Paul Rubens, Author at eSecurity Planet https://www.esecurityplanet.com/author/paul-rubens-esp/ Thu, 06 Jun 2024 16:28:38 +0000

Cybersecurity Jobs & Salaries: Outlook 2020 https://www.esecurityplanet.com/networks/cybersecurity-jobs-salary/ Fri, 20 Dec 2019 00:00:00 +0000

There has never been a better time to have a career in IT security. That’s because the demand for IT security people of all skill levels continues to skyrocket and, what’s more, it shows no sign of coming back down to more moderate levels.

With IT security threats showing no sign of abating and data privacy laws like CCPA raising the stakes, the cybersecurity jobs market should remain strong for some time.

Last year there was an estimated global cybersecurity staffing shortage of three million people, and that has now grown to over four million, according to research by ISC2. Put another way, the global IT security workforce needs to grow by almost 150%, according to the research. That means there will be plenty of jobs, and plenty of opportunities to switch to more interesting, more specialized, or simply better paid roles for those with the right mix of skills and experience.

The corollary of this massive staff shortage is that there is strong upward pressure on salaries for IT security roles, with those roles with the biggest supply gaps seeing the biggest raises. This is being borne out in the real world: IT security jobs are seeing average salary increases of 7%, compared to just 3% for software developers, according to a Robert Walters salary survey. Anecdotal evidence suggests that the most senior IT security roles are seeing salary inflation of as much as 12%.

Cylance just released a 44-page report that provides detailed salary profiles for five popular security positions: Security Analyst, Threat Intelligence Specialist, Security/Cloud Security Architect, Penetration Tester and Security Director/Manager. The report looks at location (North American jobs tend to pay more than elsewhere), degrees (they don’t improve salary), industry (banking and finance pay the best), experience (quality counts more than experience) and gender (a significant shortage of women), among other issues.

In-demand security positions

When it comes to specific roles that are in demand, it’s worth bearing in mind that these can change rapidly due to evolving circumstances. However, the roles currently in high demand include:

  • App security engineer
  • Cyber security consultant
  • Data protection officer
  • Chief security officer
  • Security analyst
  • Security engineer
  • Security architect
  • Security and penetration testing expert

Certifications in high demand

One way for candidates to be sure of getting an IT security job at the top end of the pay scale is to hold the most in-demand security certifications. The certifications where demand is likely to outstrip supply the most in 2020 include:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)

That’s not to say that people who lack the skills and experience for these roles will struggle to find any IT security job, according to Graeme Enfields, an IT recruitment consultant at Henry Nicholas. “It’s not always about specific skills. Many companies will get one or two higher-level IT security experts in the door, and then recruit graduates and teach them,” he says.

Most companies would like graduates to have studied a relevant course but few specify a particular qualification. Among those that do, the most commonly specified qualifications are CREST penetration testing and ethical hacking ones, he adds.

Best places to get an IT security job in 2020

According to Cyberseek, there are a handful of U.S. states where IT security skills are particularly in demand and will remain so next year, and these include:

  • Florida
  • Texas
  • California
  • Illinois
  • New York
  • North Carolina
  • Virginia
  • Maryland

At a local level the IT security skills demand hotspots are more geographically dispersed, with notably high demand in areas that include:

  • Salt Lake City
  • Denver
  • Colorado Springs
  • Minneapolis
  • Phoenix
  • Portland
  • Seattle
  • Oklahoma
  • Kansas
  • Nashville
  • Cincinnati
  • Boston

What will AI mean for the IT security job market?

The use of artificial intelligence (AI) in IT security is likely to explode over the next few years: 69% of SMEs are planning to use it in some security role or another in the next five years, according to research carried out by Senseon.

The important question to ask, then, is what effect will AI have on the job market? Which roles will be threatened, and which ones will see demand increasing?

According to the Ponemon Institute, the most common applications of AI in IT security are the automation of malware analysis, threat detection, and log analysis, with automated response to threats also becoming increasingly common. Ponemon found that 79% of IT departments already use automation to some extent or plan to do so within the next three years.

The obvious conclusion is that jobs relating to these activities will be directly threatened by AI and automation, but the truth is likely to be somewhat different, according to Larry Ponemon, the Ponemon Institute’s chairman and founder.

“Contrary to the popular belief that the rise of automation will threaten the job market, organizations now feel these technologies will help ease the current strain on resources, and offer the potential to promote job security for highly skilled staff while strengthening cyber security defenses,” he said in a recent Ponemon Institute report.

Many companies have plans for strengthening their security postures, but when senior staffers are busy working on the front line of security reacting to incidents they have little time to implement these plans. AI and automation will increasingly allow these staffers the time to think about the big picture and evolve the security stance of their organizations.

There will also be an increasing need in 2020 for security experts who can manage, govern and integrate these AI-driven security systems.

What about DevSecOps?

DevSecOps will continue to flourish in 2020, and that means that developers with security expertise will be in high demand. But the demand for security experts with developer skills is also increasing, as organizations look at automating their security systems.

