Mining the 2019 Verizon Data Breach Report for Cybersecurity Career Guidance
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
Last week Verizon published the 12th edition of its annual Data Breach Investigations Report (DBIR). This report, looked forward to every year by security professionals, highlights the previous year’s 41,686 security incidents and 2,013 data breaches, as investigated by Verizon and its 66 partners. The report doesn’t cover every breach, since Verizon doesn’t investigate every breach, but it does have a more than adequate sample size. Most of the information is statistical in nature; specific victims and attacks are not described. The report also has no explicit information on cybersecurity careers. That’s why I connected the dots to create this blog post on cybersecurity career guidance.
Last year’s security failures will be this year’s hot topics in organizations that do not want to be in the 2020 report. These are the types of organizations you might want to work for. I looked for trends and nuggets of information in the Report that would inform a career planning exercise. Three nuggets are contained in this blog post.
43% of breaches involved small businesses. Verizon defines a small business as one with fewer than 1,000 employees. Some people call this the SMB (Small and Medium Business) market. In any case, does that mean that there are many new career opportunities in such businesses? Probably not. These businesses are looking to outsource security functions to Managed Security Service (MSS) vendors of various types. That’s where the primary job opportunities will be. Gartner estimates that the MSS provider market was $10.7B worldwide in 2018. Not all of this was focused on small businesses, since larger firms also make use of these outsourcing services.
What are the categories of MSS firms? [1] Gartner splits the market into two categories: (1) threat detection and (2) vulnerability management. Additionally, many traditional IT outsourcers and system integrators who support SMB customers are also adding security monitoring and configuration services to their portfolios. Threat detection includes monitoring of events across the organization to identify attackers; the end client is notified in the event of active threats. As an additional service, the vendor may respond to the discovered event, for example by disconnecting the compromised machine. Vulnerability management includes scanning the client’s assets and potentially remediating (patching) any vulnerabilities discovered.
16% of breaches were of public sector entities, second only to SMBs. The increased number of attacks attributed to state-sponsored entities means that the public sector will come under more attacks. Such attacks involve voting systems, espionage and other nation-state compromises. The public sector has its own security operations issues. According to the DBIR, data breaches are 2.5 times more likely to go undiscovered for years in the public sector than in the private sector. Traditionally, jobs in the public sector offer lower compensation than private sector jobs. However, the recent Executive Order discussed in the last blog post is focused on improving job opportunities in the Federal, state and private sectors. Given the increasing seriousness of the nation-state attacks, I believe that the Federal sector will be a great opportunity for new cybersecurity talent.
Cybersecurity tasks are changing; more emphasis must be placed on security incident prevention. This is not a revolutionary idea, but please read on. The five-step NIST Cybersecurity Framework playbook includes: identify risks, protect the enterprise, detect threats, respond to threats and recover from attacks. Incident prevention comprises the identification of risks and protection. In the past few years industry marketing has focused more and more on detecting and responding to threats. The accompanying mantra has been: you will be hacked, so just learn how to respond effectively. Detection and response have given prominence to tools such as SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response). Undoubtedly these tools are important. But finding real security threats is like finding needles in needle stacks. We may need to revise our dependence on detection and put more focus, again, on prevention. To justify this radical conclusion, look at the latest data.
The DBIR data indicates that exfiltration of data still occurs within minutes of a successful attack. But the data also shows that detection of breaches still takes months to years, and this is after several years of emphasis on the problem. It appears that SOC analysts and AI systems are not yet up to the task of identifying the real attacker from the deluge of false positives.
A new category of tool, and a corresponding job category, has arisen that may strengthen the prevention of incidents. These tools are known as breach and attack simulation (BAS) tools. Today’s problem is that the first round of security defense testing is often done by hackers. Some point-in-time testing is done through penetration testing. We need to do more comprehensive, continuous and consistent testing internally. Experts who can use these BAS tools to continuously assess the security controls of enterprises will be in great demand.
If you are a new or experienced security professional, you should peruse the 2019 DBIR and focus on the areas of interest that match your activities and industries.
[1] “Foundational Elements to Get Right When Selecting a Managed Security Service Provider,” Gartner, February 2019.