Developing Cyber Security Personnel
～What is the key to success?～
Advanced Persistent Threat (APT) attacks that target specific companies or organizations are increasing in number around the world. In the era of IoT when all things will be connected to the Internet, damage from cyber attacks will not be limited to single companies; it will affect all of society. For many years NEC has been maintaining and improving its multilayered and dynamic cyber security measures in order to protect the important information assets and systems of its customers. In this roundtable discussion, the key people working on the front lines talk about their efforts to reinforce our systems, and how to develop advanced cyber security personnel.
Cyber security personnel are not developed in a day. The front lines of security personnel development as told by pioneers in the field.
Since cyber attacks are becoming more sophisticated by the day, NEC has been reinforcing its development of security personnel in order to improve security measures for products, systems, and services, and also to contribute to the safety and security of its customers in many different fields. We asked Tetsuji Tanigawa and Takeo Tagami—both of whom have been working in the systematic development of security personnel since the dawn of security measures when there were no role models available—about the importance of developing security personnel and the keys to doing so.
People create both the threats and the measures
Damage from cyber attacks is increasing around the world. It is necessary to reinforce cyber security measures from many different points of view, and urgently develop personnel dedicated to cyber security. Executive Security Specialist Tetsuji Tanigawa of the NEC Management Information Systems Division and Cyber Security Strategy Division gave us some background to this topic.
"APT attacks, unauthorized access, and denial of service attacks that have been increasing recently cannot be prevented with conventional methods such as firewalls and security patches," he says. "This is because the attack methods change dynamically."
To respond to these ever changing attack methods, the IT departments and Computer Security Incident Response Teams (CSIRTs) at companies collect intelligence (information), analyze attack methods, and find solutions that can lead to effective protective measures.
"Security personnel are required to have special skills that differ from general IT engineers, such as information collection and diagnosis, monitoring, incident response, forensics, and analysis skills," says Tanigawa. "They must also have the same level of knowledge and abilities as the attackers in order to respond to the attacks. This is why personnel that specialize in cyber security are necessary."
There is always an attacker in a cyber attack. To cope with attackers who do not show their hand and who always try to do the unexpected, "protectors" who can use technology and information to respond in different ways are necessary. Because both the threats and the responses to the threats come from people, another key point in addition to technology and information is the quality of the people.
The importance of personnel development is pointed out in the "Cyber Security Management Guidelines"
The importance of developing security personnel is also emphasized in the "Cyber Security Management Guidelines" jointly issued by the Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency (IPA) in December 2015.
Specifically, the Guidelines position cyber security as an important management task, and identify three cyber security principles that top management must adopt: (1) demonstrate leadership in security measures, (2) implement business-wide measures that include the supply chain, and (3) implement appropriate communications, such as information disclosure and sharing.
"With the increasing number of cyber attacks every year, it is becoming more difficult to acquire cyber security personnel with advanced skills," says Takeo Tagami, Senior Manager in the NEC Management Information Systems Division and Cyber Security Strategy Division. "This is why the government is emphasizing that top management must clearly understand the need for such people, create a career path that allows security personnel to demonstrate their abilities, and develop mechanisms and systems to provide continuous training and education."
"Bridging personnel" who can connect top management with front line personnel
However, not just anybody can become cyber security personnel. In many cases cyber attacks come from overseas, and the perpetrators are located in places where the Japanese police do not have authority. They also carry out complex attacks that are impossible to predict.
"To handle these complex and advanced attacks, the responders must acquire a big picture of the entire attack, have the knowledge and sensitivity to make detailed technological adjustments, and the strong will and enthusiasm to devise measures without breaking down under pressure," says Tanigawa. "I believe that these are the necessary requirements for cyber security personnel."
Furthermore, there is more than one type of cyber security personnel. NEC defines a "security engineer" as a person with specialized cyber security knowledge and the skills to cope with attacks. This category includes "analysts" who can stop various types of cyber attacks with a wide range of knowledge and analytic skills, and "top guns" who have extremely advanced skills.
In addition, there are "bridging personnel" who in their role as security engineer leaders must have both management and consulting abilities, and act as a bridge between top management and actual front line personnel. This level of personnel is also deemed necessary in Japan's national policy and Management Guidelines.
"To utilize cyber security concepts in all corporate operations, top management and front line personnel must both share the problems they are facing with regard to cyber security, and the direction that solutions need to take," explains Tagami. "Bridging personnel explain the risks within the company to top management and the Chief Information Security Officer (CISO) in language that they can understand, make proposals for security investments based on front line problems, and reflect the will of top management in the front lines."
Developing this level of personnel requires considerable time and the right environment, because these people are specialists who require comprehensive abilities that include advanced knowledge about IT and security, and management skills.
Early development of hybrid personnel
Since NEC has made the security business one of its management pillars, how does it develop its security personnel?
"We have been developing security technologies for some time, but a major turning point was in July 2002 when we introduced the CSIRT, which would act as the command post for cyber security measures," explains Tanigawa. "That is when we started collecting and storing information about potential internal vulnerabilities, honing our technological capabilities and acquiring experience, and connecting with external organizations."
At the same time, NEC was steadily strengthening its CSIRT personnel and organization. From 2011 the number of targeted attacks grew rapidly, and even if the attacks were detected, there were not sufficient personnel available to cope with all of them. It was then that, as part of its CSIRT activities, NEC defined a skill map of the special skills necessary, proactively recruited personnel with advanced skills from Group companies, and accelerated efforts to develop security professionals.