That means that anyone with existing DevSecOps experience will be in high demand, and specific language skills will also be sought after as script-based security processes proliferate. Particular language skills that will make it easy to walk into an IT security job in 2020 include:

  • Python
  • JavaScript
  • PHP
  • SQL
  • Bash
  • C and C++

Best areas to specialize

Regardless of how the economy develops in 2020, security jobs in certain specific industries and fields will be in particular demand. Here are some of the safest bets:

Critical infrastructure: Protecting critical infrastructure from cyber attacks is a matter of national security as well as corporate security, so companies in critical infrastructure industries will continue to boost their defenses against criminals and government-sponsored hackers. Critical infrastructure industries, as defined by the Department of Homeland Security, include chemicals, communications, energy, financial services, and twelve other industries.

Industries subject to complex regulations: Compliance with regulations such as the Payment Card Industry (PCI) regulations and the Health Insurance Portability and Accountability Act (HIPAA) means that security jobs in industries related to these regulations will be plentiful.

Risk management: All IT security activities are exercises in risk management to a greater or lesser degree, but some of the less glamorous ones are often overlooked – yet vital nonetheless. Valmiki Mukherjee, chairman of the Cyber Future Foundation, told CNBC that people with skills such as translating specific risks in dollar terms or business needs, or anticipating trends in regulatory affairs, will be ones where demand outstrips supply in 2020.

IoT security: The Internet of Things continues to proliferate at a prodigious rate. Thanks to the introduction of 5G wireless services, which are due to be rolled out throughout 2020, richer and more valuable data will be collected by IoT sensors. This data will be an increasingly tempting target to criminals, so IoT security skills will be particularly sought after.

Blockchain skills: Although still in its infancy, the use of blockchain technology for security purposes is just starting to become a reality. One of the first commercially available applications of the technology is in self-sovereign identity systems, but other applications are likely to follow in 2020. That means that anyone with blockchain skills will be well positioned to find employment in a security-related project in the next 12 months.

What all of this adds up to is another bumper year for the IT security job market in 2020, with vacancies for recent graduates and experienced practitioners plentiful and salaries increasing. Since cybersecurity threats show no sign of going away there will be strong demand for “boots on the ground” in the IT security job space and plenty of job security for many years to come.

CCPA Compliance Checklist & Requirements https://www.esecurityplanet.com/compliance/ccpa-compliance/ Wed, 20 Nov 2019 00:00:00 +0000

When the California Consumer Privacy Act (CCPA) – sometimes referred to as AB-375 – takes effect on Jan. 1, 2020, it will impose a host of obligations on all but the smallest companies that do business with California residents.

The risks for businesses that don’t comply with CCPA are severe: They can be fined up to $7,500 for each individual violation, and in the event of a data breach they can be forced to pay statutory damages of up to $750 per customer per incident, or actual damages – whichever is greater. While these baseline figures may seem small, the total damages from a single incident could add up to a very significant sum.

Strict data privacy laws come to the U.S.

CCPA is the latest data privacy law to take effect in the wake of the EU’s sweeping General Data Protection Regulation (GDPR) and heralds the arrival of strict data privacy regulations in the U.S.

The only organizations that are exempt from CCPA are ones that:

  • have gross revenues of less than $25 million;
  • and possess personal information about fewer than 50,000 consumers, householders and devices;
  • and earn less than half their annual revenue from selling consumers’ personal information.

All other companies, charities, and not-for-profit organizations must comply.

CCPA compliance requirements

The goal of CCPA is to allow California residents to know what personal information companies hold about them, and whether that data is sold or disclosed to other organizations. They have the right to tell companies not to sell their personal data, to access the personal data that a company holds about them, and to request that the organization delete the personal information that it holds about that person.

The definition of personal information is broad (but arguably not as broad as the GDPR) and includes names, addresses, IP addresses, biometric information, network information such as browsing histories, search histories, geolocation data and much more – but not information which is publicly available.

In order to comply with the Act, organizations have to provide adequate security for the data they hold, provide a “Do Not Sell My Personal Information” link on the front page of their website, provide a way for customers to request access to their data, including a toll-free phone number, and they must update their privacy policies to describe California residents’ rights.

Complying with CCPA

So what should companies have done, or be doing now, to prepare for the Jan. 1 CCPA implementation date?

The number one priority should be focusing on the security of the personal information that an organization holds, because of the risk of lawsuits and class actions from consumers following a data breach, according to Shahryar Shaghaghi, a CCPA expert at CohnReznick Advisory, a New York-based professional services and public accounting firm.

“This is the first and most important risk that companies are subject to,” Shaghaghi said in an interview with eSecurity Planet. That’s because the Office of the Attorney General of California will not impose sanctions for other forms of non-compliance until July 1, 2020, even though CCPA comes into force on Jan. 1, he said.

The Act calls for companies to implement reasonable security measures to protect personal data, so Shaghaghi said companies need to demonstrate that they have taken reasonable steps to achieve this. “That means they must have performed a security risk assessment, identified any security control deficits, and implemented mitigation strategies.”

Perhaps the most difficult thing to comply with as far as CCPA is concerned is that customers have the right to know what data an organization holds about them, and to request its deletion. Although that sounds innocuous enough, the reality is very different. That’s because companies may have information stored in many different data silos, they may have data stored with third parties with whom they have shared the data, and data may also be stored in the cloud.

