10:30 AM
Connect Directly
E-Mail vvv

Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less.

Your organization’s greatest security resources are people. They see the trouble spots and can intelligently investigate incidents and raise red flags (often at a higher level than the green-yellow-red lights on system dashboards). They keep the lights on, the employees working, the customers satisfied, the bad guys at bay.

But organizations aren’t hiring as many security professionals as they need, and very often, it’s not because of budgetary pressures. It’s because they can’t find skilled people. No matter how you slice it, creating a security professional with 10 years of experience takes … well, 10 years. All of this makes it imperative to use your security professionals in the most effective way possible to make your organization as secure as possible and make their jobs interesting and rewarding so that you retain top talent.

Tip #1: Take humans away from the daily techno-drudgery
Start by freeing up your security professionals from mundane, repetitive tasks. That often means automation. I don’t mean automation to replace staff, but automation to elevate your most skilled professionals to focus on security initiatives that increasingly support the competitiveness of the business.

Work with your team to identify the tasks that are most ripe for automation, including those where security policies are followed in a straightforward manner, where it might be hard to spot an admin’s mistakes and where mistakes can threaten security and increase risk. If many “things” have to be touched in order to accomplish a task, that’s where automation can save precious human resources, a tremendous amount of time and significantly reduce errors.

Tip #2: Let software do the heavy, repetitive lifting
Validating security is a related area where automation can deliver huge efficiencies by eliminating human labor. Humans find this kind of work slow and laborious, and might take weeks to perform a routine audit. Automation can do that job in minutes. Not only that, but automation is far more likely to do an accurate job. Humans do not excel at repetitive, detail-oriented tasks such as updating a hundred firewall devices with a new policy, or validating that their settings conform to policies. Humans make mistakes, possibly miss a setting or forget to save a change. Automation will get it done not only faster, but more accurately — and can log everything it does, without complaining about the paperwork.

Tip #3: Automate audit preparation
Preparing for audits remains an incredibly time-consuming and potentially error-prone activity that takes precious times from strategic security initiatives. Audit preparation can vary from the mundane to the insane – like documenting backups, checking firewall configurations, validating that files are properly encrypted, making sure patches have been applied, and so-on. Audits can be all-consuming, and require significant human intervention but this time and effort can be saved through automation.

Tip #4: Offload security operational tasks to the IT operations teams
In many organizations, security teams often handle operational tasks that touch on security. Consider offloading these tasks to IT operations so that security staff can focus purely on security-related tasks. Since the general IT market has not witnessed the same growth in demand for skilled employees as security, hiring IT Ops personnel is often less of a challenge.

Tip #5: Make “tribal knowledge” available to all
In too many organizations, critical knowledge is not hoarded in notebooks or SQL databases, but in human memory. Think about the veteran network architects who know the system inside and out, including where the “official” plans don’t represent the physical reality. We call that information “tribal knowledge.” While those individuals (who I like to call Network Ned) are corporate treasures, it’s simply not good policy to silo tribal knowledge within cranial wetware. Not only are you going to have a bad day when these people leave the company, it also makes ramping up new and lesser-skilled engineers a lot slower and more difficult. If you can use software tools to document the reality of the network and its security configurations, Network Ned won’t have to be a corporate Wikipedia of critical data. Instead, Network Ned can apply his/her talents to driving innovation and adding value to the business.

Tip #6: Use scarce, hard-to-find security professionals smarter
We are all under pressure to improve the efficiency of our security teams. But we are also under pressure to strengthen the business by increasing competiveness and agility -- without increasing risk. Security professionals can play an important role in this through big-picture thinking, problem solving, and finding better ways to manage risk. My suggestion is to take repetitive tasks off their plates. This will free them to execute many of those tasks more efficiently and more accurately. That’s how we do more with less in today’s security-intensive world.

Originally a software engineer and then a product manager for security products, Nimrod (Nimmy) Reichenberg now heads global strategy for AlgoSec. Nimmy is a frequent speaker at information security events and a regular contributor to industry publications including Security ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
John S.J547
John S.J547,
User Rank: Apprentice
6/18/2015 | 2:09:52 PM
Computer security legal hazards
Within the last well, 10 years there were issues with computer security professionals getting prosecuted for doing their jobs, often due to political conflicts and kinks in the system, such as reporting of problems that made some executives look bad, or that they didn't want fixed. Hazardous-duty pay seemed appropriate.

I've heard much less of this recently. Have the problems been corrected (for example by clear guidelines and standards of professional organizations)? If so, maybe we need more effort to let people know, to avoid deterring future security professionals.

We will need their services for a long time.
Andre Gironda
Andre Gironda,
User Rank: Apprentice
6/14/2015 | 3:50:07 AM
Re: Budget Constraints
Free, open-source software can provide automation just the same as commercial or SaaS offerings can. 

For incident response, try Google Rapid Response. For network and app penetration testing and vulnerability assessment, try sixdub-Minions and Arachni, plus metasploitHelper. DLP, use OpenDLP. Firewall and IPS, try Untangle firewall or Suricata IPS. SIEM, use OSSIM. Log management with file integrity monitoring -- easy peasy with OSSEC. Access controls needed, then U2F is a must-have. smicallef-spiderfoot or the Collective Intelligence Framework for threat intelligence information and Soltra Edge to share it with your industry ISAC.

Yes, you will need people and processes. Tools should support people and proceses. The NIST CSF is a great framework and PASTA is a good process-oriented approach to security risk management. None of these documents are locked up by Gartner paywalls. It's time to say goodbye to the old-school methods and pick up an open-source project or ten to drive results.
User Rank: Apprentice
6/13/2015 | 12:56:13 PM
Tip #4
While agree with you that there is a shortage, I think that security ops tasks can be beneficial for up and coming professionals. I am not talking about autmoated tasks but lower level analsys that the sec ops person has to perform. It is a good area to get your feet wet.
User Rank: Apprentice
6/12/2015 | 3:00:15 PM
Re: Budget Constraints
HI Ryan,

Thanks for your comment. What I have noticed is that the recent publicized breaches have made budgets to be less of an issue than they used to be. The problem is twofold -  when there are not enough skilled security professionals, more budget does not help as much. Additionaly, executives are used to the idea that every problem can be solved if you just spend enough money on it, and unfortunately that is not the case with security.



User Rank: Ninja
6/12/2015 | 1:17:31 PM
Budget Constraints
Unfortunately, there are budget constraints with many of the points that are made in the article, especially around automation. I agree with these points whole-heartedly, but I've seen first hand security professionals performing the work that could be automated due to these budgetary constraints. Yes automating the laborious work is ideal but its costly in both dollars and man hours.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.