With the leap this year in the number of data breaches, there’s enough finger-pointing going around to make IT professionals stay in bed forever.
The latest comes from John McCormack, CEO of Websense, a maker of gateways and data security solutions, who blamed employers for the lack of skilled people in data centres.
Security teams are “not keeping up well,” he complained in an interview Tuesday, because of a skills shortage, a lack of spending on IT security and a failure by vendors to deliver simpler security systems.
“Either we don’t have the technology to defend ourselves, we don’t have the business behind us to defend ourselves, or we don’t have the competencies. I’m quite sure we have most of the technology to stop many of these problems, many businesses are spending more than ever on cyber security — although some are clearly making decisions to not spend enough — but most of the issues in my mind boil down to lack of competency.
“In the industry we need to deliver simpler systems that just work and don’t require a level of sophistication by the customer that quite frankly isn’t there as we bring more junior people into this industry.”
“Vendors have to continue to simplify their systems. What is it about the Target environment they have so many false positives they can’t believe their tools any more?” he asked. “What is it about Neiman Marcus that they have so many malware alerts they can’t even see them, although they have everything else in place?”
“I’m convinced the amount of competency you need continues to go up, it’s putting pressure on the number of people in the industry, you’re reacting to that because you can’t have holes on your team, organizations are reacting to this by bringing in less skilled people, and yet we’ve got an assumption that the people doing this work have the same level of (IT security) skill as the previous generation had and that’s not a valid assumption.
“We need to drive more actionable intelligence into the hands of these junior people.”
On the recent discovery of the GNU Bash vulnerability (dubbed Sherlock) in Linux, his advice is to patch frequently, look to your security providers for mitigating tools, and assume that sophisticated cyber criminals have known about it, so if any system shows a known vulnerability, do a forensic analysis.