“In order to be compliant with CCPA you need to carry out a data mapping exercise so you can see where you get your data from, and where it goes,” said Shaghaghi. “And if a customer requests its deletion then you have to respond in a certain amount of time, so you have to be able to understand what data you have and how you delete it.”

But this is complicated by the fact that companies are also subject to local requirements, Shaghaghi said. “Entities like the IRS and the FTC all have retention guidelines, and data may be subject to legal holds,” he said. “That means that an analysis has to be done before deletion, and you may have to go back to a customer and say that we cannot delete your data as you requested because of X, Y, or Z.”

The good news is that companies that have taken steps to comply with GDPR will already have carried out this data mapping exercise, so compliance with CCPA for them will be much easier.

CCPA enforcement

The big difference between GDPR and CCPA comes down to enforcement, according to Shaghaghi. Many organizations in the U.S. think that enforcement action by the EU would be difficult, but if they don’t comply with CCPA then they may have local U.S. governments coming after them too.

When it comes to ensuring that data is not sold to other companies when customers withhold permission for that, compliance is complicated by the fact that companies may be sharing or storing data with third parties, including service providers, Shaghaghi warned.

“If you take someone’s personal data then you own it, and if you then share it with a third party you are still responsible for it. That means you have to go back through all of your contracts with these companies and see what they are doing with the data and whether they are selling it. If they don’t agree not to sell it then you have no option but to terminate your contract with them,” he said.

Businesses also need to ensure that they comply with the requirements to ensure that privacy policies are updated and that their website also displays the mandatory links to information allowing customers to opt out of having their data sold. Although this is largely an administrative task, it can be extremely time consuming so companies need to start thinking about that as soon as possible and making plans for compliance if they have not already done so, Shaghaghi said.

‘Reasonable efforts’ important

Are U.S. companies doing enough to comply with CCPA? Shaghaghi said no company is 100% compliant – and in fact large organizations will probably never be fully compliant, such is the complexity of what would be required. “My view is that your efforts will be viewed as reasonable as long as you can demonstrate proactive measures that you have taken towards compliance,” he said. Companies need to think about the balance between the costs of compliance versus the risks of non-compliance, he added.

But companies shouldn’t just think about compliance; they should also think about their corporate culture. “If you go through a CCPA compliance process, you will have a more realistic privacy and security policy. And in the end, that will give you an advantage in the market,” he concluded.

Microsoft Cloud App Security (MCAS) Review https://www.esecurityplanet.com/products/microsoft-cloud-app-security/ Fri, 19 Jul 2019 00:00:00 +0000

See our complete list of Top CASB Vendors.

Microsoft entered the CASB market in earnest with the acquisition of Adallom in late 2015. Microsoft Cloud App Security (MCAS) is now a reverse-proxy-plus-API CASB available as a standalone offering and also as part of Microsoft’s Enterprise Mobility + Security (EMS) suite. Microsoft Cloud App Security is targeted at organizations of all sizes.

Notable features

  • Microsoft Cloud App Security is a user-based subscription service. Each license is a per user, per month license. Microsoft Cloud App Security can be licensed as a standalone product or as part of several different bundles, depending on organizational size and needs. Customers can also choose to license feature subsets of Microsoft Cloud App Security.
  • The service integrates with various Microsoft products to deliver capabilities such as integration with Microsoft Defender Advanced Threat Protection, which provides a single click deployment to enable the Discovery of Shadow IT directly from devices from within and outside of the corporate network.

Supported platforms and applications

Natively built into the Microsoft cloud platforms: Office 365 and Azure. Featured connectors support Box, Dropbox, Salesforce, ServiceNow, AWS, G-suite, Okta, Cisco WebEx, Workday, Workiva, Workplace by Facebook, Tableau, Slack, JIRA/Confluence, GitHub, Egnyte, CornerStone, Concur and others. Microsoft Cloud App Security supports any cloud app in proxy mode, allowing customers to onboard any public or LOB apps to its protection platform. In addition, on premises apps can also be integrated via the proxy, using Azure AD App Proxy.

Size limits

No limits

Security certifications

CSA Star (Gold level), EU-U.S. Privacy Shield, FISC, HIPAA/HITECH, ISO 9001, ISO/IEC 27001, ISO/IEC 27018, PCI DSS, SOC 1 and SOC 2 Type 2, SOC 3, UK G-Cloud

Delivery method

Cloud Service

Technology (API, proxy or hybrid)

Hybrid (API + Proxy) and log collection

Additional features

Microsoft Cloud App Security can take advantage of Microsoft Flow, enabling customers to use more than 200 first- and third-party connectors to automate the triage of alerts.

Pricing

Cloud App Security is available for purchase as a subscription for $5 per user per month as the estimated retail price. It is also a component of Microsoft Mobility + Security E5.

Bitglass Cloud Security: CASB Product Overview and Insight https://www.esecurityplanet.com/products/bitglass-cloud-security/ Fri, 19 Jul 2019 00:00:00 +0000

See our complete list of Top CASB Vendors.

