Techniques to Coordinate Security with What DevOps Already Prefer

Two years ago, at Black Hat, I produced a silly video asking attendees if security and developers should be in couples counseling. Everyone agreed, yes they should be, but the response from the predominantly security audience was “they should just listen to me.”

If you’ve ever been in couples counseling, you know that technique doesn’t work, no matter how right you think you are.

Developers and IT have already started a great party called DevOps and security has some serious FOMO. The InfoSec team is trying to get involved by placing themselves at the front (shifting left) or inserting themselves (DevSecOps) into the process.

It’s a rather self-interested goal.

“A security team needs to be viewed as a partner that helps move the organization forward vs keeping things stationary,” said Norman Hunt (@normanhunt3), deputy CISO, GEICO.

“Security cannot ask people to reinvent their workflows,” advised Mitch Parker (@mitchparkerciso), CISO, Indiana University Health.

Instead, “work within their existing processes,” said John Prokap, former CISO, HarperCollins.

What would that be? I asked security professionals, “What is it that security is already doing or could do that would be embraced by DevOps?”

Here’s their advice.

1: From the bottom up and the top down

“Tackle from both directions,” said John Karabin, national director cybersecurity, NTT, who recommends both beginner-level security education for developers and supportive direction from management. “Leaders at every level have to insist on it culturally and procedurally.”

2: Stop trying to control DevOps (you’re an imposition)

“Often the security team feels that they still need to control, oversee, and even intervene directly in the testing cycle,” said John Meakin, CISO, Equiniti.

“Listen and learn instead of demand and annoy,” advised Steve Zalewski, deputy CISO, Levi Strauss. “Security is about alignment, influence, and patience to get what you want. Learn the business of DevOps and become the trusted ally over time.”

“Your target is to support DevOps engineers in deploying secure applications and infrastructure without inserting an approval bottleneck that slows down releases,” said Keith McCartney (@kmflgator), CISO, Zenefits, who suggested that any checks you run (e.g., linters and CI checks) should give DevOps engineers clear and actionable feedback.


by @ CISOSeries

Cybersecurity to Have 3.5 Million Unfilled Jobs Globally By 2021

The New York Times reports that a stunning statistic is reverberating in cybersecurity: Cybersecurity Ventures’ prediction that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.

The cyber employment figure has been corroborated by hundreds of media outlets, including the world’s largest, as well as industry associations, universities, governments, vendors, recruitment firms, and security experts, since our original report was published in May 2017.

Soon after our employment data was released, the World Economic Forum (WEF) republished an article with permission from Knowledge@Wharton, the online research and business analysis journal of the Wharton School of the University of Pennsylvania, which shared our report, and observed “nowhere is the workforce-skills gap more pronounced than in cybersecurity.”

Earlier this year, the Harvard Business Review shared our report, and summed up the plight: “The majority of chief information security officers around the world are worried about the cybersecurity skills gap, with 58 percent of CISOs believing the problem of not having an expert cyber staff will worsen.”

Cybersecurity Ventures arrived at our original estimation of unfilled positions after reviewing and synthesizing dozens of employment figures from the media, analysts, job boards, vendors, governments, and organizations globally. In 2019, we’ve conducted similar research, and we stand firmly behind the two-and-a-half-year-old prediction.


– Steve Morgan, Editor-in-Chief @ Cybercrime Magazine

SECURING YOUR DATA: Tips from a Hacker

Recently, I had the opportunity to attend KB4CON here in Orlando. During the event, we had a special opportunity to hear from world-famous hacker Kevin Mitnick. Kevin is a computer security consultant who became a world-famous hacker after a high-profile arrest in 1995 for various computer- and communications-related crimes. He currently runs the security firm Mitnick Security Consulting and is Chief Hacking Officer of KnowBe4, a security awareness training company.

We live in a world that is driven by technology and our devices. Unfortunately, it’s not always hackers that cause the most damage or compromise the security of our data. It’s typically the unknowing employee or family member. I would consider myself quite proficient when technology is involved, yet even I was amazed at what I learned. Not to mention, we all get lazy from time to time. Hopefully these tips will help you secure your data.


Get a Master Password Keeper

Suggestions: LastPass, Dashlane, Keeper

Password keepers like those mentioned above can really help secure your data and leave you with only one master password to remember.

Remove Passwords

Don’t keep them saved in your preferred browsers.

Kevin stated at KB4CON that should a hacker gain access to your computer, the first place they will typically go will be your saved passwords in your browser. Now they have everything! That won’t secure your data.

Don’t Share or Borrow

Keep your charging cords to yourself and do not borrow them from people.

I know, I know, this is a basic we all learned growing up. However, I learned that borrowing a simple charging cord from a stranger could give them access to your entire computer or phone. Not all are hackers, folks. Secure your data.


Free Isn’t Always Good

Hello free USB storage thumb drives!!! I’m looking at you.

We all love them, but put it back. Put it back right now! Do you know what’s on a freebie USB sent in the mail or handed out at a conference? Me neither, but that’s the point. It could be nothing or it could be something terrible. You think, “let’s take a chance anyway.” Next thing you know, you are calling your trusty IT friend. We all know how awkward that call is when you have to explain how your irresistible free deal just cost you time, money and headaches. RESIST FREE on this one and save yourself the agony of damage control and having to re-secure your data.

Be a Guardian of the Door: Security Badges

Call I.T. Immediately. You just compromised your place of work.

Did you lose your security badge? Did you let someone borrow your badge? What we think is harmless can be harmful and waste I.T. department time re-programming badges to regain a secure work environment. The badges are also a way to track who is in the building. If you loan out your card or lose it, you could be placing yourself in a position of being accused of something you didn’t do. Not to mention, if you save your company money on replacing security badges, it leaves room for things like employee perks.

I hope you enjoyed these tips, and I look forward to hearing your feedback and experiences. We posted an infographic on all of our social media pages, so make sure you check it out. Feel free to print it and keep it posted around your office. Until next time, keep your information safe!


Joy Fullerton has always forged her own path. She has a degree in Psychology and worked as a traveling Certified Respiratory Therapist for 9 years. Eventually, she settled in Orlando, and has spent the last 12 years involved in all facets of the staffing industry. She currently resides in Orlando with her husband Seth and their family of rescue animals, currently 2 dogs and 4 cats. She is the Director of Operations for Indigo Alliance and its partners.