With the increasing volume and severity of cyberattacks, and the reliance of modern business on information systems, every organization must rely on one or more security professionals to increase its resilience and its ability to respond to incidents. Across the country, there are far more open positions at companies that need information security talent than there are qualified individuals to fill them. Salaries are high, and in some cases businesses in lower cost-of-living areas are competing directly with companies that are located in large cities but allow remote work.
I’ve discussed offense-oriented testing in previous columns here, and as you can imagine, it’s seen as a glamorous profession. Who in technology wouldn’t want to legally be allowed to be a hacker? This, combined with demand, leads to training and certification programs that prey on those looking to get their “foot in the door,” and, in turn, mislead companies that then hire these individuals or contract with companies that do.
How easy is it for someone to become a “certified” hacker? For most training programs that target this area, the class is brief and focuses on the material that will be tested. In researching the material, I have found that these programs usually neglect covering testing procedures that ensure the safety and security of the client network during the test. Candidates are often allowed to skip the class and go straight to the test. These tests are brief, multiple choice, and very few programs require any demonstration of skill or understanding. In some certification programs, students are required to have a small amount of experience in “security related” fields, but this is often not strictly enforced and “fudged” with unrelated IT experience.
How does this represent a danger to your business? Security testing provided by unqualified professionals who have rushed through these programs has the potential to grind your operations to a halt. Many in this field rely on automated tools that wind up being the wrench thrown into your business’ machinery. Testing systems they do not understand results in downtime for critical systems and the potential for data loss. Inexperienced security monitoring specialists wind up “chasing ghosts,” investigating threats in your network that aren’t there. All of this will cost you exponentially more than you have budgeted for what appeared to be a good deal on the services you’ve contracted or the people you’ve hired.
How can you make sure you’re getting qualified security help? If it’s too difficult to find individual talent, or too expensive to hire them full-time, you will likely need to have security testing performed on a contract basis (which also provides valuable third-party oversight). Spend some time interviewing your vendors on their qualifications. Years of education in related degrees such as computer science, plus experience in security testing, should trump week-long training classes every time. Ask them what they had to do to get their certifications, and what impact it has on their testing capabilities. How do they use automated tools (merely verifying automated results by hand is not good enough)? How do they secure their own operations and testing?
While the talent shortage and skills gap in information security may make it difficult to find talent, getting security testing without exploring your vendor’s real qualifications may cost you everything.