Bitglass began shipping its CASB product in 2014 and remains independent. Its focus is on sensitive data discovery, classification and protection. It also includes several document management and protection capabilities, such as watermarking and encryption methods that support searching and sorting functions in SaaS applications. Bitglass Next-Gen CASB is aimed at SMBs to large enterprises.

Notable features

  • A combination of forward proxies, reverse proxies and API-integrations into cloud apps
  • Real-time threat protection that is capable of detecting zero-day malware at upload, download, and at rest using machine learning
  • Searchable cloud encryption that protects cloud data-at-rest
  • Zero-day Shadow IT Discovery automatically scrutinizes applications on the fly. Unmanaged app security renders any application read only, allowing employees to use the tools they need while preventing data leakage

Supported platforms and apps

Any cloud application or workload, including SaaS apps like Office 365 and Salesforce, IaaS platforms like AWS, Azure and GCP, as well as private cloud apps.

Use cases

Bitglass has found particularly strong interest in heavily regulated industries such as financial services and healthcare.

Size limits

There are no user number or throughput limits – Bitglass is deployed in AWS and is fully scalable.

Delivery method

Bitglass is primarily deployed as a cloud service, but can also be deployed via software installed on on-premises servers in certain niche use cases.

Technology (API, proxy or hybrid)

Hybrid

Deployment time

Bitglass can be deployed in an average of under 90 days.

Pricing

Starts at $2 per user per month for breach discovery and log analysis, with additional protections costing more.

Netskope for SaaS: CASB Product Overview and Insight https://www.esecurityplanet.com/products/netskope-for-saas/ Fri, 19 Jul 2019 00:00:00 +0000

See our complete list of Top CASB Vendors.

Netskope began shipping a CASB product in October 2013 and was one of the early CASB vendors that emphasized both cloud application discovery and SaaS security posture assessments. It includes well-developed behavior analytics and alerting within managed and unmanaged SaaS applications. Netskope for SaaS is aimed at enterprises.

Notable features

  • Netskope can be deployed either 100 per cent in the cloud, as an on-premises appliance, or via a hybrid configuration that includes both.
  • Cloud and web traffic is steered to Netskope for inspection using a patented all-mode traffic steering technology that provides several out-of-band and inline options. This is designed to ensure 100 per cent coverage for users on premises, mobile, and remote.
  • Real-time inline (proxy) capabilities include the ability to SSL-decrypt cloud and web traffic at scale in order to enable full visibility of data movement and user activities.

Supported applications and platforms

Netskope can secure and manage the use of thousands of cloud services — including sanctioned services like Office 365, Box and AWS, as well as unsanctioned ones like DocuSign.

Use cases

Automotive and manufacturing, financial services and insurance, government, healthcare and life sciences, legal, oil and gas, retail and hospitality, and utilities.

Size limits

Netskope’s cloud-native architecture is able to accommodate the requirements of the largest enterprises.

Security certifications

ISO 27001:2013, ISO 27018:2014, SOC 2, SOC 3, Cloud Computing Compliance Controls Catalog (C5), CSA Star – Cloud Security Alliance

Delivery method

Cloud service, appliance or both

Technology (API, proxy or hybrid)

API, proxy, and hybrid

Proofpoint CASB: Product Overview and Insight https://www.esecurityplanet.com/products/proofpoint/ Wed, 10 Jul 2019 00:00:00 +0000

See our complete list of Top CASB Vendors.

Proofpoint acquired FireLayers in 2017, adding CASB to Proofpoint’s threat response, mobile threat defense, remote browser isolation, and threat intelligence offerings. Proofpoint has a large installed base for its email security product; the target market for Proofpoint’s CASB is as an add-on for this installed base plus new customers not currently using Proofpoint products. Proofpoint CASB is aimed at small to large enterprises, from 300 users and up. It focuses on detecting and stopping threats, and access to risky services can be forced through a remote browser isolation mechanism that protects users, devices and applications from remote attack.

Notable features

  • Proofpoint CASB identifies top users at risk facing potential account compromise from threat activity across cloud and email.
  • The service combines contextual data, such as user device, location and login time, and user behavior analytics with global threat intelligence to detect cloud account compromise. Machine learning helps detect unusual access attempts, non-human brute force campaigns and suspicious file activities after an account is compromised.

Works with: Proofpoint CASB works with Office 365, G Suite, Box, Dropbox, Salesforce, Slack, AWS and more.

Size and scalability limits

None

Security certifications

SOC 1, SOC 2 and ISO 27001

Delivery method

Cloud Service

Technology

API, proxy or hybrid

Other features

Customers can enable their application APIs to access the Proofpoint service in minutes, and onboard customers’ application APIs in less than a day, the company claims.

Symantec CloudSOC: CASB Product Overview and Insight https://www.esecurityplanet.com/products/symantec-cloudsoc/ Wed, 10 Jul 2019 00:00:00 +0000

See our complete list of Top CASB Vendors.

Symantec added CASB capabilities to its portfolio in 2016 with the acquisition of Blue Coat Systems’ Perspecsys and Elastica. These two CASB products were merged to create Symantec’s current CASB offering, CloudSOC, which is aimed at enterprise customers with strong cloud discovery, usage monitoring and DLP needs. Gartner placed the solution among the leaders in its most recent CASB Magic Quadrant.

