This will not come as a surprise to many of you, but there’s a current shortage of cyber security experts out in the field, which is causing job vacancies all over the country. Over the years, we’ve seen the demand for cyber security professionals spike dramatically as organizations realize there’s a problem, and are actively looking to recruit people for these positions. This, of course, leads to a shortage in people that can fill the jobs with the experience they’re looking for. The problem isn’t going away and the threats and risks continue to grow on a daily basis, but now that organizations realize that they have to protect themselves, they’re faced with yet another challenge: The shortage of cyber security professionals.
It can take multiple months to a year to fill certain positions within the geographic area the company is looking to hire, and many companies need to start looking outside their comfort zone to recruit good talent. By allowing the ability for security managers, engineers and analysts to work remotely opens up the possibility of finding the talent that you’re truly requesting and not have to settle for a resource that might not be everything you’re looking for in a candidate, just because they’re local. This goes against the mold of many companies these days, but with the hiring crisis in cyber security, spreading a wider net across the country, or beyond, will allow for a wider scope of candidates to be selected from. Many times there is no direct need to have someone physically sitting in the organization in order to get the work completed. It’s always nicer to have someone you’ve met physically to be in the building, but if you’re not able to hire top-notch cyber security talent, it might be worth attempting to reach out to the world at large and see if building a team with remote access would we worth securing your organization in the long run. Here are a few suggestions for building a remote security team:
Whoever is managing this team needs to be in constant communication with the other team members. There isn’t the ability for you to walk over to an employee’s cube and speak to them, and vice versa, so constant contact with each other is necessary to verify that the lines of communications are open. This includes secure IM, webcams, email and texting. By bringing in this communication to the engineers across the nation, it allows you to setup the comradery that would be developed within the office. It also assists with being able to work on security incidents as they arise and how to handle them, with proper escalation, etc. Setting up tasks in workflow management allows for a good understanding of what’s being completed, too.
Daily Stand Up Meetings
This is where everyone gets together, either via phone or webcam, to explain what they worked on yesterday, what they’re working on today and if there are any blockers in their projects, etc. This doesn’t have to take long but gives the manager and engineers an understanding of how the department is flowing and allows for people to collaborate even further. These shouldn’t be more than 15-20 minutes and can be done at the beginning and end of each day, as needed.
Having the ability for all team members to collaborate securely is mandatory and so is the ability for them to securely access the network. There are many methods this can be done today, with VPNs utilizing multifactor, but all devices being used at remote sites should also be encrypted. Everything that the employee is using remotely should be encrypted, either in transit or at rest, to minimize the risk of having data compromised. By protecting the data outside of your office limits the risks of having employees work remotely.
Scheduled Gatherings and Staff Meetings
Just as important as keeping in constant contact with each other so is keeping some of the normality of the office. Setting up weekly staff meetings to review important topics in more detail than the daily standups is something that allows for team members to go deeper into the projects or issues they’ve been facing all week. Also, setting up a quarterly meet-up, or at another frequency of your choosing, to get all the team members together to build relationships and foster a teamwork environment that will extend back into their remote relationships. This being said, it isn’t something many companies are doing these days after having a culture of being forced into the office, but this is a viable option to building security teams when the talent pool around the hiring location is limited. Many startups are using this model but once it gets into larger organizations, the culture of remote work is often not accepted as widely. I would urge companies that are looking to ramp up teams faster, find good talent and make a culture that people want to work for longer than the average year or so, to consider building remote security teams. With the ability to work remotely and securely, to have secure communication with team members (anything from a configuration to an attack) and the ability to build relationships with face-to-face meetings is something that might be worthwhile to companies looking to secure their organizations. In my opinion, it’s more risky not to do this than hire talent locally that might not have the expertise to protect the organization.
About the Author: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email [email protected]. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock