Editor’s note: This is the second in a weeklong ISACA Now blog series looking ahead to top priorities in 2022 for practitioners in digital trust fields. See the earlier post looking ahead to 2022 for audit practitioners.
The availability of security talent — or lack thereof — has emerged as the key limiting factor in information security’s ability to secure the modern business. Every year I build a study plan for myself and my team, as I believe truly great security professionals are developed as a result of continuous learning. I align my learning and that of my team with key business goals and objectives. To build a business-centric, transparent portfolio of security services, organizations should use business objectives to define a set of portfolio objectives to guide how they invest in technology, skills and process development across the enterprise’s diverse needs before considering individual projects. Rather than dividing investments evenly across portfolio objectives, CISOs should deliberately channel disproportionate investment toward the enterprise’s key strategic priorities. We must recognize that our talent development should reflect our portfolio roadmap and be part of the budgeting for new service development.
Here are the three cybersecurity areas that I am focusing on building in myself and my team for 2022:
Priority 1: Cloud Security
Organizations’ move to the cloud has accelerated as a result of the pandemic, driven by hardware shortages and remote work. It is critical that the organization builds out a cloud security center of excellence. According to the Cloud Security Alliance and the analyst firm Gartner, cloud misconfiguration remains one of the top cloud threats.
The cloud is complex with AWS and Azure having over 200 services. If you haven’t started to build out your cloud knowledge, then you must begin that journey today. It is critical to understand how the shared responsibility model has changed governance and risk. I have completed my knowledge on cloud basics but if you haven’t, an excellent place to start is the ISACA Cloud Fundamentals course as part of the Certified in Emerging Technology (CET) credential. Each of the cloud service providers also has a cloud fundamentals training course: AWS, GCP and Azure. You can easily set up a free tenant in the cloud of your choice to ensure you are getting hands-on experience.
As part of the development of a cloud security center of excellence, I also recommend building out a training program that clearly outlines the levels of knowledge you should achieve or that you require your team to attain. I always add mentoring to my skills roadmap because I acknowledge that the best way of knowing if I truly understand something is if I can explain the concept to others. It also allows me to build out the cloud security knowledge within my organization and an environment of continuous learning and mentoring which, in turn, enables a learning pipeline.
Priority 2: Data Security
Data is the oil that powers digital transformation, but if data is the new oil, then we have sprung a leak. Data is a company’s biggest asset and regulators globally are increasingly looking to create data privacy laws to ensure that organizations are taking sufficient care of the data that they gather. As a security professional, understanding how we maintain not only the security, but the privacy of data is critical. I completed the Certified Data Privacy Solutions Engineer (CDPSE) this year and I am continuing to focus on developing my skills in
- Privacy governance
- Privacy architecture
- Data lifecycle
Increasingly we are storing data on IoT sensors, at the edge, in data lakes in the cloud and in data repositories on-premises. I am also working hard to make sure I understand not only the fundamentals of the data lifecycle but also the key architecture that is enabling the collection and use of data.
Priority 3: Next Generation Secure Operations
Malware travels at the speed of light. The WannaCry attack of 2017 covered 150 countries in 24 hours before security researcher Marcus Hutchins found a kill switch. The Security Incident and Event Management (SIEM) is no longer the heart of the SOC. Instead, we are moving towards XDR. Extended detection and response, or XDR, is a new approach to threat detection and response enabling automatic isolation of threats. Security Operations Centers need to collect and automatically correlate data across multiple security layers – endpoint, server and cloud workload. I want to ensure that I fully understand how to modernize and optimize SOCs.
I am working my way through the Google, Amazon and Microsoft training around modern SOC operations to get additional information around how the CSPs envision the SOCs of the future. Much of the automatic response to threats is powered by scripts. I am focused on building out a script catalog of security responses and risk assessments. This means that learning Python and PowerShell is at the top of my list and there are some great resources on PowerShell and Python. While I may never be a programming genius, I want to be able to speak a scripting language well enough so that I can automate what I need to automate. I might focus SOC operations personnel on ISACA’s CSX Cybersecurity Practitioner (CSX-P) certification or courses from SANS. As a manager, I may focus my knowledge more on the design aspects.
Good security is a combination of people, processes and technology. It is people and processes that drive the technology. A culture of continuous learning allows you to build a security talent pipeline and enable the people and process part of the equation in cybersecurity delivery. Each professional should have a personal skills development plan and we must value and reward knowledge in every area of the enterprise. This is the key to building a truly successful and resilient, future-proof organization.