Careers Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/features/careers/

The Real Value of Professional Certifications
https://cisomag.com/the-real-value-of-professional-certifications/
Mon, 03 Jan 2022 05:30:25 +0000

Whether Lean Six Sigma (LSS), Project Management Professional (PMP®), IT Infrastructure Library (ITIL®), the EC-Council’s Certified Chief Information Security Officer (CCISO), or Certified Information Systems Security Professional (CISSP) (the list goes on), the real value of professional certifications comprises multiple perspectives. This brief article highlights the immediate impact, return on investment (ROI), and competitive edge as value-added considerations for seeking professional certifications in cybersecurity.

By Dr. Charlotte M. Farmer, Independent Director

Rapid Impact

Faced with rapid changes in technology and evolving cyberthreats, leaders quickly find themselves overwhelmed by knowledge and capability gaps.  For example, organizations are encountering a significant change in processes and protocols to operate and secure the enterprise effectively.  Realizing that the skills needed to execute are becoming radically different, leaders are compelled to reset or upskill the workforce.  With the heightened emphasis on mobility, organizations seek application skills that enable the development and management of various cloud services.  Organizations and their service providers are upskilling employees through acquisitions, training, retraining, or talent acquisition mechanisms.

Given that certifications deliver targeted guidance in a timely fashion, leaders look to certifications as a rapid approach to keep skills fresh and relevant whenever, wherever needed.  Pursuing a degree program is not always a practical option.  In some cases (e.g., cybersecurity, AI, data analytics, etc.), textbooks are outdated by the time they are published.  Certifications have rapidly become a stop-gap solution to help keep pace with technology acceleration.



Return On Investment

With the rapidly changing demand for new solutions (e.g., AWS Certified Solutions Architect – Professional, Certified Cloud Security Professional [CCSP], Certified Data Privacy Solutions Engineer [CDPSE], etc.), some organizations may not understand the available capabilities or how to employ them. This cripples leaders as they strive to actualize strategies. Playing the long game: once the strategic direction is established, a 2–3-year Information Technology (IT) roadmap should be developed to identify: 1) business needs, challenges, and aspirations, 2) the functional capabilities needed to tackle challenges and achieve aspirational goals, 3) the talent needed to perform those capabilities, and 4) the professional development needed for the workforce.

In situations where individuals are faced with trade-off decisions between pursuing a certification or degree, it can be helpful to establish decision criteria that will be used to measure ROI. Criteria could include (but are not limited to):

  • salary impact
  • urgency (needed to address the emerging threat or enable business transformation)
  • intent (professional positioning/growth or intellectual fulfillment)
  • organizational risk (ensure sustainability, drive compliance, etc.)

With personal, professional, and corporate ROI in mind, this author is adding CISSP to her portfolio of certifications along with free online courses by Harvard, MIT, Berkeley, and more (via edX). edX offers access to 2,000 free online courses from 140 leading institutions worldwide.

Professional Certifications for the Competitive Edge

In this “micro-wave” economy, lifelong learners may turn to certifications to stay sharp in their area of expertise while banking on rapid ROI. In this environment, certifications appear to offer a high-value, fast-paced means to enhance skills. CAUTION: Certifications are not panaceas and should not be treated as such. Depending on the circumstances, certifications may not substitute for formal education or experience. Appropriate certifications should be included as part of a holistic professional development plan that includes a proportionate amount of:

1) learning on the job through hands-on stretch assignments

2) learning via engagement with subject matter experts using an apprentice model, and

3) formal training in relevant classes/degree programs, seminars, and workshops.

Keep in mind that professional development plans should align with the individual’s learning style, environmental drivers (e.g., industry, technology, processes, etc.), and strategic direction of the organization.  Most importantly, individuals should co-create a development plan with their management team to determine the most appropriate certification and optimal balance of work, mentorship, and training.

Conclusion

Arguably, professional certifications offer a value-added approach to rapidly skill-up the workforce.  While certifications help enhance skills and experience, they should be included in a holistic professional development plan that includes a proportionate amount of learning on-the-job, engagement as an apprentice, and formal training.  Many venues are offering free courses to help gain new skills and earn a certificate of completion. Pick one and join today.


About the Author

Dr. Charlotte Farmer is an experienced Director and Board Member with proven value creation across blue chip companies and top-tier general management consulting firms. Over the last 25 years, she has served as Board Chair, Committee Chair, or Board Advisor to 16 non-governmental organization (NGO) boards. Currently, she serves as Board Chair of a tech start-up and advisor to a private equity company in The Carlyle Group portfolio. Her board expertise includes strategy, governance, and turnaround with proven results building high-performing, growth organizations. Her leadership roles in high-tech manufacturing, global operations, finance, and digital transformation would also be an asset to companies eager to expand their footprint or companies in need of turnaround guidance.

Dr. Farmer is also on the CISO MAG Editorial Advisory Board.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. 

What are the Opportunities for Software Developers in Cybersecurity?
https://cisomag.com/software-developers-in-cybersecurity/
Tue, 29 Jun 2021 05:30:14 +0000

In the first article in this brand-new series, titled, Career Changers, CISO MAG reached out to software developers and DevSecOps specialists. For this article, we explore careers for software developers in the field of Cybersecurity. What are the opportunities for developers? What skills do they need to acquire to prepare for cybersecurity roles, and how long will it take to adjust to the new role?

By Brian Pereira, Editor-in-Chief, CISO MAG

Our first question was: What are the career opportunities for software developers in cybersecurity?

Ram Movva, President and Co-founder of Cyber Security Works (CSW), says there are a lot of career opportunities for software developers in cybersecurity.

“From a career opportunity perspective, a software developer can build products for the cybersecurity industry, especially SaaS-based software. We have 100+ openings for software developers in CSW and are building SaaS products,” says Movva.

We also spoke to DevSecOps specialists. Ambuj Kumar, DevSecOps Engineer at Curl, says software developers have a “bright career” if they come over to cybersecurity because they know coding, which is “helpful in the long run.”

Both Kumar and Movva believe that cybersecurity is important for every industry and every business. So, it does not matter which industry a software engineer is writing the code for – it is about the security aspects in the coding and “security by design.” In industry terms, this is called “shift-left,” which means security should come in at the very beginning of the software development lifecycle.

Riddhi Patel, Sr. DevSecOps Engineer at IBM, concurs with their views and says everyone wants their product or data to be secured. She tells us that organizations are now thinking more about secure coding principles.

“Enterprises have started understanding their liabilities and realize that having cybersecurity analysts in the organization is not enough. They are now training their developers to build security into software and learn code securely. Today, every organization is shifting security to the left in the software development lifecycle. So, it’s a great opportunity for developers to work with Security Engineers and learn more about cybersecurity,” says Patel. 

Skills and Training

Our next question to them was about skilling and training. We asked: What are the additional skills that a software engineer needs to acquire? And what is the best way to go about it?

“Software professionals who understand the security aspects of safe coding can become successful security practitioners, ethical hackers, and security analysts. They can implement DevSecOps for companies that are building products or providing security services,” informs Movva. “If you are a major in computer science, with a B.Sc, MCA or BE degree, and know how to write code, you can thrive in the cybersecurity industry — even if you are fresh out of college.”

Kumar says software developers need to understand network security, web security, and mobile security — and different security vulnerabilities. He says they should opt for training and certifications such as OSCP, CISSP, CEH.

Brought to you by:

The EC-Council, which owns and publishes CISO MAG, offers various courses to train software engineers for cybersecurity. One can also pursue CISSP, CEH and other certifications through the EC-Council. View a list of courses and certifications here: https://www.eccouncil.org/programs/

The Right Approach

And what are the opportunities? What is the best approach?

“In my opinion, if a person is working as a developer/software engineer and thinking about a career in cybersecurity, I would suggest that they aspire to be a security engineer (DevSecOps Engineer). They can start understanding more about cybersecurity attacks and how they happen due to insecure coding — and the impact of those attacks. As much as they learn about security attacks, they can start thinking about secure coding, which is more in demand,” says Patel.

Patel also mentioned Static Application Security Testing (SAST), a white-box method of testing in which security engineers have the source code and need to run a SAST tool. With this tool, they can review source code manually for some critical functionalities (like authentication, business logic functionalities, any payment-related functionality) to find vulnerable functions or vulnerabilities in third-party libraries used in the application.

Another method is Dynamic Application Security Testing (DAST), a black-box testing method that examines an application while it is running to find vulnerabilities that can be exploited by an attacker.

“There are a lot of things to test in DAST, but one area that needs developer attention is to review client-side coding or a script which is executing at client side. I believe the experience of secure coding will help to find out vulnerable client-side code easily,” added Patel.

Patel also suggests that developers take part in the threat modeling discussion and process, because it gives them a better idea of how to develop secure code. It helps them understand how to focus on the highest-risk functionality while developing and to give that functionality the least authorization, which helps reduce application vulnerability risk.

So how long will it take to acquire all these skills?

Says Kumar, “Overall, for a software developer, it takes five to six months of consistent hard work to establish a career in cybersecurity.”

Patel agrees and says it will take time to understand security concepts. But one must learn “in the right direction” and “be consistent.”

Views expressed in this article are personal and should not be attributed to the organizations where these individuals are employed.


