The information security space is quite a disaster.
We have data breaches being disclosed constantly, and half of the time these breaches could have been easily avoided.
Then, we hear statistics about the talent shortage.
They say that we’re over a million professionals short, yet when you ask anyone trying to get into the industry, looking for security jobs is hopeless.
Recruiters want professionals with 10 years of experience in technology that was only developed 2 years ago.
These are all problems that Greg Van Der Gaast seeks to shed light on in his new book Rethinking Infosec.
In this, the first book of the InfoSec Leadership series, we explore what is going wrong with our general approach to Information security.
Why is it that, despite huge amounts of effort and spending, we are unable to stop the increasing occurrence of breaches?
And why are those breaches so often caused by the simplest and most preventable of issues?
Are we approaching the problem correctly?
Is there a simpler way? A cheaper way? A more rewarding way? I think there is.
Check out our video interview.
Greg Van Der Gaast is unique among cybersecurity professionals.
He got his start in information security several decades ago when the industry was nowhere near as mature as it is today (if you can actually call cybersecurity programs these days mature).
A lot of his experience came from his own hacking.
For example, he often put systems online and challenged other hackers to break into them.
That is to say, he has a deep technical background, but he does not believe in abiding by the status quo.
If you watch any of his talks, or read any of his articles, you will immediately notice this.
As a result, Greg’s opinions seem to ruffle other cybersecurity professionals.
In my opinion, Greg makes valid points.
As security professionals, we must keep open minds.
Rethinking InfoSec – 3 Main Ideas
Being that Rethinking InfoSec is 57 chapters long, there’s no way that we can discuss all of the valuable ideas from the book here.
Plus, it really wouldn’t be fair to the author if I “spilled the beans.”
So, I have chosen three of the main ideas from Rethinking InfoSec that resonated with me.
You need to solve problems upstream
Many of the issues that security teams have to deal with are the result of issues further up the “IT stream.”
Think about it for a minute.
How many security incidents could be eliminated by having solid IT processes in place?
For example, that incident where an attacker used an exploit against a vulnerable service on the web server – wasn’t there a patch out for that?
Or the employee who fell for a phishing email and gave their credentials to an attacker – what about Multi-Factor Authentication?
In fact, recent research showed that nearly one-third of breaches were caused by missing patches.
You see, when your organization does have a security incident, you should trace it all the way back to the root cause so you can eliminate the issue.
Sure, it’s more effort, but if you do this a few times, you will soon find yourself with fewer incidents.
Rethinking InfoSec does a great job explaining this concept.
Organizations can do more with less
Statistics show that businesses’ cybersecurity spending is rising rapidly.
It’s quickly consuming more and more of IT spend.
There are huge problems with this.
First of all, think about this from a board’s perspective – why is a department that makes literally $0 for the company consuming so much money?
It’s a valid question.
To answer this question, first think about the reason we even have information security operations – to enable the business, right?
If the company couldn’t send emails, for example, because they didn’t have a way to secure them, how could the business function?
At its core, the job of infosec is to enable the company to function.
So, why are we spending so much on it?
To finish this idea, we have to go back to our previous Rethinking InfoSec idea – solve problems upstream.
If we solve problems upstream, we have fewer incidents to deal with.
And if we have fewer incidents, we need fewer analysts.
And if we need fewer analysts, we consume less of the IT budget.
You get the point, right?
There is no skills shortage
This is possibly one of Greg Van Der Gaast’s most controversial points.
His LinkedIn articles on the topic bring a mix of comments – some supporting the idea and others rejecting it.
But the ominous security shortage that everyone is talking about may not actually exist.
If you spend any amount of time looking at cybersecurity job listings, there’s something that you immediately notice.
The experience and skills required on them are quite unrealistic.
There’s usually a long list of certifications desired.
Additionally, they typically want someone with 10 or more years of experience in very specialized tools and solutions.
It’s like the industry is pigeon-holing everyone.
Is there no such thing as someone well-versed in multiple security skills?
Or can you not hire someone with a solid foundation and train them on the tools that your organization uses?
Overall, the security industry isn’t using the full capabilities of its human resources.
These are all things that Rethinking InfoSec reviews.
So, should you read Rethinking InfoSec?
Are you an IT manager or director who must handle the security for your organization?
Are you a cybersecurity professional already working in the industry?
Are you a student or aspiring security professional?
If you are any of these, you should grab a copy of Rethinking InfoSec.
The thought-provoking approach that Greg Van Der Gaast takes to tackling some of the fundamental issues we are facing today makes it a must read.
Here’s a word of warning:
You shouldn’t expect a step-by-step approach to solving cybersecurity problems.
Instead, you should expect guidance on mindset shifts that must take place.
It’s pretty obvious that as a whole the security industry is failing miserably.
There are a lot of “fundamental” security concepts challenged in the book.
Read it with an open mind.
Forget what you’ve been taught or learned on certifications.
If we can’t accept some criticism and look deeply at how we as individuals can improve, how will we bring change to the security industry?
So, if you grab a copy of Rethinking InfoSec, temporarily ignore conventional security thought and look at things in a new light.
I’m sure you’ll take away some keys to becoming a much better cybersecurity professional.