Recent Posts

Sailing as an infosec lesson

Last Thursday I took my CRISC exams and - the restless person I am - I had already arranged to take sailing classes over the weekend. I always wanted to take sailing classes, and I had gone sailing once several years ago when I was still living in Greece. My idea was that when I grow old I will buy a small sailing boat and sail around my beloved Crete.

Steps in no-man's land

Some major breaches have seen the light of day lately, and everybody agrees that they will keep coming. I don't believe you will find any self-respecting security professional who will tell you that this will stop. The reasons are many, but the most important one is the (lack of) security design. Systems, processes and services have been moving to production without security design for years. And unfortunately in many cases they still do.

In our (security) profession it is becoming common to jump at each other's throats; and the result is the public blaming of the CISO involved - like leaving them alone to take some hard steps in the middle of no man's land.

Building up a SOC - the candidate challenge

Building a Security Operations Center from scratch is not an easy thing. But since it's not the first time I'm doing it, I am familiar with the challenges. These challenges include building the processes in a company-adjusted manner, and selecting the toolset and integrations to match the company's enterprise architecture, network architecture and of course my own security architecture. But nowadays, due to the significant skill shortage in cybersecurity, the major challenge is finding the right people.

Studying again

Whoever knows me can tell you: I enjoy learning. I enjoy it so much that I'm always looking for opportunities to learn more on any random subject that I find interesting. Lately, i.e. the last two or three years, I find psychology to be very interesting. I was even thinking of taking a degree in psychology and information security (aka social engineering :)) but with my work schedule it seems to be a difficult task. Let's park this thought...

Recruitment: A failed industry?

The discussion about talent and skill shortage in areas such as IT and mainly Information or Cyber Security is getting significantly more intense. At the same time, unemployment in the EU ranges from 5% to 25% (1). And the usual time to fill a position is over 3 months, and in some cases can reach even a year (2), with the interview process alone taking close to one month in most countries (3, 4). These are alarming indicators about how effective the recruiting industry is - or is not.