About the Author

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

What is Penetration Testing? What Does a Penetration Tester Do?
https://cisomag.com/what-is-penetration-testing-what-does-a-penetration-tester-do/
Wed, 23 Jun 2021 05:33:03 +0000

Ever since the pandemic hit, organizations across the globe stepped up their cybersecurity and automation operations, which also increased opportunities for skilled cybersecurity professionals in the industry. Organizations are looking for advanced talent and further adoption of AI technology in support of machine learning techniques to combat evolving cyberthreats. According to a survey, there are nearly 465,000 open job positions in cybersecurity in the U.S. as of May 2021, with a very low cybersecurity workforce supply ratio.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

In addition to various cybersecurity profiles, the demand for penetration testers gained mainstream momentum as companies are now more focused on mitigating risks before they happen.

What is Penetration Testing?

Penetration testing is a simulated attack against a company’s network systems to find unpatched vulnerabilities before threat actors exploit them. It is like a mock attack to check the security capabilities of the existing digital infrastructure and associated processes. In penetration testing, ethical hackers or pen testers attack existing systems and applications to assess their defensive capabilities.

What Does a Penetration Tester Do?  

A Penetration Tester, also called a Pen Tester or Ethical Hacker, is responsible for performing in-depth tests across a company’s network systems and web applications to find vulnerabilities or any security loopholes before they are exploited by cybercriminals.

Responsibilities of a Penetration Tester

  • Designing penetration tests
  • Carrying out attack simulations
  • Creating vulnerability reports and recommendations
  • Advising the management on security developments
  • Working with other employees to enhance the company’s overall cybersecurity posture

How to Become a Penetration Tester

Ethical hackers need to possess a strong understanding of the psyche and motives of cybercriminals in order to conduct pen testing to discover security vulnerabilities and gaps in the network.

Required Skill Set

  • A bachelor’s degree in computer science, cybersecurity, IT, or engineering
  • Good networking skills
  • Knowledge of Java, Python, and Perl platforms
  • Black box testing
  • Coding skills
  • Vulnerability analysis
  • Proficiency in command-line scripting
  • Sound knowledge in operating systems concepts
  • Strong reporting and presentation skills

EC-Council’s certification courses like Certified Penetration Testing Professional (CPENT), Licensed Penetration Tester (LPT), and Certified Ethical Hacker (CEH) will certainly help students and interested candidates in the pursuit of this role and opportunity.

Wrap Up

Detecting and defending against evolving cyberthreats is critical for every organization to remain secure, and penetration testing will continue to be part of it. The field of penetration testing will evolve in the years to come and will remain a key component in the cybersecurity development program.

About the Author:


Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

How to Become a Digital/Computer Forensic Analyst in 2021
https://cisomag.com/how-to-become-a-digital-computer-forensic-analyst-in-2021/
Tue, 08 Jun 2021 21:30:56 +0000

Handling a cybersecurity incident is not an easy task. Cybercriminals often leverage advanced hacking techniques to evade detections and leave no clues about their malicious activities. This is where a computer or digital forensic analyst comes into play. In addition to cybersecurity readiness, organizations must employ a cyber forensic team to analyze a cyberattack and trace the actor behind it.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

What is Digital Forensics?

Digital forensics or computer forensics is the field of uncovering, identifying, extracting, and documenting evidence after a cybersecurity or data breach incident. The digital artifacts found by the forensics team can be used to determine the culprits and help in law enforcement proceedings. Digital forensics is a critical category in cybersecurity with several branches, including firewall forensics, network forensics, computer forensics, database forensics, and mobile device forensics.

A forensic team is responsible for retrieving deleted, lost, manipulated, or stolen data. They are required to work closely with the law enforcement authorities to investigate cybercriminal activities.

Digital Forensics vs Computer Forensics

Though the two approaches have the same purpose, digital and computer forensics differ in their investigation processes. Digital forensic investigation includes gathering digital artifacts such as mobile phones, networks, USB drives, hard disks, CDs, digital cameras, and electronic files like JPEGs and emails. Computer forensics is mostly limited to computer analysis to find the evidence.

What Skills are Required?

For one, you need to have an investigative mindset and good problem-solving skills. Most organizations are deploying a digital/computer forensic analyst in their security team to boost their incident response plan.

Requirements

  • Bachelor’s degree in computer science or cybersecurity
  • Work experience in a related field would be an added advantage
  • Good investigation and presentation skills
  • Knowledge in cyber law and criminal investigation
  • A sound analytical mind with attention to detail

Certifications

In addition to academics, relevant certifications will help individuals excel in the digital forensic field. Get started with EC-Council’s certifications like:

The eligibility criteria for a forensic analyst vary from one company to another. But most organizations are willing to employ one due to rising cyberattacks and to meet audit and compliance requirements.

