#RSAC Interview: SANS Institute’s Rob Lee Discusses the State of Technical Skills in Cybersecurity

Written by

While there is a growing appreciation of the need for soft skills in cybersecurity, the industry remains, at its core, deeply technical. Areas such as incident response, threat hunting, digital forensics, vulnerability and exploit discovery and intrusion detection/prevention are becoming increasingly pivotal amid surging cyber-threats. During this year’s RSA Conference 2022Infosecurity caught up with the SANS Institute’s chief curriculum director and faculty lead, Rob Lee, to discuss trends being seen in respect of these technical aspects of cybersecurity and how this field can be improved.

Lee highlighted how the shift to remote work during COVID-19 has made it harder to watch attacker activity, who now have many more entry points into an organization. This is due to two main factors – the move to the cloud and a dispersed workforce “sitting on a plethora of crucial data on multiple devices.”

Another issue for security teams in conducting activities like threat hunting is ensuring they are equipped with the right skills. Lee noted that while many cybersecurity professionals have a lot of experience, some of their skills are outdated and need updating amid rapidly evolving technologies. “The laws of gravity have changed, and they need to reskill and get their skills upgraded to the latest technologies. People who used to do perimeter defense and firewall tuning – those skills are antiquated right now,” he warned. This includes in the area of cloud security. Unfortunately, “organizations really haven’t done a good job with workforce development,” he stated.

Lee observed that as the “laws of gravity are constantly changing in cybersecurity,” a number of soft skills are required among those entering even deeply technical roles. These include passion, illustrated by “the capacity to learn and desire to be an expert.” Another is persistence, continuing to learn complex tasks when they are finding it difficult and frustrating to do so. “Everyone’s in the same boat – someone who’s worked in the industry for 20 years or someone who’s at month one,” noted Lee. “They need to have the attitude of ‘I’m going to work through my frustration.’ If you get anyone who does that, they will be OK.”

As part of this process, organizations need to consider: “Am I consistently retraining my workforce and giving them the right skills to meet the ongoing cybersecurity demands?”

Technologies such as automation have great potential to enhance cybersecurity teams’ capabilities in areas like threat hunting. However, combining these tools with human skills is a big challenge for all organizations, according to Lee. He believes organizations’ technology investment should focus on understanding “why they may be a target.” In particular, identifying those threat actors most likely to target them and the techniques they use “and then tuning your senses to looking for those sorts of attacks.” Therefore, “growing investment in those threat intelligence streams is the most important way organizations can improve their security today.”

Finally, the discussion turned to the topic of incident response. Lee said the biggest issue with how organizations undertake incident response is that “most executives do not understand the strategy of choosing the least worst decision.” Instead, they are looking to get through cyber incidents unscathed, “which is nearly impossible.” Either acting too slow or too soon can worsen the problem, making this the “ultimate catch-22 for organizations.”

Lee commented: “This is one of the reasons I recommend organizations go through incident table-top exercises so they’re able to understand that a loss is about to happen – it’s a case of how bad of a loss do you want to endure.”

Lee also emphasized the importance of using threat intelligence to learn from cyber incidents – something that often does not occur. “It frustrates a lot of incident responders because it’s a never-ending cycle of playing whack-a-mole until the attackers get their way.”

What’s hot on Infosecurity Magazine?