In a previous post, I shared some expert insight into how organizations can address the challenges of hiring skilled talent despite the ongoing infosec skills gap. Organizations can’t rest easy once they’ve brought on new talent, however. They need to make sure they hold onto their existing workforce.
That’s easier said than done. Cybersecurity Ventures forecasted that a total of 3.5 million infosec positions will be unfilled in 2021. Clearly, skilled infosec professionals have plenty of other places to go should they be unhappy with their current employer.
Acknowledging that reality, we at the State of Security asked security experts to weigh in on the impact of the infosec skills gap on existing security teams. We then asked them to share their thoughts on how organizations can keep their current teams intact. Here’s what they had to say.
It’s challenging. I accept that there will always be four times more work than I have resources. My mantra is to prioritize. Make sure we are working on the highest risk, the most likely security issues, and communicate the residual risk.
The other solutions are extending the responsibility for protecting the business into all parts of the business. I “deputize” people onto the cybersecurity team, and I recognize that people bring cybersecurity issues and solutions. I even have silver deputy badges that I found on Amazon for .50 each that I hand out with a certificate of recognition. I love walking by people’s cubes and seeing them pinned on the wall!
There is also an opportunity to leverage low tech solutions like easy-to-find and easy-to-follow security cheat sheets, so people whose core competency is customer service, legal, or administration can know how to do things securely without being frustrated or inadvertently causing a security incident.
David Henderson | Sr. Systems Engineer, Tripwire
The infosec skills gap impacts security teams today by putting additional stress and reliance on specific personnel who have attained the necessary skillsets to perform at peak. In many cases, that’s only one or two individuals. This can create a potential single point of failure, putting stress on hiring managers to fill that gap.
One solution to the infosec skills gap problem is to reach out to market vendors for readily available SaaS solutions. Other options include onsite or remote contract staff as well as customized support options with SLAs that can assist with daily cybersecurity support operations and maintenance. After all, sleeping peacefully at night leads to less stress and better health.
Chris Hudson | Lead Professional Services Consultant, Tripwire
Despite constantly fighting for bandwidth, the really successful small security teams I’ve seen have mastered processes and constant improvement to win out more often than not.
How that works in reality varies from business to business, but it can generally be summarized by having a program of small improvements that can be constantly assessed and scored, thus providing evidence to the rest of the business that the team is busy but successful. For example, having the team focus on a single area of improvement (implementing improved password policies, hardening software firewalls, etc.) and making sure they can measure the number of devices touched and the number of configuration changes made helps justify new team hires as well as keeping forward momentum. (Hopefully, these different effects are tracked already by your compliance tools, so measuring your success shouldn’t take any extra human bandwidth.)
In terms of processes, making sure that your response is consistent, well-documented and easy to do (preferably by multiple team members so processes don’t break down simply due to short-term staff absences, etc.) can be the difference between beating the influx of new risks and challenges and collapsing under a deluge of repetitive and inefficient workflows. The people closest to the problem should also be closely involved in developing those processes to make sure they really can be achieved, too!
Discussions about the infosec skills gap often focus on hiring, training, or outsourcing. Those are a few ways to fill the gap, but how do you stop the gap from widening at your organization? Keeping talent is just as important as bringing it in, and when demand is high and supply is short, keeping talent isn’t easy. It isn’t just about money, either. There will always be another company that can pay more, which is why culture, personal development, and a reasonable workload are just as important. Remember Daniel Pink’s keys to motivation in his book “Drive.” Everyone seeks mastery of their domain, autonomy in their work, and purpose for what they are doing. It’s less costly to keep a person than to hire one.
Of course, you could always outsource, a decision which comes with its own sets of pros and cons.
Haydn Johnson | Information Security Manager, Points
My thoughts are akin to Schrödinger's cat. There is both a skills gap and not a skills gap. By that I mean that there is potentially an infosec skills gap and that hiring practices are not helping. These two factors culminate in a situation where jobs are not being filled.
Nothing I am saying is ‘new.’
Barriers to entry and hiring are multifaceted issues. Let’s consider the following:
● Job postings appear to request skills that are both beyond what is needed for the role and that require many years of experience. This potentially screens candidates from being reviewed and prevents others from applying.
● Infosec is a large space, as demonstrated by the number of certifications in our industry. As a result, newcomers to our field might not know which skills are foundational to having a career in information security, while HR might not have an accurate understanding of what skills are needed for which roles.
● Many companies exhibit a lack of communication on the status of an application after someone has applied.
● Diversity (or lack thereof) also plays a role here.
This ‘infosec skills gap’ or ‘ineffective hiring process’ is also creating multiple issues downstream:
● Companies are becoming increasingly tool heavy due to an effort to counteract the lack of human analysts on the ground. However, good intentions don’t mean that tools are deployed effectively and/or that alerts are reviewed as often as they need to be.
