STE WILLIAMS

FTC renews call for single federal privacy law

The US Federal Trade Commission (FTC) is yet again beating the drum for the long-discussed, much-debated, when-in-the-world-will-this-happen national data privacy law, the lack of which keeps the country from parity with the EU and its General Data Protection Regulation (GDPR)…

…or, for that matter, with the state of California and its California Consumer Privacy Act (CCPA).

FTC commissioners testified before the House Energy and Commerce subcommittee on Wednesday. As the New York Times reports, they addressed how a national privacy law could regulate how big tech companies like Facebook and Google collect and handle user data.

Besides consumer protection, the FTC is looking for more power. Commissioners asked Congress to strengthen the agency’s ability to police violations, asking for more resources and greater authority to impose penalties.

At this point, as lawmakers squabble over the details of various approaches to a national law, the US lags behind European and other nations that have acted to rein in the growing might of big tech.

In February, both the House and Senate held hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations.

A new, single federal law

Lawmakers tend to agree that we need a new, single federal privacy law. At this point, we’ve got a hodgepodge of state laws and a slew of proposed federal laws. Lawmakers are now considering one such: the Data Care Act.

Other bills: In September, Suzan DelBene introduced a privacy bill that would require information transparency and personal data control. In November, Senator Ron Wyden proposed a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy. Senator Marco Rubio announced yet another bill in January, titled the American Data Dissemination Act.

In previous hearings, the squabbling has been over concerns such as existing privacy laws – the GDPR and CCPA – being cost-prohibitive for small businesses and startups, and that California shouldn’t get to dictate the nation’s approach to privacy.

Suitable punishments

This time around, concerns rose about the implications of making punishments fit the crime. As it is, the FTC is in settlement talks with Facebook following its 13-month investigation into privacy violations – a case that was opened following the Cambridge Analytica privacy debacle.

People familiar with those settlement talks told the Times that Facebook is expected to create several positions dedicated to privacy compliance and oversight. They also told the Times that the severity of punishments is a divisive topic, and one that’s split along party lines: three of the FTC commissioners are Republicans, and two are Democrats.

During Wednesday’s hearing, the two Democrats called for punishments that send a clear, strong message to tech companies about the necessity to change behavior after they’re found guilty of privacy rule violations. In other words, punishment a la Senator Wyden’s “throw-the-execs-in-jail” proposal.

The Times quoted Rohit Chopra, one of the Democratic commissioners:

For some firms fines are a parking ticket and the cost of doing business and cannot change behavior unless penalties are painful and finding out who at the top called the shots. [Strong enforcement should include] looking at the role of individuals who made the decision that it was worth violating the law in order to profit.

Should Zuck be held accountable?

Execs, as in, the top execs. The Times’ sources said that at one point, FTC officials mulled naming Facebook CEO Mark Zuckerberg as a responsible party, which would make him liable to financial and other penalties if Facebook got in more trouble over privacy in the future.

Holding Zuck personally culpable for privacy fumbling, however appealing that might sound to some, isn’t expected to happen – at least, not at this stage of the privacy game.

Given how long it’s taking the country to do anything at all, he probably shouldn’t have to hold his breath to find out how likely it is he’ll wind up behind bars. Give it another few decades, and maybe then he’ll face the now-remote possibility that somebody will ask him for his shoelaces.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/aIz1CTNNGl4/

275m personal records swiped from exposed MongoDB database

Another day, another massive MongoDB exposure. This time, a security researcher has discovered a public-facing database with over 275 million records containing personal information on citizens in India.

The researcher is Bob Diachenko, who spends a lot of time poring over Shodan search results. Shodan is a search engine, but unlike Google or Bing it indexes devices and software applications connected to the internet and viewable by the public. Shodan regularly surfaces everything from unsecured webcams to exposed databases.

Shodan first indexed the MongoDB instance on 23 April 2019. Its records included not only the individuals’ name, gender, and email address but also their employment history, current employer, current salary, and mobile phone number.

In his blog post on the topic, Diachenko explains that there were no clues in the database about who owned it. His best guess is that the database was the product of a data scraping operation.

Putting people at risk

This is one of the most frustrating things about public database exposures: Someone who doesn’t know what they’re doing can put millions of people in danger, and there’s no way to get hold of them so they can rectify the problem.

We’ve seen this before. Late last month, researchers stumbled on a database with information about 80 million US households, owner unknown.

Diachenko found another last September, again without an owner, exposing email addresses and physical addresses in a 43.5 GB data set. He has a long track record of exposed database discoveries.

Who is to blame for these exposed databases?

MongoDB has offered the ability to limit remote access since its early days. Version 2.6, released in April 2014, turned it on by default in certain distributions, while version 3.6 turned it on across all available versions of the product.

Whoever put this thing online was using an old version they hadn’t reconfigured, or a newer version with the protection disabled. They might do that for convenience, ignorant or uncaring about the security implications.

Naked Security asked MongoDB why it couldn’t just force developers to turn on authentication whenever they deliberately removed the remote access protections on the database. A spokesperson told us:

We respect that our innovative users ask for freedom to set their own course and we do what we can to keep that possible, while at the same time answering to the standards of care expected in safety-conscious measured operations. That balance has meant offering both a frictionless experience for developers and a thorough configuration guide to complex controls like authentication. We believe setting localhost by default puts users in a mode where they have to make a conscious decision about their own appropriate path to network safety.

At some point, Diachenko notified the Indian CERT team, but the database remained public until Wednesday 8 May, when someone hacked it and erased all its content. They left a message with the email address [email protected], suggesting that the database owner could contact them to restore the data.

That’s the other thing about unprotected MongoDB instances: they’re hackable. Someone that finds them can access the database, delete it, and then hold the owner to ransom.

If you’re using a MongoDB server, take care when using anything other than the default configuration, with networking turned off, and make sure to follow its security checklist.
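As an added illustration (not taken from the article or from MongoDB's own documentation), a mongod.conf fragment showing the two settings the article's advice comes down to, with the exposed variant noted in the comments:

```yaml
# mongod.conf fragment: added example, not from the article or MongoDB's docs.
# The exposed instance above was reachable from the internet with no credentials;
# these two settings are what close that gap.
net:
  port: 27017
  bindIp: 127.0.0.1        # localhost-only, the 3.6+ default; an exposed server
                           # has 0.0.0.0 here (or bindIpAll: true) instead
security:
  authorization: enabled   # off unless set explicitly; turn this on before
                           # widening bindIp beyond the loopback interface
```

If remote clients are genuinely needed, bind to the specific interface they reach rather than 0.0.0.0 and add TLS; the security checklist the article links to covers the remaining items (users and roles, encryption, auditing).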

Naked Security’s Paul Ducklin on the responsibilities of data handlers:

If you collect data from other people, especially for your own commercial benefit, you owe it to them to look after it properly. If it so much as crosses your mind to slap it into an online database ‘just using the default settings’, whatever they might be, then you’re nobody’s true data friend. So don’t even think of taking shortcuts like that!

As for the rest of us, there’s no way of knowing whether someone has our data in a publicly facing server somewhere.

Turn on multi factor authentication in the services you use where possible. Use strong passwords and a reliable password manager, and don’t reuse your passwords. Keep an eye on your bank accounts. Check your credit, or even better still, set up a credit freeze. There’s no guarantee you won’t still get pwned, but personal risk lies on a continuum and multi-layered defences will help reduce it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ojFwsWi7bv8/

Double-sided printing data ballsup leaves insurance giant Chubb with egg on its face

Insurer Chubb scored a privacy own goal recently when a double-sided printing error on bulk mailers sent to customers about a policy document change contained a stranger’s personal details on one side of the sheet.

The single A4 page included names, addresses and policy document numbers in addition to the policy update and was dispatched in the last week of April, according to sources.

“Unfortunately,” said one Reg reader who asked to remain anonymous, “they printed the mail shot double-sided – so one person’s letter was on one side, and somebody else’s was on the other.”

This means that one Chubb customer received the document intended for them and on the flip side of the page the details of someone else, which could mean that second person didn’t receive any details.

Chubb noticed the error of its ways and wrote to customers from the end of last month into May.

“We regret any inconvenience or misunderstanding this message may have caused you,” the apology letter stated, before continuing on a theme oft heard in recent years. “Chubb takes the protection of your personal data very seriously and is committed to protecting the privacy and security of all data entrusted to it by customers, employees and others.”

The firm holds the security of this information in such high regard that it urged customers to simply “discard this previous letter and refer to this version only, which details important information below about core for insured persons”.

Chubb added: “We have corrected the error and have taken steps so this does not happen again in the future… please accept our apologies for this oversight.”

An ICO spokeswoman told The Reg: “We have received a report from Chubb European Group SE and we will assess the information provided.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/10/chubb_doublesided_printing_data_breach/

Who pwns the watchmen? Maybe Russians selling the source code for three US antivirus vendors

A Russian hacking outfit says it has stolen confidential data from a trio of US antivirus companies.

Security firm Advanced Intelligence (AdvIntel) has “high confidence” in the legitimacy of a posting from hacking group calling itself Fxmsp, which is advertising data and source code from the three unnamed AV companies. AdvIntel said it has already alerted law enforcement.

“Fxmsp is a high-profile Russian and English-speaking hacking collective,” AdvIntel said of the group. “They specialize in breaching highly secure protected networks to access private corporate and government information.”

AdvIntel says that late last month the group began advertising in various darknet forums that it had obtained network access and source code for the three companies and was selling its purloined loot for the sum of $300,000.

In addition to source code and network access, the group says the 30TB data cache includes documentation about development plans and AI technology as well as information about web security and antivirus products.

Further legitimizing the claim, says AdvIntel, is the fact that the hacking group has been dark for the last several months, indicating the crew was working on something big.


“The actor claimed that antivirus breach research has been their main project over the last six months, which directly correlates with the six-month period during which they were silent on the underground forums where they normally post,” the company explains.

“This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019.”

While the methods of this intrusion are not yet known, AdvIntel notes that, in the past, Fxmsp (who is either a million-dollar “hacking collective” or a guy from Moscow named Andrey, depending on who you ask) has used RDP and Active Directory to get into corporate networks. From there, the hackers harvest and export the data for sale on underground forums.

For companies worried about falling victim to the hacks, the security firm recommends locking down all external-facing RDP and Active Directory machines and keeping source code air-gapped from the main corporate network. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/10/hackers_take_cybersecurity_firms/

Just in time for the Wiki-end: Chelsea Manning released from prison

Chelsea Manning has been released from prison after 62 days for refusing to testify to an American grand jury investigating WikiLeaks.

The former US Army intelligence analyst was released because the grand jury’s term had ended. But her lawyer said in a statement that she might be heading back to jail as soon as next week because she has been served with a second subpoena from another grand jury.

The statement said: “Unfortunately, even prior to her release, Chelsea was served with another subpoena. This means she is expected to appear before a different grand jury, on Thursday, May 16, 2019…

“It is therefore conceivable that she will once again be held in contempt of court, and be returned to the custody of the Alexandria Detention Center, possibly as soon as next Thursday, May 16.

“Chelsea will continue to refuse to answer questions, and will use every available legal defense to prove to District Judge (Anthony) Trenga that she has just cause for her refusal to give testimony.”

Manning is represented by Moira Meltzer-Cohen, appellate attorney Vincent Ward, and local counsel Chris Leibig and Sandra Freeman.

Manning has stated in the past that she objects to the secrecy of the grand jury process and does not have “anything to contribute to this, or any other grand jury”.

She received a record 35-year sentence for sending information to WikiLeaks in 2010. She served seven years before her sentence was commuted by then US President Barack Obama in 2017.

She celebrated her release with pizza and champagne.

A personal statement is “forthcoming”, according to Twitter, presumably once the pizza is finished. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/10/chelsea_manning_released_from_prison/

Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group

Rana targets airline companies and others in well-planned, well-researched attacks, Israel’s ClearSky says.

Newly leaked documents purportedly about a hitherto unknown Iranian cyber espionage group called Rana show in some detail the considerable planning and attention that goes into modern advanced persistent threat (APT) operations.

For enterprise organizations, the documents — if authentic — provide a rare glimpse of the methodical manner in which APT groups go after targets, gather information, find weak spots, and devise strategies for exploiting them.

“For cyber defenders around the world, it is important to understand how the attackers are working,” says Boaz Dolev, CEO at ClearSky Cyber Security, an Israel-based cybersecurity firm that claims to have inspected the documents and found them to be authentic. “Looking at what they are doing tells us a lot of what needs to be done to protect against them,” Dolev adds.

Dozens of documents supposedly pertaining to Iran’s Rana operation were publicly leaked May 5 via a user group on the Telegram app called Black Box. The Rana documents were the third set of documents on Iran’s cyber espionage operations to have been leaked in recent weeks by an unknown actor whose motives remain unclear.

Last month, details on attack tools attributed to Iran’s OilRig APT group were publicly released via another Telegram group called Lab Dookhtegan. A few days later, details on attack tools associated with Iranian attacker MuddyWater were released, this time through Telegram channel Green Leakers.

Robert Falcone, senior principal researcher for Unit 42 at Palo Alto Networks, says the company has not so far been able to validate the authenticity of the leaked documents. But some of the tools released in the first data dump appeared to be consistent with previous observations and research on the OilRig group. Another leaked tool appeared to be part of DNSpionage, a cyber espionage campaign that targets organizations in the Middle East, Falcone says.

According to ClearSky, the documents on Rana appear to be from a hacking and penetration testing team within Iran’s Ministry of Intelligence and shed light on the group’s targeting, its victims, cyberattack strategies, and its members.

Rana’s hacking and cyber espionage activities appear to be part of a much broader set of objectives, ranging from the propagation of Islamic culture and ideas to gathering strategic intelligence, developing technological capabilities, and keeping an eye on dissidents in the country, according to ClearSky.

The leaked information shows the group (and, likely, other Iranian APTs) is heavily focused on airline companies, government agencies, and communications and phone companies. Rana and likely other operatives in the past few years have targeted and seemingly compromised multiple airlines and other companies. Among the airlines the groups have targeted are Ethiopian Airlines, Malaysian Airlines, AirAsia, Philippine Airlines, and Thai Airways.

One of the leaked files is a report describing Rana’s activities between March 2016 and August 2016. The document has references to attacks on and analysis of databases at Qatar Airways, Israeli airline Israir, Turkish police, and an insurance company in Saudi Arabia. The document suggests that attackers gained access to their targeted systems on multiple occasions. A reference to an attack on an Israeli hotel website, for instance, suggested the attackers had gained full access to the website’s database and to data such as names, passwords, and credit card data belonging to some 86,000 users.

Careful Planning
Another document describes the group’s preparation before launching an attack. This included meeting with employees at Tehran’s international airport to learn about the airport’s systems and gather information on flight and check-in systems as well as security procedures. The team also conducted research on Oracle, SQL Server, and other databases and learned how to quickly enter databases with SQL Loader and Bulk Insert, according to ClearSky.

A report on Rana’s activities between March and August 2017 describes an attack against an email service provider in Kuwait involving the use of two separate teams — a hacking squad and a social engineering team. The attack was apparently designed to gain access to the Kuwait Ministry of Foreign Affairs. The hacking team’s activities included penetration tests against Foreign Ministry systems and mapping of all IP addresses, domains, websites, and applications that the ministry used, according to ClearSky.

The objective was to find out what systems were open and accessible from the Internet. That information was later relayed to the social engineering team, which then targeted specific people related to the foreign ministry while concurrently setting up a server and website for the operation.

Other documents show that in preparing for attacks on Ethiopian Airlines and Malaysia Airlines, Iranian attackers gathered information on the operational technologies used by airlines and airports and identified database admins and admins of various Internet-exposed systems.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/data-dump-purportedly-reveals-details-on-previously-unknown-iranian-threat-group/d/d-id/1334678?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Air Force intel bod Daniel Hale charged with ‘leaking top secret drone documents’ to journo

A former US Air Force intelligence analyst who fed documents to the press detailing the American military’s classified drone programs has been indicted on five criminal charges.

Daniel Hale, 31, is believed to have been the source of top-secret documents that led to reports from The Intercept in 2015 and 2016 detailing the Air Force’s use of unmanned drones in combat operations.

A grand jury indicted Hale on one charge each of obtaining national defense information, retention and transmission of national defense information, causing the communication of national defense information, disclosure of classified communications intelligence information, and theft of government property. He faces up to 10 years in prison for each charge if convicted.

According to the indictment (PDF), Hale met an unnamed reporter – widely assumed to be Intercept editor Jeremy Scahill – in 2013 and 2014, and handed over printouts of documents classified as secret and top secret.

Hale is said to have obtained the documents while in the Air Force, from 2009 to 2013, and later when he was working as a defense contractor.


Authorities would find one of the documents, which Hale had unsuccessfully attempted to delete, on a thumb drive, along with conversations on Hale’s phone with a journalist, it was claimed. Those were hardly the only indicators that Hale had leaked documents – he also appeared under his first name discussing the leaks in a 2016 documentary, apparently.

The DOJ did not say why it is only now pursuing charges.

Hale is the third Intercept source to be tracked down and charged by the US government for seemingly leaking confidential information. The outlet was also involved with convicted secret-spillers Reality Winner and Terry Albury, both of whom received prison time for their actions.

While the Intercept declined to name Hale or detail any involvement in the leak, the publication did issue a general statement on the case.

“These documents detailed a secret, unaccountable process for targeting and killing people around the world, including US citizens, through drone strikes. They are of vital public importance, and activity related to their disclosure is protected by the First Amendment,” said editor-in-chief Betsy Reed.

“The alleged whistleblower faces up to 50 years in prison. No one has ever been held accountable for killing civilians in drone strikes.”

The Intercept has indeed extensively covered the US government’s deadly drone programs, including the Obama administration’s policies on bombing terrorists with drones strikes that also killed innocent bystanders. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/09/air_force_drone_leak_charge/

Uncle Sam accuses Chinese pair of romping through Anthem’s servers for almost a year

US prosecutors today formally accused two people of being part of a Chinese hacking crew responsible for one of the biggest cyber-heists in American history.

Fujie “Dennis” Wang and another John Doe defendant face charges of conspiracy to commit fraud and related activity in relation to computers and identity theft, conspiracy to commit wire fraud, and intentional damage to a protected computer.

The pair were said to be members of a Chinese crew that targeted four US businesses, including health insurance giant Anthem, in hopes of harvesting business and personal information from databases. They would eventually make off with the personal information of more than 70 million people from the insurance biz, it was alleged.

According to an indictment (PDF) filed this week, Wang and the other hackers used spear-phishing operations to gain access to PCs on the target networks. From there, they worked their way to servers containing patient databases, it was claimed.

The pilfered records, which included social security numbers, contact details, and employee documents, were then encrypted and sent to an external server via Citrix ShareFile before the hackers wiped the Anthem machines to cover their tracks, we’re told. The indictment was filed in the Southern District Court of Indiana, where Anthem is based.

Wang is said to have set up the servers, hosted in California and Arizona, used for the attack. According to the indictment, the team first penetrated Anthem on February 18, 2014, and continued for almost a year until January 25, 2015.

The network intrusion would end up costing Anthem $115m in 2017 in a class-action lawsuit, the largest ever data loss settlement at the time.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said assistant Attorney General Brian Benczkowski.

“These defendants allegedly attacked US businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII [personally identifiable information].”

In addition to Anthem, the Chinese crew was accused of carrying out similar heists against three other unnamed US companies. Those three businesses operated in the technology, basic materials, and communications sectors, respectively.

Indicting Wang and the other members of the group will be the easy part for US authorities. In order to bring the defendants before a judge, investigators will need to identify the crew (aside from Wang), make arrests, and extradite them from China to the US.

Considering the current state of relations between the two countries, the alleged hackers will hardly be losing sleep over their chances of detention and trial. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/09/anthem_hack_indictments_china/

New Initiative Aims to Fast-Track Women into Cybersecurity Careers

‘100 Women in 100 Days’ is a career development program made possible by a $160,000 gift from Craig Newmark Philanthropies.

A new professional development initiative will give 100 women the opportunity to revamp their careers and prepare for new roles in cybersecurity in only 100 days. “100 Women in 100 Days” is the result of a $160,000 philanthropic investment by Craig Newmark Philanthropies.

Cyber-risk management firm Inteligenca will manage the program and provide free security training to students. CEO Carmen Marsh shared her idea for the program on LinkedIn last October. So far, nearly 200 women have registered and await their turn to participate.

Allegiant Giving, an organization that aims to support students, athletes, and veterans in local community programs, helped Marsh confirm trainers, mentors, facilities, and potential employers. On the program’s website, registrants can choose to pursue a certification: CompTIA A+, CompTIA Network+, CompTIA Security+, and Certified Ethical Hacker (CEH). Intel, IBM, Sutter Health, Centene, and other organizations have signed on to accept students into internships and apprenticeships.

The inaugural class will kick off in Sacramento, Calif., this summer, and Marsh plans to expand the program nationally in 2020 and beyond. Craig Newmark, founder of Craigslist and Craig Newmark Philanthropies, supports the plan to take the program across the county. Newmark works with several groups to create opportunities in security; last year, he gave $1 million to VetsinTech to support bringing veterans into the industry.

Read more details here.


Article source: https://www.darkreading.com/careers-and-people/new-initiative-aims-to-fast-track-women-into-cybersecurity-careers/d/d-id/1334666?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How the Skills Gap Strains – and Constrains

New ISSA/ESG survey underscores increasing pressures and security fallout of a strapped security team.

Most cybersecurity professionals are struggling with heavier workloads and insufficient time to properly master and deploy all of their security tools’ features, as well as hone their own skills, according to a new report.

The third annual Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) International report on the state of cybersecurity professionals worldwide says nearly three-quarters of organizations are dealing with the fallout of the industry’s skills gap. In the past two years, nearly half of the organizations surveyed suffered at least one damaging security incident in which a critical system was compromised, according to the report.

More than 65% of security pros say their current job demands typically impede their ability to develop and advance their skills, and 47% say they can’t fully learn and use some security technologies to their “full potential.”

“Cybersecurity professionals don’t have the luxury of time to improve their skills and manage their careers,” says Jon Oltsik, senior principal analyst and fellow at ESG and author of the report. That’s a dangerous trend given the increasing demands of more IT devices, applications, and cloud migration without advancing security with these IT moves, he notes.

Overall, cybersecurity pros are fatalistic about their ability to protect their organizations from attackers: A full 91% say most organizations are vulnerable to a major cyberattack, and 94% say cybercriminals and nation-state hackers have the edge over defenders.

“Cybersecurity professionals feel their organizations are at a significant disadvantage if they don’t have the ability to acquire new skills,” says Candy Alexander, president of ISSA International and an executive cybersecurity consultant.

The report, which drew from a survey by ESG of 267 security and IT pros from ISSA and other groups worldwide, highlights the disconnect between the increasing demands on security pros and the lack of sufficient training and support they need to stay on top of threats.

Some 63% say their organization fails to properly train security staff, which is lacking most glaringly in cloud security, application security, and security analysis and investigation talent.

Filling vacancies and expanding teams takes time. According to a recent ISACA report, finding and hiring qualified cybersecurity pros takes longer than ever now: Thirty-two percent of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.

Stressed Out
Some of the biggest stressors for security pros lie in-house: keeping abreast of new IT projects (40%), learning about new IT projects launched without input or help from the security team (39%), getting end users to embrace best security practices (38%), and getting the business side to better comprehend the risks of cyberthreats (37%).

According to Alexander, those and other organizational stresses are driving some CISOs out the door and to gigs as so-called virtual CISOs, where they operate as a contractor CISO for an organization. It’s sort of a next-generation consultant role for C-level security executives. Some 10% of organizations in the survey employ a virtual CISO, while nearly 30% of CISOs in the survey work on this contractor basis, 21% are thinking about doing so, and 33% say they would weigh that option in the future.

That jibes with Alexander’s own career path from a traditional CISO to virtual CISO, she says. “It’s been a natural progression. Part of that driver is the frustration and stress of being an FTE [full-time employee] CISO,” she says. “By going into this virtual space, I am now able to go and do the work without having to prove the value [of the work]. Organizations who hire virtual CISOs know what they need, and you’re not fighting organizational challenges that could include fighting for budget.”

Meanwhile, cybersecurity professionals remain in high demand in what is still a seller’s market. Some 77% of cybersecurity pros are contacted by recruiters at least once a month, and 44% at least once a week. “If you want to develop your career, cybersecurity will have no shortages of offers,” Oltsik notes.

Tipping Point
Among the suggestions security pros have for their organizations is to add cybersecurity goals and metrics for IT and business managers, increase training for the security team as well as nontechnical staff, and provide higher security budgets, according to the report.

“We’re at a tipping point in cybersecurity: It’s more strategic to the business now, and things that were done in the past aren’t really working. If you realize that’s the case, then you have to start with strategic changes so the CISO can come in and … help put [together] the right security program and strategy,” Oltsik says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/cloud/how-the-skills-gap-strains---and-constrains---security-pros/d/d-id/1334662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple