Transcript
Page 1: Top 7 Strategies for Overcoming IT Talent Shortages

Cenzic Live! Webinar: Top 7 Strategies For Overcoming IT Security Talent Shortages

Chris Harget - Product Marketing

Page 2: Top 7 Strategies for Overcoming IT Talent Shortages

Agenda

Symptoms

Strategies

Finding The Win

2 Cenzic, Inc. - Confidential, All Rights Reserved.

Page 3: Top 7 Strategies for Overcoming IT Talent Shortages

Symptoms Of IT Security Talent Shortage

Page 4: Top 7 Strategies for Overcoming IT Talent Shortages

Know The Signs

Incomplete picture of security posture

Backlog of untested applications

Slow remediation when app vulnerabilities discovered

Things done wrong/done twice

Too many long shifts

Open reqs, hiring freezes, “irreplaceable” departures

No vulnerability monitoring of production apps

Data Breaches

Page 5: Top 7 Strategies for Overcoming IT Talent Shortages

The Need Is Significant

Source: Cenzic Application Vulnerability Trends Report 2013

Page 6: Top 7 Strategies for Overcoming IT Talent Shortages

Mobile App Vulnerability Types - 2012

Source: Cenzic Application Vulnerability Trends Report 2013

Page 7: Top 7 Strategies for Overcoming IT Talent Shortages

Benchmarks For IT Security Staffing…

…Are Really Hard To Come By.

How many security analysts/100 apps?

That depends on:

– Size of apps

– Depth of scan desired

– Coding practices

– Scanning frequency

– Quality of scanning tools

– Division of labor with QA/Dev/Production/GRC

Page 8: Top 7 Strategies for Overcoming IT Talent Shortages

Know Your Specific Shortage

Not enough bodies

Not enough time

Not enough skills

Not enough tools

Page 9: Top 7 Strategies for Overcoming IT Talent Shortages

7.2

Strategies For Overcoming IT Security Talent Shortage

Page 10: Top 7 Strategies for Overcoming IT Talent Shortages

Bodies: Finding/Hiring/Renting

Job titles include:

– Application Security Analyst/Architect

– Penetration Tester

– Application Security Engineer/Tester/Specialist

– Ethical Hacker

If you can’t hire locally, consider managed services

– May be easier/faster than getting increased headcount

– Helps jump-start process

Page 11: Top 7 Strategies for Overcoming IT Talent Shortages

Time: Prioritize, Specialize, Automate

Prioritize

– Are you mitigating the biggest risks first?

Specialize

– What tasks are best done by your team?

– e.g., Remediation, Management,

– What tasks can be offloaded?

– e.g., Dev trains app traversals or Managed Service runs scans

Automate

– Leverage Enterprise-grade tools

Page 12: Top 7 Strategies for Overcoming IT Talent Shortages

Talent/Skills: Train, Borrow, Rent

Train

– How to scan, coding best practices, how to manage

Borrow

– Get Developers for app training & Remediation

– Get QA for re-running scans

Rent

– Managed Services can augment specialized tasks

Page 13: Top 7 Strategies for Overcoming IT Talent Shortages

Tools: Quality and Quantity

Quality

– More accurate scanners improve security and save time

– Quantified app risk scores enable optimal risk mitigation

– Enterprise dashboard shows total risk and trends

Quantity

– Web-based app-training tool goes everywhere needed

– Having enough seats for each Analyst, Developer, QA, GRC, and Executive leverages whole organization

Page 14: Top 7 Strategies for Overcoming IT Talent Shortages

Top 7 Strategies

1. Hire

2. Prioritize

3. Specialize

4. Automate

5. Train

6. Borrow

7. Rent

8. Quality/Quantity

Page 15: Top 7 Strategies for Overcoming IT Talent Shortages

Finding The Win

Page 16: Top 7 Strategies for Overcoming IT Talent Shortages

Justifying Resources

Non-technical people need non-technical explanations

– Keep it simple

– Use cost-benefit for budget

– Use relative-risk for reallocating people

Quantified risk is easier to understand

– E.g., Cenzic’s HARM™ scores

Bonus: Watch “Top 10 Ways To Win Budget for Application Security”

https://info.cenzic.com/webinar-security-budget.html

Page 17: Top 7 Strategies for Overcoming IT Talent Shortages

Making the Case Simply…

Hackers use hidden Application commands to steal data and damage web sites.

Gartner Group says 75% of attacks now target the Web Application Layer

Scanning tools and App Security experts help efficiently find and patch these vulnerabilities.

Page 18: Top 7 Strategies for Overcoming IT Talent Shortages

Detects Web & Mobile App Vulnerabilities

Easy-to-use Software, DIY Cloud, or Managed Service

Accurate behavior-based Scanning protects

– 500,000+ online applications

– $Trillion+ of commerce

Delivers best continuous real-world Risk Management

Page 19: Top 7 Strategies for Overcoming IT Talent Shortages

Tools

Cenzic Enterprise

– Unified console

– Web-based app-configuring makes it easier/more affordable for people all over your enterprise to contribute

– E.g., Developers can define traversals of their own apps

Page 20: Top 7 Strategies for Overcoming IT Talent Shortages

Application Vulnerability Monitoring In Production

One-click virtual patching via tight integration with leading Web Application Firewalls

Identify Risk + Mitigate Risk

Page 21: Top 7 Strategies for Overcoming IT Talent Shortages

Managed Services Offerings – At-a-glance

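Bronze: Industry Best-Practices for Brochureware sites

Silver: Industry Best-Practices for forms and login protected sites

Gold: Compliance for sites with user data

Platinum: Comprehensive scans for Mission critical applications

| Test area                  | Bronze | Silver | Gold | Platinum |
|----------------------------|--------|--------|------|----------|
| Phishing                   | X      | X      | X    | X        |
| Light input validation     | X      | X      | X    | X        |
| Data Security              | X      | X      | X    | X        |
| Session management         |        | X      | X    | X        |
| OWASP compliance           |        |        | X    | X        |
| PCI compliance             |        |        | X    | X        |
| Business logic testing     |        |        |      | X        |
| Application logic testing  |        |        |      | X        |
| Manual penetration testing |        |        |      | X        |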

Page 22: Top 7 Strategies for Overcoming IT Talent Shortages

Compliance in a Hurry

Who?

– A Health Maintenance Organization

Need?

– Deep scan of a new application on a tight development schedule to ensure compliance.

Solution?

– Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need.

Page 23: Top 7 Strategies for Overcoming IT Talent Shortages

Rapid OnBoarding of New Apps

Who?

– A Fortune-100 Banking and Services company

Need?

– Quickly begin scanning 110 applications

Solution?

– Cenzic PS did Custom Onboarding Engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software.

Result?

– Met their timeline needs, and kept the scanning results in-house, per their corporate policy.

Page 24: Top 7 Strategies for Overcoming IT Talent Shortages

Methodology Assessment With Developers

Who?

– Global NGO with thousands of web sites

Need?

– Methodology Assessment of their security posture, and real-world training of their Developers

Solution?

– Cenzic PS did a 3-day engagement with their App Developers.

– Reviewed 10 most common vulnerabilities, found examples in their production apps.

– Cenzic PS demonstrated on a Live Demo site how a hacker could exploit those specific types of vulnerabilities

– Reviewed coding best practices to completely eliminate said vulnerabilities.

Page 25: Top 7 Strategies for Overcoming IT Talent Shortages

Vulnerability Scanning a Mobile App

Who?

– High technology company with a mobile application that accessed sensitive customer data

Need?

– Vulnerability scan a mobile app that cannot be traditionally traversed with a spider.

Solution?

– Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line to the mobile app, which allowed technicians to replay various attacks and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.

Page 26: Top 7 Strategies for Overcoming IT Talent Shortages

Fitting Strategy to Your Need

1. Hire

2. Prioritize

3. Specialize

4. Automate

5. Train

6. Borrow

7. Rent

8. Quality/Quantity

Page 27: Top 7 Strategies for Overcoming IT Talent Shortages

Cenzic Can Help

Train your people

Give them better gear

Have someone else carry the baton

Page 28: Top 7 Strategies for Overcoming IT Talent Shortages

www.cenzic.com | 1-866-4-CENZIC (1-866-423-6942)

Questions?

[email protected] or 1.866-4-Cenzic

Blog: https://blog.cenzic.com

