Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Identity and access management infrastructure is misaligned with security

    Several CISOs I’ve spoken to over the past few years agree that identity is a new security perimeter. The thought here is that a combination of mobile device and cloud use renders existing network perimeters obsolete, so security policy enforcement decisions must be driven by identity attributes (i.e., user identity, role, device identity, location, etc.) rather than IP packet attributes. We see this transition coming to fruition with the concept of a software-defined perimeter (SDP) and technologies such as Google BeyondCorp and Vidder PrecisionAccess.
    Yup, this makes sense. Armed with identity attributes, organizations can make intelligent network access decisions on who gets access to which IT assets regardless of their location. Unfortunately, there is a big problem here. The identity and access management (IAM) infrastructure was built organically over the last 10-15 years, so it depends upon a morass of disconnected and fragile elements. This situation greatly impacts security.
  • Cloud security: A mismatch for existing security processes and technology

    To use a long-forgotten metaphor, cloud deployment is moving forward at internet speed at many enterprise organizations. According to ESG research, 57 percent of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months (note: I am an ESG employee). Now, no one would argue the fact that cloud computing represents a different compute model, but it is really based upon the use of server virtualization for the most part. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads.
  • Next-generation endpoint security market bifurcation

    Just what the heck is next-generation endpoint security? Cybersecurity professionals remain pretty confused around the answer to this question. To help, ESG conducted a research project on the subject that was coordinated by my colleagues Doug Cahill and Kyle Prigmore and me (note: I am an ESG employee). For the purposes of the research project, ESG defined next-generation endpoint security as: "Endpoint security software controls designed to prevent, detect and respond to previously unseen exploits and malware." As part of this project, ESG interviewed dozens of organizations that were either supplementing or replacing traditional antivirus software on PCs of all kinds. I’ve written a few blogs about why these organizations were moving beyond AV alone, how they selected new endpoint security products, and some details about their testing and deployment methodologies. Aside from this technology overview, however, I did come away with some strong theories about the next-generation endpoint security market in general.
  • High-demand cybersecurity skill sets

    Back to one of my pet issues, the global cybersecurity skills shortage. According to ESG research, 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 (note: I am an ESG employee). By comparison, 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015. That means we’ve seen an 18 percent year-over-year increase. So, there is a universal shortage of infused talent, but where are these deficiencies most acute? According to a survey of 299 IT and cybersecurity professionals:
    33% of organizations say they have a shortage of cloud security specialists. This makes sense, as it combines the shortage of cybersecurity skills with evolution of cloud computing. Other ESG research also indicates that large organizations are creating jobs for cloud security architects, so demand is especially high. Cybersecurity professionals should think about pursuing a cloud security certification from CSA or SANS as part of their career development plan. There are more jobs than people, and enterprise organizations are tripping over each other to hire talent as quickly as they can.
    28% of organizations say they have a shortage of network security specialists. To me, this really reinforces how bad the cybersecurity skills shortage is, since network security is the “motherhood and apple pie” core cybersecurity skills needed by all organizations. Still, there are numerous changes in networking (i.e. SDN/NFV, micro-segmentation, attribute-based access controls, etc.) that will require strong network security skills. Networking professionals may want to consider a career change to capitalize on this opportunity.
    27% of organizations say they have a shortage of security analysts. No surprise here. Security analyst skills (i.e. threat analysts, SOC personnel, incident responders, etc.) take years to develop, so organizations are constantly poaching talent from one another. Recently, I heard that big cloud and social networking services such as Amazon, Facebook and Google have been especially aggressive in their hiring efforts. Recognizing that they can’t compete, CISOs are recruiting at the entry level, investing in training and mentoring programs, and asking new hires to give them a few good years.
    26% of organizations say they have a shortage of data security specialists. This one may surprise some folks but not me. Data security tends to include major projects like discovery and classification, granular policy development, and esoteric skills like key management. Overall, data security is one of the most under-appreciated disciplines in the cybersecurity body of knowledge. There aren’t enough good technologies, and there aren’t enough skilled people. Data security may not be the sexiest cybersecurity skill set, but employers are paying top dollar and there aren’t many candidates in this area. Cybersecurity professionals who specialize in this area may have job security for life.

