worldwide
(October 14, 2013)
Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists.
http://www.nbcnews.com/technology/cyber-defenders-are-short-supply-hacking-wars-escalate-8C11390053
[Editor’s Note (Assante): Human talent continues to move up the list of vulnerabilities that organizations need to deal with! Managers struggle to identify the best competency mix for their organization. Commercial contracting is their primary means of tapping into deeper, hard-to-find expertise. There have been limited experiments in sharing competencies, such as the ICS-CERT fly-away team and proposals to tap into talent in National Guard cyber units. Figuring out how to get talent to the need will require a massive effort.
(Paller): The one program that has demonstrated it can find and develop the needed talent is Cyber Aces. With more than 7,500 entrants (veterans, college students, job seekers, more) from the efforts of the governors in just 5 states (See “Leaderboard” near the end of this issue), it is clear this program has found the formula for tapping the hidden national talent pool and can scale to meet more of the demand.
The best of last year’s group is already enrolled in advanced training programs and demonstrating they are exactly the talent that is needed.
To ensure the skills being developed meet employers’ needs, an initial board of founding employer-sponsors is being formed. To be considered for membership, email Kate Straus kate@eventsinc.net.]
–Voluntary Executive Order Cybersecurity Standards Could Become Baseline Expectations
(October 11 & 14, 2013)
US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach.
The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, “There is a major difference between being ‘compliant,’ and being ‘secure’” and that securing data is not an endgame – it’s a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014.
[Editor’s Note (Pescatore): Nothing new will come out of the NIST “Yet Another Framework” effort, given the widespread existence of many other voluntary and involuntary frameworks. The baseline expectations already exist – customers expect businesses to protect their data, and it is very, very expensive when businesses don’t.]
–Brazil Plans Secure Government eMail System
(October 14, 2013)
The Brazilian government has given the country’s Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government’s electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country’s national oil company, Petrobras.