Notable features

CloudSOC offers a number of features enterprise customers will appreciate:

  • Cloud service discovery and usage is one of CloudSOC’s strongest capabilities, according to Gartner
  • Policy violation notices can include lists of approved cloud services and provide links for users to access them
  • Machine learning engines are included for application intelligence, transactional activity, user behavior analytics, and data loss prevention (DLP)
  • CloudSOC includes a wide range of predefined DLP selectors based on common data formats and types, dictionaries, file type detection, fingerprinting, and similarity matching that can be trained from a body of positive and negative content

Works with: Microsoft Office 365, Google G Suite, Box, Dropbox, Salesforce, Amazon Web Services, Microsoft Azure, ServiceNow, DocuSign, Jive, GitHub, Slack, Cisco Webex Teams, Workday, Yammer, and more.

Technology (API, proxy or hybrid): API, proxy

Use cases

CloudSOC is used by many industry verticals, among them finance, healthcare, telecom, services, retail, manufacturing, technology and consulting. It is a good fit for organizations with heavy cloud use or that are migrating to cloud use and want protection over all their corporate resources. CloudSOC is also popular with organizations wanting a single integrated DLP solution that can protect their data in the cloud, at the endpoint, in email, in the data center, and on the network.

Security certifications

SOC-2; FIPS; ISO 27001 and FedRAMP in process; CSA STAR Certification; Slack Security Partner; Google Cloud Partner; Microsoft Partner; Dropbox Technology Partner; Webex Teams Partner; AWS Advanced Technology Partner (Jan 2019); Box Partner

Features in depth

CloudSOC is a multimode CASB with strong visibility, data security, and threat protection capabilities. It offers granular access control, data security, and threat protection for the use of virtually any public cloud service. With the integrated Symantec Secure Access Cloud, CloudSOC can also provide CASB protection over use of web apps hosted in private cloud or hybrid data centers. CloudSOC claims a unique ability to protect corporate resources across SaaS, IaaS, private cloud, and hybrid data centers.

Visibility: CloudSOC discovers and monitors Shadow IT use of cloud apps based on log ingestion. It can input logs from virtually any type of system, including firewalls, proxies, endpoints, SIEM systems, and more. It comes with an extensive intelligence system on cloud apps that is refreshed every two weeks to maintain accuracy. It tracks around 300 app and risk attributes and maintains details on more than 40,000 unique apps (a unique app can be represented by multiple domains). CloudSOC also offers discovery and intelligence on mobile apps in addition to cloud server-side apps. Integration with Symantec Secure Web Gateway products can provide additional control and protection.

Data Security: CloudSOC claims a highly accurate, data science-driven DLP to protect data in public and private clouds. Customers can use the ContentIQ system built into CloudSOC or they can protect all data anywhere with tight integration with Symantec’s DLP solution.

Threat Protection: CloudSOC uses Symantec’s anti-malware, file reputation, cloud sandbox, and URL reputation technologies to protect against threats infiltrating and attempting to proliferate via cloud apps. It also comes with an intelligent UEBA capability that automatically identifies high risk and compromised users. It tracks each user with a dynamic ThreatScore and presents a Threat Map for each user so CloudSOC admins can often identify a problem and diagnose the issue at a glance. Automated policies can also take action quickly if a user account suddenly becomes high risk.

McAfee MVISION Features & Pricing https://www.esecurityplanet.com/products/mcafee-mcvision/ Fri, 05 Jul 2019 00:00:00 +0000 https://www.esecurityplanet.com/2019/07/05/mcafee-mvision-cloud-casb-product-overview-and-insight/

See our complete list of Top CASB Vendors.

McAfee entered the CASB space with the acquisition of Skyhigh Networks in 2018. The product was renamed McAfee Skyhigh Security Cloud, and is now known as McAfee MVISION Cloud. The agentless CASB product offers threat protection and data loss prevention for large and very large enterprises (more than 1,000 employees), along with specialized offerings such as a dedicated GDPR tool for companies regulated by the EU data protection law. It is best for financial, healthcare and government markets, and others with internal policy and compliance requirements.

Notable features

McAfee MVISION Cloud offers:

  • API integration to cloud services for real-time control over user access, collaboration and data, along with forward and reverse proxy modes to enforce control over shadow IT and personal device access to the cloud.
  • Machine-driven user and entity behavior analytics (UEBA) to identify threats to cloud environments, including credential theft, insider threat, and privileged user escalation.
  • Continuous auditing of IaaS environments against Center for Internet Security (CIS) benchmarks for secure configuration, and the ability to automatically update the IaaS platform with the correct configuration.

The CASB product offers pre-built integration for dozens of applications, including Microsoft Office 365, Microsoft Teams, Salesforce, ServiceNow, Box, AWS, Microsoft Azure, Google Cloud Platform and Dropbox, plus a CASB Connect and Custom App Framework that simplifies MVISION Cloud integration into additional long-tail cloud service providers and apps.

