Calls for industry change at SteelCon conference over the weekend
Push for industry change was a major theme at this year’s SteelCon conference, where calls for integration and secure development were major talking points.
No model exists to deal with the realities of the current risk environment, said Digital Interruption’s Saskia Coplans, presenting alongside researcher Alistair O’Neill in Sheffield.
“Technology keeps moving but security isn’t changing,” Coplans told SteelCon attendees, highlighting how both time and cost constraints tend to outweigh the implementation of adequate security measures.
“The need for security isn’t constrained,” added O’Neill. “As long as you’re storing data, you’re going to keep doing information security. It’s a never-ending thing.”
A good example of where these constraints can occur is during a pen test, with time allocated to finding vulnerabilities often relating to the size of the security budget – typically minimal and reactionary-based.
Pen testers typically spend a lot of time warning developers about the same types of vulnerabilities when they could be focused on more complicated exploits, further improving the security ecosystem by taking pressure off infosec employees.
“Basically, this involves integrating security into the development pipeline,” said O’Neill.
“So the responsibility of security is distributed across the entire team, and [after] a period of time you kind of get rid of technical debt.”
To integrate security into the pipeline – a process commonly referred to as DevSecOps – there needs to be less conflict between the different roles involved.
More attention needs to be paid to creating tools that can help secure software from the get-go.
That means creating new ways to build up the already infantile workforce, one known for its non-traditional routes of entry where experience and mentorship can equal qualifications.
“That’s kind of unusual for a profession that deals with risk,” Coplans said.
“Every other profession that deals with risk will have, for example, universal skills, scalability in what they’re doing, regulation, and accountability.”
A lack of clear career pathways and definition of skills puts infosec in a bubble far away from the role of traditional developers.
What the security industry needs is some sort of competency checklist, says Coplans, that ensures businesses, employers, and educational institutions are in agreement about what skills are needed.
Coplans pointed to the Skills Matrix – a document that maps the capabilities required for certain roles in infosec.
It was created, in part, by Mark Carney and Dennis Groves and is aimed at changing the practices of hiring managers and recruiters, while helping provide educators and students with a good foundation of what they should be learning.
“There are technical and non-technical people who are already in the ecosystem of putting together software,” Coplans said.
“If we start empowering them with the tools to get them to think about how to operate more securely, we can start spreading the responsibility of security so that it’s not just all sitting on us as security professionals.”
She added: “This doesn’t put us out of a job, it makes us more useful and targeted.”