Top 7 Strategies for Overcoming IT Talent Shortages
Cenzic Live! Webinar: Top 7 Strategies For Overcoming IT Security Talent Shortages
Chris Harget - Product Marketing
Agenda
Symptoms
Strategies
Finding The Win
Cenzic, Inc. - Confidential, All Rights Reserved.
Symptoms Of IT Security Talent Shortage
Know The Signs
Incomplete picture of security posture
Backlog of untested applications
Slow remediation when app vulnerabilities discovered
Things done wrong/done twice
Too many long shifts
Open reqs, hiring freezes, “irreplaceable” departures
No vulnerability monitoring of production apps
Data Breaches
The Need Is Significant
[Chart] Source: Cenzic Application Vulnerability Trends Report 2013
Mobile App Vulnerability Types - 2012
[Chart] Source: Cenzic Application Vulnerability Trends Report 2013
Benchmarks For IT Security Staffing…
…Are Really Hard To Come By.
How many security analysts per 100 apps?
That depends on:
– Size of apps
– Depth of scan desired
– Coding practices
– Scanning frequency
– Quality of scanning tools
– Division of labor with QA/Dev/Production/GRC
Know Your Specific Shortage
Not enough bodies
Not enough time
Not enough skills
Not enough tools
7.2 Strategies For Overcoming IT Security Talent Shortage
Bodies: Finding/Hiring/Renting
Job titles include:
– Application Security Analyst/Architect
– Penetration Tester
– Application Security Engineer/Tester/Specialist
– Ethical Hacker
If you can’t hire locally, consider managed services
– May be easier/faster than getting increased headcount
– Helps jump-start process
Time: Prioritize, Specialize, Automate
Prioritize
– Are you mitigating the biggest risks first?
Specialize
– What tasks are best done by your team?
– e.g., Remediation, Management
– What tasks can be offloaded?
– e.g., Dev trains app traversals or Managed Service runs scans
Automate
– Leverage Enterprise-grade tools
Talent/Skills: Train, Borrow, Rent
Train
– How to scan, coding best practices, how to manage
Borrow
– Get Developers for app training & Remediation
– Get QA for re-running scans
Rent
– Managed Services can augment specialized tasks
Tools: Quality and Quantity
Quality
– More accurate scanners improve security and save time
– Quantified app risk scores enable optimal risk mitigation
– Enterprise dashboard shows total risk and trends
Quantity
– Web-based app-training tool goes everywhere needed
– Having enough seats for each Analyst, Developer, QA, GRC, and Executive lets the whole organization contribute
Top 7 Strategies
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
Finding The Win
Justifying Resources
Non-technical people need non-technical explanations
– Keep it simple
– Use cost-benefit for budget
– Use relative-risk for reallocating people
Quantified risk is easier to understand
– E.g., Cenzic’s HARM™ scores
Bonus: Watch “Top 10 Ways To Win Budget for Application Security”
https://info.cenzic.com/webinar-security-budget.html
Making the Case Simply…
Hackers use hidden application commands to steal data and damage web sites.
Gartner Group says 75% of attacks now target the Web Application Layer
Scanning tools and App Security experts help efficiently find and patch these vulnerabilities.
Detects Web & Mobile App Vulnerabilities
Easy-to-use Software, DIY Cloud, or Managed Service
Accurate behavior-based Scanning protects
– 500,000+ online applications
– $Trillion+ of commerce
Delivers best continuous real-world Risk Management
Tools
Cenzic Enterprise
– Unified console
– Web-based app-configuring makes it easier/more affordable for people all over your enterprise to contribute
– E.g., Developers can define traversals of their own apps
Application Vulnerability Monitoring In Production
One-click virtual patching via tight integration with leading Web Application Firewalls
[Diagram] Identify Risk + Mitigate Risk
Managed Services Offerings – At-a-glance

Tier       Scope
Bronze     Industry best-practices for brochureware sites
Silver     Industry best-practices for forms and login-protected sites
Gold       Compliance for sites with user data
Platinum   Comprehensive scans for mission-critical applications

Test                          Bronze  Silver  Gold  Platinum
Phishing                      X       X       X     X
Light input validation        X       X       X     X
Data security                 X       X       X     X
Session management                    X       X     X
OWASP compliance                              X     X
PCI compliance                                X     X
Business logic testing                              X
Application logic testing                           X
Manual penetration testing                          X
Compliance in a Hurry
Who?
– A Health Maintenance Organization
Need?
– Deep scan of a new application on a tight development schedule to ensure compliance.
Solution?
– Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need.
Rapid OnBoarding of New Apps
Who?
– A Fortune-100 Banking and Services company
Need?
– Quickly begin scanning 110 applications
Solution?
– Cenzic PS did Custom Onboarding Engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software.
Result?
– Met their timeline needs, and kept the scanning results in-house, per their corporate policy.
Methodology Assessment With Developers
Who?
– Global NGO with thousands of web sites
Need?
– Methodology Assessment of their security posture, and real-world training of their Developers
Solution?
– Cenzic PS did a 3-day engagement with their App Developers.
– Reviewed 10 most common vulnerabilities, found examples in their production apps.
– Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities
– Reviewed coding best practices to completely eliminate said vulnerabilities.
Vulnerability Scanning a Mobile App
Who?
– High technology company with a mobile application that accessed sensitive customer data
Need?
– Vulnerability scan a mobile app that cannot be traditionally traversed with a spider.
Solution?
– Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line with the mobile app, which allowed technicians to replay various attacks, and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
Fitting Strategy to Your Need
1. Hire
2. Prioritize
3. Specialize
4. Automate
5. Train
6. Borrow
7. Rent
8. Quality/Quantity
Cenzic Can Help
Train your people
Give them better gear
Have someone else carry the baton
www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)
Questions?
[email protected] or 1.866-4-Cenzic
Blog: https://blog.cenzic.com