Top 7 Strategies for Overcoming IT Talent Shortages

Posted on 09-Jun-2015


Learn from Cenzic's Chris Harget as he describes the top strategies for maximizing the security effectiveness of current staff and resources. Specifically, you'll learn:

- Symptoms that you are short-handed
- Key indicators for which strategy will maximize value from existing staff and resources
- Creative tips for convincing your organization to make changes

The current market environment makes finding, training and retaining the right IT employees challenging. Challenges or not, you can gain the skills to protect your organization from excessive security risk. This presentation is a great place to start.

Transcript


Cenzic Live! Webinar: Top 7 Strategies For Overcoming IT Security Talent Shortages

Chris Harget - Product Marketing

Agenda

Symptoms

Strategies

Finding The Win

2 Cenzic, Inc. - Confidential, All Rights Reserved.


Symptoms Of IT Security Talent Shortage

Know The Signs

Incomplete picture of security posture

Backlog of untested applications

Slow remediation when app vulnerabilities discovered

Things done wrong/done twice

Too many long shifts

Open reqs, hiring freezes, “irreplaceable” departures

No vulnerability monitoring of production apps

Data breaches


The Need Is Significant


Source: Cenzic Application Vulnerability Trends Report 2013

Mobile App Vulnerability Types - 2012


Source: Cenzic Application Vulnerability Trends Report 2013

Benchmarks For IT Security Staffing Are Really Hard To Come By

How many security analysts/100 apps?

That depends on:

– Size of apps

– Depth of scan desired

– Coding practices

– Scanning frequency

– Quality of scanning tools

– Division of labor with QA/Dev/Production/GRC


Know Your Specific Shortage

Not enough bodies

Not enough time

Not enough skills

Not enough tools

7.2 Strategies For Overcoming IT Security Talent Shortage

Bodies: Finding/Hiring/Renting

Job titles include:

– Application Security Analyst/Architect

– Penetration Tester

– Application Security Engineer/Tester/Specialist

– Ethical Hacker

If you can’t hire locally, consider managed services

– May be easier/faster than getting increased headcount

– Helps jump-start process


Time: Prioritize, Specialize, Automate

Prioritize

– Are you mitigating the biggest risks first?

Specialize

– What tasks are best done by your team?

– e.g., remediation, management

– What tasks can be offloaded?

– e.g., Dev trains app traversals or Managed Service runs scans

Automate

– Leverage Enterprise-grade tools


Talent/Skills: Train, Borrow, Rent

Train

– How to scan, coding best practices, how to manage

Borrow

– Get Developers for app training & Remediation

– Get QA for re-running scans

Rent

– Managed Services can augment specialized tasks


Tools: Quality and Quantity

Quality

– More accurate scanners improve security and save time

– Quantified app risk scores enable optimal risk mitigation

– Enterprise dashboard shows total risk and trends

Quantity

– Web-based app-training tool goes everywhere needed

– Having enough seats for each Analyst, Developer, QA, GRC, and Executive leverages whole organization


Top 7 Strategies

1. Hire

2. Prioritize

3. Specialize

4. Automate

5. Train

6. Borrow

7. Rent

8. Quality/Quantity


Finding The Win

Justifying Resources


Non-technical people need non-technical explanations

– Keep it simple

– Use cost-benefit for budget

– Use relative-risk for reallocating people

Quantified risk is easier to understand

– E.g., Cenzic’s HARM™ scores

Bonus: Watch “Top 10 Ways To Win Budget for Application Security”

https://info.cenzic.com/webinar-security-budget.html

Making the Case Simply…

Hackers use hidden Application commands to steal data and damage web sites.

Gartner Group says 75% of attacks now target the Web Application Layer

Scanning tools and App Security experts help efficiently find and patch these vulnerabilities.


Detects Web & Mobile App Vulnerabilities

Easy-to-use Software, DIY Cloud, or Managed Service

Accurate behavior-based Scanning protects

– 500,000+ online applications

– $Trillion+ of commerce

Delivers best continuous real-world Risk Management


Tools

Cenzic Enterprise

– Unified console

– Web-based app-configuring makes it easier/more affordable for people all over your enterprise to contribute

– E.g., Developers can define traversals of their own apps


One-click virtual patching via tight integration with leading Web Application Firewalls

Application Vulnerability Monitoring In Production

Identify Risk + Mitigate Risk

Managed Services Offerings – At-a-glance


Tier      Scope
Bronze    Industry best practices for brochureware sites
Silver    Industry best practices for forms and login-protected sites
Gold      Compliance for sites with user data
Platinum  Comprehensive scans for mission-critical applications

Test                          Bronze  Silver  Gold  Platinum
Phishing                        X       X      X      X
Light input validation          X       X      X      X
Data security                   X       X      X      X
Session management                      X      X      X
OWASP compliance                               X      X
PCI compliance                                 X      X
Business logic testing                                X
Application logic testing                             X
Manual penetration testing                            X

Compliance in a Hurry

Who?

– A Health Maintenance Organization

Need?

– Deep scan of a new application on a tight development schedule to ensure compliance.

Solution?

– Cenzic PS performed manual penetration testing alongside comprehensive vulnerability scanning, providing a thorough assessment that could satisfy any compliance or audit need.


Rapid OnBoarding of New Apps

Who?

– A Fortune-100 Banking and Services company

Need?

– Quickly begin scanning 110 applications

Solution?

– Cenzic PS did Custom Onboarding Engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software.

Result?

– Met their timeline needs, and kept the scanning results in-house, per their corporate policy.


Methodology Assessment With Developers

Who?

– Global NGO with thousands of web sites

Need?

– Methodology assessment of their security posture, and real-world training of their developers

Solution?

– Cenzic PS did a 3-day engagement with their app developers.

– Reviewed 10 most common vulnerabilities, found examples in their production apps.

– Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities

– Reviewed coding best practices to completely eliminate said vulnerabilities.


Vulnerability Scanning a Mobile App

Who?

– High technology company with a mobile application that accessed sensitive customer data

Need?

– Vulnerability-scan a mobile app that cannot be traditionally traversed with a spider.

Solution?

– Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line with the mobile app, which allowed technicians to replay various attacks, and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.


Fitting Strategy to Your Need

1. Hire

2. Prioritize

3. Specialize

4. Automate

5. Train

6. Borrow

7. Rent

8. Quality/Quantity


Cenzic Can Help

Train your people

Give them better gear

Have someone else carry the baton


www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Questions?

request@cenzic.com or 1-866-4-CENZIC

Blog: https://blog.cenzic.com