Scalability

MVISION Cloud’s largest customer has more than 150,000 users and the product can scale as needed.

Security certifications

FedRAMP, NIST, PCI, GDPR, HIPAA, SOC2, ISO 27001 certification, ISO 27018 certification

Delivery method

Cloud service

Technology (API, proxy or hybrid)

API, proxy, and hybrid

Other features

  • Simple push of data classifications and policies from endpoints to the cloud for unified data loss prevention (DLP)
  • Integration with McAfee ePO for data loss prevention and incident management
  • Allows end users to self-remediate DLP incidents, taking the burden off IT

Data Storage Security: Best Practices for Security Teams https://www.esecurityplanet.com/cloud/data-storage-security-best-practices-for-security-teams/ Thu, 06 Jun 2019 00:00:00 +0000 https://www.esecurityplanet.com/2019/06/06/data-storage-security-best-practices-for-security-teams/

Data storage security involves protecting storage resources and the data stored on them – both on-premises and in external data centers and the cloud – from accidental or deliberate damage or destruction and from unauthorized users and uses. It’s an area that is of critical importance to enterprises because the majority of data breaches are ultimately caused by a failure in data storage security.

Well-designed data storage security is also mandated by various compliance regulations such as PCI-DSS and the EU’s General Data Protection Regulation (GDPR), thus adding legal weight to storage security demands. Increasingly, security companies are tailoring security solutions to help companies comply with those regulations, such as the growing market for GDPR solutions.

In general, good data storage security minimizes the risk of an organization suffering data theft, unauthorized disclosure of data, data tampering, accidental corruption or destruction, and seeks to ensure accountability and authenticity of data as well as regulatory and legal compliance.

Threats to data security

Before looking at how to implement data storage security, it is important to understand the types of threats organizations face.

Threat agents can be divided into two categories: external and internal.

External threat agents include:

  • Nation states
  • Terrorists
  • Hackers, cybercriminals, organized crime groups
  • Competitors carrying out “industrial espionage”

Internal threat agents include:

  • Malicious insiders
  • Poorly trained or careless staff
  • Disgruntled employees

Other threats include:

  • Fire, flooding and other natural disasters
  • Power outages

Data storage security principles

At the highest level, data storage security seeks to ensure “CIA” – confidentiality, integrity, and availability.

  • Confidentiality: Keeping data confidential by ensuring that it cannot be accessed either over a network or locally by unauthorized people is a key storage security principle for preventing data breaches.
  • Integrity: Data integrity in the context of data storage security means ensuring that the data cannot be tampered with or changed.
  • Availability: In the context of data storage security, availability means minimizing the risk that storage resources are destroyed or made inaccessible either deliberately – say during a DDoS attack – or accidentally, due to a natural disaster, power failure, or mechanical breakdown.

How to protect data storage assets

The relevant international standard for storage security is ISO/IEC 27040, which calls for the application of physical, technical and administrative controls to protect storage systems and infrastructure as well as the data stored within them. It notes that these controls may be: preventive; detective; corrective; deterrent; recovery; or compensatory in nature.

The bottom line, according to the Storage Networking Industry Association (SNIA), is that ISO/IEC 27040 defines best practices that ultimately set the minimum expectations for storage security.

Data storage security: Physical controls

Physical controls are designed to protect storage resources and the data they contain from physical, as opposed to logical, access by unauthorized or malicious persons.

These physical controls come in many forms but may include:

  • Guards or other security personnel monitoring data centers and storage resources to prevent unauthorized access
  • CCTV monitoring with video retention
  • Access controls such as biometric readers or smart card readers to prevent unauthorized access, along with anti-tailgating/anti pass-back turnstile gates that permit only one person to pass through after authentication
  • Internal environment monitoring using systems such as temperature sensors and smoke detectors
  • Alternative power sources such as a backup generator

Data storage security: Technical controls

Technical controls include many of the security procedures that are familiar to IT security professionals such as network perimeter security measures, intrusion detection and prevention systems, firewalls, and anti-malware filtering.

In relation to data storage security in particular, the following controls are recommended:

User authentication and access controls: SNIA recommends focusing much of the data storage security effort on user authentication and access controls to help provide secure access to authorized users while keeping unauthorized users out. Many commercial user access and control security systems are available to protect storage resources and data, and best practices dictate taking the following precautions in particular when using them:

  • Changing all default credentials
  • Avoiding the use of shared credentials, which make accountability difficult or impossible
  • Ensuring that users have the minimum privileges they need to carry out their role
  • Ensuring that user access rights are retired automatically as part of the HR termination process when employees leave or are transferred to a new role

Traffic profiling: One of the most useful controls that can be applied to data storage security is the profiling of normal data access and movement patterns so that anomalous or suspicious behavior can be detected and flagged for closer investigation. This can be achieved using user and entity behavior analytics (UEBA) software, which is increasingly being incorporated into security information and event management (SIEM) solutions.

Monitoring and reporting: SNIA recommends implementing effective monitoring and reporting capabilities, including enabling application as well as systems logs, to help detect and understand security breaches and prevent similar ones in the future.