    Cybersecurity education tends to follow an extremely broad curriculum. Some institutions (like my alma mater, University of Massachusetts) don’t even break out cybersecurity on its own but rather treat it as a subset of computer science. Yes, we need cybersecurity generalists, but ultimately specialization matters. Employers need specific skills to fill gaps while cybersecurity professionals can accelerate their careers with training and skills development in high-demand areas.
  • Cybersecurity Plan for POTUS 45

    OK, the presidential primaries are winding down, and while I expect lots of name-calling, insults and general sophomoric behavior this summer and fall, it’s time for both parties to step up with a strong plan for cybersecurity. Cybersecurity? You’d really never know that it’s a national issue based on the proceedings so far. Gov. Jeb Bush put out a two-page overview, while Dr. Ben Carson’s team drafted a high-level proposal. Neither one of those documents really dug into existing policies, domestic challenges, or international issues. With the exception of John McAfee, no one has gotten into any detail on this topic.
  • The Rise of Threat Intelligence Gateways

    According to ESG research, enterprise organizations continue to invest in all types of threat intelligence (note: I am an ESG employee). For example, 60% of organizations have had a threat intelligence program in place for more than 2 years, 69% consume 6 or more open source or commercial threat intelligence feeds as part of cybersecurity analytics efforts, and 72% of enterprises plan on increasing spending on their threat intelligence programs over the next 12 to 18 months. Why is threat intelligence gaining momentum? Security professionals know that since they can’t block every conceivable cyber-attack, they need to collect, process, and analyze all types of internal and external security data to improve their incident detection and response capabilities. Many also want to use threat intelligence more proactively for threat prevention. In fact, 36% of enterprise cybersecurity professionals say that their organizations intend to use threat intelligence feeds to automate remediation actions over the next 24 months.
  • If I were the next CEO of Symantec – Redux

    I just read a Bloomberg article proclaiming that Symantec cut its quarterly revenue forecast and announcing that CEO Michael Brown will step down. Unfortunately for Symantec, the company has had a revolving door of chief executives: four different individuals since 2008, and now onward to a fifth. When Symantec went through a similar CEO transition in 2014, I posted a blog to suggest what I would do as its next CEO, but surprisingly my phone never rang. Nevertheless, I reviewed my two-year-old recommendations this morning and many of Symantec’s issues back then still need fixing. Given this, allow me to review and update my CEO action plan for Symantec:
  • Cybersecurity Salary Inflation – A Red Flag

    If you follow my blog at all, you know that I am quite passionate about the cybersecurity skills shortage and its ramifications. Just to put this issue in perspective, ESG research indicates that 46% of organizations claim they have a “problematic shortage” of cybersecurity skills in 2016 as compared to 28% in 2015 (note: I am an ESG employee). Yup, the ESG research seems to indicate that things are getting worse on an annual basis, and ESG isn’t alone in this belief. For example:
    According to Peninsula Press (a project of the Stanford University Journalism Program), more than 209,000 US-based cybersecurity jobs remained unfilled and postings are up 74% over the past 5 years.
    Analysis of the US Bureau of Labor Statistics indicates that the demand for cybersecurity professionals is expected to grow 53% by 2018.

    Adding to this trend, Computerworld research indicates that more than half of security managers expect their organizations to increase cybersecurity headcount this year, adding more pressure to the pot.
  • AV software: “I’m not quite dead yet”

    If you are a cybersecurity professional, you’ve probably read the quote, “AV is dead” hundreds or even thousands of times. The thought here is that antivirus software is no longer effective at blocking modern exploits and malware, thus its useful lifespan is effectively over. Now, when any technology is declared “dead,” it is usually an industry analyst (like me) who makes this type of provocative statement. I remember the analyst declaration “mainframe is dead” from the early 1990s and the more recent refrain portending the death of the PC. In this case, however, many people attribute the “AV is dead” soundbite to a former Symantec VP quote in the Wall Street Journal, which seems to give it more credibility. After all, if Symantec, the market leader, thinks AV is dead, then it sure as heck must be.
  • Learning about SDP via Google BeyondCorp

    I’ve been following Google’s BeyondCorp project for a while. In fact, I was recently quoted in a Wall Street Journal blog on this topic. If you are not familiar with BeyondCorp, it is Google’s spin on what’s become known as a software-defined perimeter (SDP). SDP, also called a “black cloud,” originated at the Defense Information Systems Agency (DISA) and is now being driven by the Cloud Security Alliance (CSA).
