Dark Reading | Operational Security
5/7/2019 07:00 AM
Steve Durbin

Security Workforce 2019: Closing the Gap Builds a Bridge to the Future

To plug the ongoing cybersecurity skills gap, those doing the hiring need to start thinking outside the box.

The recent government shutdown in the US brought worries about the shortage of cybersecurity workers into stark relief.

In the normal day-to-day, it's easy to get busy "making it work" by making money and keeping the lights on. Seeing the furlough of federal workers and disruption of government functions immediately and visibly impact critical commercial, transportation and public services is an eye-opening and timely reminder of our interconnectedness. It also underlines the danger of understaffing critical cybersecurity programs. The more we transform our businesses, governments, and public and personal lives through digital technology and connectivity, the more we share the accompanying risks. The ancient adage seems timely once again: we're only as strong as the weakest link in the chain. And the security skills gap represents an alarmingly weak link.

In short, as the cyber threat landscape continues to grow more varied and intense in sophistication and strategic intent, the pressure on information security teams continues to mount. When a company doesn't have enough personnel to contain and understand the growing risks it faces, the struggle to hire and retain skilled security professionals becomes a risk not only for that company, but also for any other entity connected to it.

Shortfalls in skills and capabilities have surely contributed to many of the major security incidents, data breaches and ransomware attacks that have filled the headlines and resulted in widespread exposure of sensitive information, damage to brands and reputations, erosion of public trust, increased regulation, fraud and financial loss. Building tomorrow's security workforce is critical if we ever hope to see the day when robust, efficient and long-term enterprise security is normal and expected.

We've been talking about this skills shortage for many years now, at many levels of government, industry and higher education. And yet the gap persists. Organizations must commit to changing their attitude and approach to hiring and training, and step up their participation in "joint pipeline" development efforts. The traditional approach to identifying candidates is overly rigid. When combined with over-stressed and under-staffed work environments -- not exactly appealing to the best candidates -- this approach creates a funnel that is too narrow at the top. It's time to apply the creativity and passion for innovation that drove the meteoric rise of the digital economy to meeting this crucial challenge.

Filling the pipeline will require finding a way to channel the vast untapped pools of talent we know are out there. If only 20% of the global cybersecurity workforce is composed of women, there are obviously lessons to be learned about how to attract bright prospects from a wider spectrum of education, experience and expertise. It goes way beyond gender diversity -- organizations must commit to developing initiatives aimed at fostering talent from younger and older age groups, underprivileged school districts, liberal arts colleges and other "outside the box" options.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g., security software platforms, patching and configuration practices, analytics and machine learning initiatives) become more complex.

Past: Security in silos
The security workforce, typically defined as the personnel responsible for an organization's information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as risk, technical IT operations, legal or audit, and it might be called information, cyber, assurance or operational security. It can also report into various business units, including finance, risk, governance or IT.

Over time, the lack of a consensus definition or integrated structure has allowed numerous, disparate components to form the typical enterprise security workforce. It's shocking how rarely essential infosec contributors -- employees working within threat intelligence, business continuity and security operations -- convene in one distinct function under a designated leader.

Present: Supply and demand are imbalanced
To have any hope of maintaining an effective security posture, enterprise executives must close the gap between supply and demand within their organization through a dynamic combination of workplace culture and appeal, strong processes and policies, and integrated, automated technology support. The scope of the challenge means it needs to be addressed from both sides: from one direction, widening the funnel and filling the pipeline to meet demand; from the other, reducing the amount of work and the level of expertise required to maintain robust defenses, intelligent monitoring and agile incident response. However it is achieved, closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture -- and on a larger scale, critical to maintaining public trust and reliable public and commercial services.

If the pool of applicants at a certain level of skill, qualification and experience is so small that most organizations (including SMEs, government agencies, and municipal services) can't afford to hire any of the available candidates, something must give. Moreover, talented security staff are in such high demand that even if you manage to hire a choice candidate, they may soon be lured away by better perks and projects at a more prestigious organization. Hence the gridlock we find ourselves in at present. By making reasonable adjustments to requirements for levels of education, certifications and years of experience, companies and industries can loosen the jam and fill up their talent pool.

The delta between security job openings and qualified candidates isn't inevitable. For many organizations, it could be as simple as encouraging those doing the hiring to be more flexible and developing more informed and imaginative recruitment and apprenticeship practices.

Future: Working toward human-centric security
Many promising candidates, including recent graduates, are interested in high-tech companies and careers, but information security is perceived as deeply technical (and, let's be honest, also tedious and high-stress), leaving recruiters struggling to connect with candidates from less specialized backgrounds.

Smart leaders are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that can meet the challenges presented by digital risk -- not to mention technology solutions that free up human resources and reduce tedium and complexity.

A human-centric approach provides the framework for building a balanced, fully staffed security workforce of proficient and satisfied information security professionals. Of course, this approach requires leadership commitment and budget allocation -- but it's a crucial investment in the future. And in cybersecurity, the future comes at you fast.

The imperative of a sustainable security workforce
Our deepening reliance on connected digital systems, and our subsequent vulnerability to a shifting array of cyber threats, has made the security workforce core to enterprise profitability and survival. But for many enterprises, developing a sustainable security workforce is out of reach because attracting and retaining experienced, certified security experts is a constant battle. To break this impasse, governments, industries and companies need to establish strategic objectives that prioritize transformative investments in developing a stronger workforce and a bigger, more accessible talent pool.

With clear direction and sustained HR efforts, organizations can formalize the structure of security teams, reporting and leadership to bring them into better alignment with the organization's security objectives. An integrated, agile security function can be a powerful partner to the business.

In the bigger picture, the more stakeholders work together towards the common goal of diversifying, growing and advancing the security workforce, the safer shared cyberspace will be. In large part, our digital world runs on shared data and networks and relies on the public trust. Security professionals are the guardians of these assets. In the year ahead, rise above the hiring fray and focus on fresh, strategic, long-term approaches to building, supporting and integrating your security workforce.

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