Protection of management interfaces: Many organizations set controls to protect data storage resources and data from unauthorized access while forgetting to secure the management systems themselves. This could enable an attacker to set themselves up with access credentials or elevate their privileges, enabling them to access data that they should not.

This is by no means a comprehensive list of technical controls. Other storage security measures that should be considered include:

  • Strong encryption for data both at rest in storage systems and in motion on the network. This needs to be applied with an effective key management system.
  • Endpoint protection for all PCs, laptops and other devices that can access data to minimize the risk of malicious software being installed that could compromise stored data.
  • Special measures to protect databases that contain credit card information and other valuable or commercially sensitive data. Database security best practices include database hardening, the use of database firewalls, database activity monitoring and other database security tools.
  • Effective lifecycle management for data and storage devices, which ensures that data is securely deleted (including from the cloud) when no longer required. This follows the principle that attackers cannot compromise data that is no longer there. A procedure should also be in place for the secure deletion or destruction of obsolete storage media.

Storage Security: Administrative controls

Administrative controls come down to the three Ps: Policy, Planning, and Procedures, all of which play an important role in data storage security. In particular, security policies for data should include where different types of data can be stored, who can access it, how it should be encrypted, and when it should be deleted.

SNIA recommends considering:

  • Incorporating storage considerations into policies after identifying the most sensitive and business-critical data categories and their protection requirements
  • Integrating storage-specific policies with other policies where possible
  • Addressing data retention and protection
  • Addressing data destruction and media sanitization
  • Ensuring that all elements of storage infrastructure comply with policies

Compliance considerations for data storage security

Depending on the industries your organization operates in, and the countries in which it does business, your company may be subject to one or more regulations that have implications for storage security, including PCI-DSS, Sarbanes Oxley, HIPAA, and GDPR, among others.

Penalties for failing to protect data under these regulations can be severe – including heavy fines and custodial sentences – yet in some cases they do not prescribe specific security measures.

For example, encryption is mentioned in GDPR, but its use is not mandatory. But in the case of a serious breach, the fact that encryption was not used would reflect badly on an organization, and could even be used to establish that insufficient measures were in place to comply with GDPR.

Other regulations are more specific. For example, PCI-DSS requires that cardholder data be encrypted when transmitted across open public networks.

The key thing to remember is that regulations are designed to help ensure that security is effective. Attaining regulatory compliance does not mean that an organization is secure, but it is very rare that measures taken to ensure compliance would make an organization less secure than it otherwise would be.

Cyber Security Jobs & Salary for 2021 https://www.esecurityplanet.com/networks/cyber-security-jobs/ Thu, 03 Jan 2019 00:00:00 +0000 https://www.esecurityplanet.com/2019/01/03/2019-it-security-employment-outlook-the-hottest-skills-and-markets/

With a global cybersecurity staffing shortage of 3 million and growing, including a need for 500,000 IT security pros in North America alone, IT security jobs are going to be in plentiful supply again in 2019, and those with the right skills will be able to take their pick.

The shortage of security talent isn’t putting a dent in demand, as eSecurity Planet’s 2019 State of IT Security survey found that 57 percent of organizations plan to hire security staff in the next year.

Inevitably some IT security skills will be more in demand than others, and to understand where the specific skill hotspots are likely to be, it’s necessary to understand what the most important security issues are, a good reason to start with our 2019 IT Security Outlook.

Here, then, are the most in-demand cybersecurity skills, along with the metro areas that have the most job openings and where the highest pay can be found.

Cybersecurity skills in demand

These are the areas of cybersecurity where security pros are likely to be most in demand.

Skills shortage, compliance drive demand for services

The skills shortage itself will be one of the big drivers of the security job market, fueling demand for outside IT security consultants. Gartner believes that regulatory requirements like the EU’s General Data Protection Regulation (GDPR) are driving continued growth in the security services market, and consultants with GDPR/CCPA expertise will be in high demand. At least 30% of organizations will spend on GDPR-related consulting and implementation services through 2019, Gartner predicts.

Gartner believes data privacy concerns will drive at least 10% of market demand for security services through 2019 and will impact a variety of segments. The analyst firm expects particularly high demand for people with skills in privacy-related security areas such as identity and access management (IAM), identity governance and administration (IGA) and data loss prevention (DLP).

Data protection grows in importance

Data protection rather than intrusion prevention is increasingly becoming a focus of IT security professionals, because there is a growing recognition (thanks in no small part to the need to comply with stringent regulations such as GDPR) that a security strategy based on “keeping adversaries out” is not practical. As companies move from focusing on perimeter protection to data-centric security, there will be a need for a large number of people with data protection skills.

AI skills on the rise

Artificial intelligence (AI) will become increasingly important in the field of IT security, including offering the potential to detect and automate responses to a variety of threats. On the face of it, the use of AI would appear to be a replacement for people with IT security skills, but it will also spur demand for IT security professionals with AI knowledge and practical implementation and configuration skills.

Clouds are in the forecast

Cloud security is becoming an issue for an increasing number of organizations because more and more are using cloud services, moving some of their operations to the cloud, and offering cloud-native applications that may span both their own data centers and public clouds. While the security of cloud services is the responsibility of the service provider up to a point, the security of corporate data that is used in the cloud is the responsibility of cloud security experts, and these will be in high demand.

Blockchain skills in short supply

Blockchain technology may not be such a trending topic thanks to the crash in cryptocurrencies such as Bitcoin that are built on top of it. But the technology itself is here to stay and will likely become a bedrock on which many security systems are built. Possible applications include hardware and software supply chain integrity, control of mobile and IoT devices, network control, and even identity solutions. Blockchain technology skills will therefore be in high demand and are likely to be in particularly short supply for the foreseeable future.

Forensics could fight cyber-espionage

Economic cyber-espionage will become more prevalent, due in no small part to U.S.-China trade tensions, Forrester Research predicts. “No matter how sophisticated your internal teams and tools are, you’ll be up against determined adversaries with access to a government’s resources,” the research firm warns. It therefore expects a high demand for IT security forensics experts who can detect breaches and help their employers prevent and respond to attacks.

Women will gain ground

Women will increasingly land top IT security jobs in 2019, with 20% of the CISO roles in Fortune 500 companies filled by women, compared to just 13% in 2017, according to Forrester. In part this will be because women are chronically underrepresented in the IT security space, and the skills shortage will force organizations to work for a more inclusive culture. And as more women take top jobs in IT security, more are likely to see that opportunities exist and join the security ranks.

IoT still a headache

The Internet of Things (IoT) is no longer an exciting up and coming trend. While the hype surrounding the technology has largely subsided, the billions of devices around the world have not. They still need to be secured, and anyone with IoT security skills is likely to be in high demand in 2019.

Where are the IT security jobs?

To understand where cybersecurity job opportunities are, it is helpful to study job postings, and an analysis carried out by Indeed.com shows that vacancy hotspots exist in tech hubs on both the East and West coasts, as well as cities in the South and Midwest.

Indeed’s research shows the metro areas with the most cybersecurity job postings, by ranking, are:

  1. Washington DC
  2. New York, NY
  3. Dallas-Fort Worth, TX
  4. Baltimore, MD
  5. Chicago, IL
  6. Atlanta, GA
  7. Boston, MA
  8. San Francisco, CA
  9. Los Angeles, CA
  10. San Jose, CA

Perhaps the most surprising thing about these results is that tech hotspots San Francisco and San Jose are not near the top, but on second glance the numbers make sense.

Washington, D.C., after all, is a tech hub in itself, and is home to IT security departments protecting the federal government, the defense industry, and other large nonprofits and nongovernmental organizations, Indeed.com points out. And New York is the financial capital of the U.S.

The next three are not obvious tech hubs, but Dallas-Fort Worth is home to 22 companies in the Fortune 500, including AT&T, American Airlines, and ExxonMobil, while Baltimore is home to 15,000 social security and medical centers for Medicare and Medicaid service employees as well as a number of universities and medical centers.

Where are the highest-paid security jobs?

Indeed.com also looked at the average salaries on offer, revealing that the big money for IT security jobs is to be found in San Francisco, San Jose, Chicago, and New York.

But of course that’s not the whole story, because the cost of living in cities like San Francisco and New York can be astronomical when rent, transportation and even the cost of groceries are taken into account.

When you adjust the average salaries on offer for the cost of living, a very different picture emerges. When it comes to the average salary adjusted for the cost of living in a particular metro, the best-paid IT security jobs turn out to be in Charlotte, N.C., and Chicago, Ill., and only then do the high salaries on offer in San Francisco make up for the high cost of living to put it in third place. San Jose and New York only barely make it into the top ten.

The full ranking of adjusted IT security salaries is:

  1. Charlotte, NC
  2. Chicago, IL
  3. San Francisco, CA
  4. Austin, TX
  5. Denver, CO
  6. Philadelphia, PA
  7. Boston, MA
  8. Baltimore, MD
  9. San Jose, CA
  10. New York, NY

Which IT security roles are in demand?

The top two roles that were advertised for in much of 2018 (and likely to carry through into 2019) according to Indeed.com were:

  • IT security specialist
  • Information security analyst

This ties in with the fact that there is huge demand for all kinds of IT security professionals. But the next three are more illuminating:

  • Network security engineer
  • Security engineer
  • Application security engineer

This reveals that good old fashioned network security is still front and center in many organizations’ minds, and that practical security engineering skills are still highly sought after.

What are the best-paid IT security jobs?

According to recruiter Robert Half, Information Systems Security Managers can command the biggest bucks, with a midpoint salary of about $140,000. For that, candidates will need a technical background in systems and network security, and probably a certification such as Certified Information Systems Security Professional (CISSP) or CompTIA Security+.

Just below that in the earning stakes is the position of Data Security Analyst, with a salary midpoint of about $125,000. To get this role candidates need thorough knowledge of system and network security, including firewall administration, encryption technologies and network protocols. A CISSP certification is also likely to be required.

Overall the employment outlook for IT security professionals of all kinds in 2019 looks extremely rosy, and there may never be a better time to start a career in IT security, or to look for a new job to progress up the career ladder. And since the IT security skills shortage shows no signs of disappearing, the excellent employment prospects for IT security professionals may continue well into the next decade.