Cybersecurity is an ocean of exciting opportunities, and there are multiple reasons to pursue one.

About the Author:

 

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

These are the Top 5 Cybersecurity Jobs in 2021
https://cisomag.com/these-are-the-top-5-cybersecurity-jobs-in-2021/
Tue, 25 May 2021 15:30:01 +0000

Digital security is becoming more critical than ever with organizations moving towards rapid digital transformation and automation.  Securing valuable data, programs, intellectual property, and other digital assets has become paramount as everything is stored online. Organizations globally are focusing more on recruiting cybersecurity professionals to secure their digital infrastructure from evolving cyber threats. The demand for security specialists in the industry is high as cybersecurity jobs have gained mainstream momentum.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

Cybersecurity Job Landscape

Amid growing cybersecurity risks, most organizations are stepping up their cybersecurity and digital transformation budgets, which in turn increases opportunities for skilled security professionals. A recent analysis from Gartner revealed that investment in information security and risk management technology and services is expected to grow 12.4% to reach $150.4 billion in 2021. Organizations are looking ahead to growing automation and further adoption of machine learning technologies in support of AI security to combat evolving cyberattacks. According to Cyber Seek, there are nearly 465,000 open job positions in cybersecurity in the U.S. as of May 2021, with a very low cybersecurity workforce supply ratio.

Here are some of the most demanding cybersecurity jobs:

1. Chief Information Security Officer

Role: Senior level

The Chief Information Security Officer (CISO) is a senior-level executive responsible for aligning the company’s cybersecurity plans with its business goals. Most organizations have a CISO on their management team to oversee the company’s security and IT operations, implementing security strategies and budgets to protect the organization’s critical infrastructure. CISOs keep abreast of the latest industry happenings and offer real-time analysis of threats that might arise during big business moves such as mergers and acquisitions.

To become a CISO, one should have sound experience in different cybersecurity job profiles.

Required Skill Set

  • Good experience in the IT sector
  • Incident management and supervisory skills
  • Business expertise
  • Strong communication and presentation skills
  • Risk management

EC-Council’s C|CISO Certification provides a real-world experience to succeed at the highest executive levels of information security.

2. Ethical Hacker

Role: Mid-level

An Ethical Hacker, also called a Penetration Tester or Pen Tester, is responsible for performing in-depth tests across a company’s network systems and web applications to find vulnerabilities or any security loopholes before they are exploited by cybercriminals.

Ethical hackers need to possess a strong understanding of the psyche and motives of cybercriminals in order to conduct pen testing to discover security vulnerabilities and gaps in the network.

Required Skill Set

  • Good networking skills
  • Knowledge of Java, Python, and Perl platforms
  • Black box testing
  • Strong reporting and presentation skills

EC-Council’s certificates like Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH) will certainly help in the pursuit of this role and opportunity.

3. Security Architect

Role: Senior level

A Security Architect is responsible for designing IT security structures and developing architecture patterns and new security approaches for an organization. The security architect is also responsible for educating staff on security policies and providing security assistance to prevent cyber risks.

Required Skill Set

  • Strong IT background
  • Knowledge in cyber risk management
  • Network hardware configuration
  • Knowledge of security protocols and cryptography
  • Analytical and problem-solving skills

EC-Council’s Certified Security Specialist (CSS) will benefit the security architect aspirants in anticipating possible breaches.

4. Network Security Engineer

Role: Senior level

A Network Security Engineer guards an organization’s digital and physical assets and protects them from cyberthreats. They oversee IT infrastructure, operational data center systems, and networks. A network security engineer is also responsible for the maintenance of firewalls, routers, switches, VPNs, and other network monitoring tools.

Required Skill Set

  • Sound networking skills
  • Knowledge of security architecture and management of operating systems
  • Knowledge of C, C++, Python, and Java is required
  • Strong communication and presentation skills

EC-Council’s Certified Network Defense Architect (CNDA) and Advanced Network Defense will boost opportunities in the field.

5. Digital Forensic Analyst

Role: Mid-level/Senior

A Digital Forensic Analyst is a cybersecurity detective required at the crime scene to investigate the severity of the incident. A DF Analyst studies cyberattacks, collects digital evidence, and supervises and trains the team to follow suit. They are responsible for retrieving deleted, lost, manipulated, or stolen data. Digital forensic analysts are required to work closely with the police and law enforcement authorities to investigate cybercriminal activities.

Required Skill Set

  • Networking skills
  • Knowledge in cyber law and criminal investigation
  • A sound analytical mind with attention to detail

EC-Council’s Computer Hacking Forensic Investigator Certification will help aspirants in achieving the desired job.

Cybersecurity is an interesting field, to say the least. And there are multiple reasons to pursue a security career.

About the Author:

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       
