Many IT specialists are familiar with this: the bigger the company is, the more likely it is, that encapsulated components are supported by one specialist alone or by a team of specialists. Unfortunately, this means that often they alone are aware of the complexity and the challenges of what they do. However, good specialists in cyber security do not shine just because of their technical knowledge in their specialist field. It is at least just as important – if not even more important – for them to understand the interrelations as well as the interfaces they deal with every day. In part 1 of my blog series about cyber security specialists, you will have found out how to get, keep and motivate good employees. Now I’m going to explain to you what differentiates good cyber security staff from the top employees.
Penetration tests and published breaches over the last months and years prove it - No matter how much money you invest in IT security if it’s wrongly configured it won’t do what it promised in the end. All the more important that the most crucial components – your staff - keep their promises.
Confidentiality, integrity and availability – the basic requirements of every cyber security expert
A good IT security solution stands out by ensuring that every aspect is covered by the three general security objectives of confidentiality, integrity and availability.
- Confidentiality: restricting access authorisations and data transmission encryption
- Integrity: ensuring the immutability of data and traceability in the event of data mutation
- Availability: preventing systems failures
These safety objectives are not only true for your company’s “crown jewels”, they are also central to every project and solution that provides access to or preparation of data. Solutions that run IT administration or even IT security products are often completely forgotten about. You need either a great deal of experience or a strong imagination to be able to assess the fall-out from poorly-configured IT security products. This is why it is crucial for your cyber security specialists to always have these three security aspects in the backs of their minds when they are working, and then to act accordingly.
The 5 (+2) W’s of Cyber Security
Good cyber security experts master their products and are able to apply their knowledge to the relevant context like no other, whereas technically highly-versed cyber security experts not only understand the 5 ‘W’s (What, Why, Where, Who, When), for every issue that arises. They can also demonstrate the ‘How’ (How did something happen) or ‘Which’ (How will this be resolved, e.g. process, people, tools). Based on these basic questions, systems and possible weak points on all possible levels of the design are scrutinized ‒ from the OSI layers via the cyber kill chain up to the STRIDE model. On the basis of the gaps identified, the “Red Team” develops ‘Proof of Concepts’ to demonstrate these weak points. The “Blue Team” subsequently revises the architecture of the solutions to either completely resolve the issue or to increase detection possibilities when vulnerabilities are being exploited. In the future, problems like these can then be circumvented. Your own technical skills may help to identify a challenge as comprehensively as possible – but they are by no means a guarantee for success!
Your employees – a good Investment
To maximise the potential of your cyber security experts, you should be investing in their continuing development, particularly in areas of interest to them, even if you only perceive an indirect interest for your company. New outlooks and a more profound understanding in another specialisation will enable them to ask detailed questions and recognise where the technical obstacles are lying in wait. You will also benefit from increased employee motivation, more networked thinking and knowledge reaching beyond their own area of responsibility. However, many managers fear just the opposite. This is understandable as, after all, most training and further education do not come at bargain prices and also means absences from work.
However, there are now countless opportunities for training and further education in IT Security. One example is the Certificate or Master of Advanced Studies (CAS/MAS), which can often be started without a university degree. Another example is using the shorter options available, such as week-long courses (for example at Digicomp Academy or SANS), boot camps or free online courses like GitHub or Open Security Training.
The most important area where your company can make its contribution is with time because, for all of us, this remains finite. But it’s worth it! Good staff – cyber security experts – is the most important capital for any company, now and in the future.
Make an investment yourself in your own future…
…and come to InfoGuard! We are always looking for motivated cyber security experts in the areas of consulting, engineering and cyber defence. We are not just about working, we’re also about learning. We both challenge and support our staff with targeted on- and off-the-job training. We also offer an exciting environment with interesting projects and clients, as well as the opportunity to work alongside specialist cyber security experts.
Interested? You will find our current job offers on our careers website. Can’t see anything that suits you? Unsolicited applications can also pay off. We look forward to hearing from you.