Let’s start with two numbers:
60,000: The number of security professionals in the United States with a CISSP (Certified Information Systems Security Professional) certification.
50,000: The current demand for additional CISSP professionals.
Everyone talks about the industry shortage of security professionals as the reason companies cannot find competent people to deploy security technology and services. In reality, even when well-trained security professionals are available, turnover driven by a hot job market leaves companies with incomplete deployments that are never properly funded or commissioned.
Given the demand for security professionals, it is common to see job tenures averaging about six months for a security engineer and about one year for a security architect or mid-level manager. One of the biggest problems with this turnover rate is that the people who start projects are rarely around to see them implemented. In other words, the people currently accountable for your security system did not create the original scope, requirements, budget, or design. Was the original budget too low, were the specifications inaccurate, or were the promises too ambitious? This is tough for the new person, who is now accountable for someone else’s earlier promises. But it is also a risk to have people scoping or budgeting projects that they know they will not be around to implement or operate.
Not only does this turnover jeopardize your security posture, it also discourages people from working in the field, because it increases the pressure on them by making them accountable for someone else’s work and commitments. There is also little opportunity for project handoff or knowledge transfer: because of their privileged access, security professionals are typically walked out the door as soon as they announce their intent to leave.
Less Dependence On Individuals
In many years of experience across a wide variety of security projects, I have not seen a single project keep the same people from start to finish. To address this, we learned to put a number of processes in place to reduce dependence on individuals and ensure that projects are delivered on time, within scope, and with measurable results.
First, make sure that at the outset your project scope, budget, and implementation plan are reviewed and approved by multiple stakeholders, architects, and engineers. If you do not have enough staff or expertise in-house for this, an alternative is to ask one of your security vendors to participate. They bring knowledge of best practices as well as experience with similar projects. Using the professional services arm of your chosen vendor also reduces the chance of ending up with an unsupportable or inferior implementation.
Second, as the project moves from implementation into production, make the time to keep documenting operating details, new best practices, and other significant events. Yes, this takes personnel time in a department that typically runs thin, but it will save you time in the long run. Moving security functions to a cloud service is a good way to alleviate some of the problems inherent in project turnover, because you are forced to clearly document the functions and operations for the service transition to succeed and be measurable.
Finally, when turnover happens, as it will, this detailed documentation becomes your knowledge transfer process for new personnel. As the team deals with incidents and new threats, your documented practices and technologies can be readily reviewed and adjusted, with less chance of breaking existing deployments or accidentally weakening your security posture.
Some security experts have proposed a correlation between major breaches and attrition of security personnel. These three steps will help you significantly reduce the probability that your organization is a future security headline.