As we look forward, we can see a future where security operations are still hampered by a shortage of trained and experienced personnel. Even if our current efforts to encourage an increase in security training and enrollment in appropriate university programs work out, it will take more than four years for this new talent pool to begin having an impact on staffing threat operations teams. Moreover, threat actors are not going to back off until then and will continue to innovate and evolve their tactics, techniques, and procedures.
As a result of this continuing talent shortage, companies should try to figure out how to maximize their available resources and leverage emerging technologies. For example, expert systems, machine learning, and other technologies that augment human capabilities are promising developments, but they will take some time to mature into products or services that can reduce our dependence on human skill and judgment.
In the meantime, you still need resources with an understanding of both security technologies and your business. My recommendation is to develop skilled security resources from the existing talent pool inside your organization. Consider internal recruiting of experienced development, IT operations, or other technology specialists from within your organization and provide security training in an apprentice-style model.
There are several advantages to including strong internal recruiting. These recruits will have a firm understanding of network, systems, and cloud technologies deployed in complex real-world operating environments. They will have a firm understanding of your business and the implication of security incidents. Successful candidates will have demonstrated effective critical thinking during troubleshooting and problem-resolution situations. All of these attributes give them a solid foundation for expanding into the security domain.
Educate Your Security Staff
An important corollary of the skills shortage is the need for continuing education for your in-house security and IT staff. The more specialized security defenses and services get, the easier it becomes to put blind faith in a black box. As your team learns to defend against emerging attacks and incorporate new defenses, look for ways to expand their technical and business knowledge. For instance, send them to Black Hat to learn about new exploit techniques. They also need opportunities to learn about new security technologies and services, whether from conferences, security vendors, or online courses.
Perhaps more important, your security and IT staffers need to continue to learn more about your business so they can identify critical risks, evaluate potential threats, and make quick decisions based on the big picture. For example, is your organization embracing DevOps, and is your security team involved?
Many of the most serious threats today are exploiting human vulnerabilities, not technological ones. Phishing, credential theft, social engineering, and other attack vectors leverage publicly-available knowledge of your industry and organization to get the first step inside. Greater knowledge of your business will help the security team identify the most likely threats more quickly and take proactive measures to protect the internal targets and detect the attack vectors.
Another outcome of the workforce crisis in security will be the development of new technologies and service offerings. While the biggest organizations may still try to staff all of their resources in-house, the need for specialization will result in pools of trusted and experienced people who are available on-demand. This requires further changes in education and operations, which I will explore in my next blog, “Preparing for Emerging Technologies.”