● The current talent begins to lose their skills as they become ‘dashboard warriors’ instead of spending their time tuning and managing tools.
● Companies are becoming more vulnerable to digital threats as it becomes harder for them to fill security positions.
For the short term, security teams can attempt to manage these issues by focusing on defense in depth and foundational controls, as found in most frameworks:
● Asset management - Hardware & Software
● Multiple Factor Authentication (MFA)
● Secure configurations and baseline images
● + many others from your framework of choice
Neira Jones | Independent Advisor & International Speaker
Make sure you've got the basics nailed down. You can get to the fancy stuff later. Also, there are lots of free resources available. Seek those out. One of my faves is https://www.globalcyberalliance.org/
Irfahn Khimji | Manager for Canada, Tripwire
Another very important skill is communication. Many technical folks do not necessarily understand the impact that security can have on the operation of their organization. An organization is never going to be 100% secure, so it is very important to understand the tradeoffs in minimizing risk while maintaining optimal business efficiency. This is another area that organizations should spend time training their teams on. Part of the onboarding process should include some training on what it is that the business does as well as ongoing training on the organizational goals and progress towards those goals.
Small teams typically outsource many of their security functions to managed service providers or managed security service providers. When selecting these providers, it is also key to select providers that can integrate the business goals of the organization to the management of their security tools. Focus on implementing security tools with metrics that can clearly help to identify the risk to the business and activities that mitigate that risk. For example, reporting on the number of missing patches means nothing to the business, but reporting on the risk vulnerabilities and insecure configurations present to the organization can show both the current risk posture and the impact a patching program has on mitigating the risk to the business.
Only when maintaining an open dialog of communication can these goals be achieved together.
Small, stretched in-house teams should look to the use of smart technology and automation where they can. Whilst there are a lot of unknowns and variables with cyber detection and defence that will always require a degree of professional judgment, there are also plenty of ‘known knowns’ which can be automatically defended against. In-house teams should also look to establish arrangements with trusted external partners upon whom they can offload specialist activities and whose skills they can use as required rather than trying to retain them in-house.
Chloé Messdaghi | Vice President of Strategy, Point3 Security, Inc
It’s really important to show that you care about your employees. One of the ways you can do that is by providing training for them, having one-on-ones with them, finding out what their goals are, and creating a roadmap together. Of course, you want to see them go and hit that goal. With that said, the best thing you can do to make that happen is to be that manager who wants to see their employees succeed and who cheers them on the entire way.
Now it's also important to have a conversation with your team about work and life balance because burnout is prevalent in InfoSec. Burnout is a mental health issue. When someone on the security team feels burnt out, it puts the security posture of the company at risk. With that said, please take care of your employees and show them that you care.
Matt Pascucci | Sr. Cyber Security Manager, CCSI
Many companies are looking for qualified staff due to the security and compliance concerns mandating that job roles be filled. This has increased the pressure on cybersecurity teams to wear multiple hats within an organization. This skill gap also creates particular roles that can become very focused, the exact opposite of the first issue, and can silo roles into doing one area of security. This creates an ebb and flow when looking for people. The culture of career development will look different in each scenario.
The infosec skills gap will continue to widen as security becomes “everyone’s concern.” Many times, we see teams with a small security team that’s focused full-time on security but that also has a culture of security spread throughout various groups. This allows for a team to have a smaller full-time security team with the greatest reduction in risk.
Zoë Rose | Cyber Security Specialist and Ethical Hacker
Create diverse and inclusive teams that approach security in a holistic and proportionate way. These teams should do the following:
● Include all departments,
● Effectively train consumers on their roles and responsibilities in the cyber defence team,
● Embed intrinsic motivators,
● Enhance existing team members’ skills,
● Build a culture of trust and understanding where questions are welcomed, and
● Hold formal learning sessions where it’s safe to speak up for the purpose of creating a continuous improvement programme.
Travis Smith | Principal Security Researcher, Tripwire
One of the major barriers on the infosec skills gap is simply knowing where to start. There are many avenues of information security, each with their own complexities that need to be understood. IT departments are tasked with defending endpoints, network devices, applications, the cloud, and more. Gartner’s Adaptive Security Architecture makes a great visualization on how complex protecting each one of these avenues can be. From a high level, it outlines that first, you need to create a baseline of what you have in your environment, harden what you know about, detect what you cannot harden, and respond to anything that is detected.
Information security teams that are feeling outstretched need to simply get back to the basics. The Pareto Principle fits into the value of defensive architecture. The rule states that 80% of the effects come from 20% of the causes. Relating that to information security, we can state that 80% of cybercrime type attacks can be mitigated by 20% of the defensive techniques we can take. The Center for Internet Security (CIS) did a study and found that one could stop up to 85% of attacks by simply implementing the first five of their Critical Security Controls. These five controls are basic and foundational measures such as simply having a baseline of your system and applying hardening benchmarks to your machines.