Dark Reading is part of the Informa Tech Division of Informa PLC

Operational Security

10/29/2018
08:05 AM
Steve Durbin
News Analysis-Security Now

Want a Sustainable Security Workforce? Start Getting Innovative

Security is a never-ending struggle to keep up, and staffing your team is no exception. The old methods of finding talented InfoSec people are no longer working. It's time to get innovative.

As the cyberthreat landscape continues to grow more varied and intense in sophistication and strategic intent, demands on information security teams relentlessly shift and swell.

With limited personnel to manage the rising risk, the difficulty attracting, recruiting and retaining an appropriately skilled workforce has become a risk in and of itself.

Shortfalls in skills and capabilities are manifesting in major security incidents that damage organizational performance and reputation. Building tomorrow's security workforce is essential to address this challenge and deliver robust, long-term security for organizations in the digital age.

However, filling the skill shortage will require organizations to change their attitude and approach to hiring, training and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is clearly a stale practice in need of new tactics and fresh ideas.

Consider, for example, new research by Cybersecurity Ventures, which finds that only 20% of the global cybersecurity workforce is comprised of women.

On its face, this statistic indicates that there are large, untapped pools of talent.

Looking deeper, there are lessons to be learned about what organizations must do differently to attract bright prospects from a wider spectrum of education, experience and expertise. And of course, this goes beyond gender diversity: specifically, organizations must figure out how to recruit effectively from younger and older age groups, underprivileged districts, liberal arts colleges and other atypical populations.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as attacks and defensive measures -- security software platforms, patching and configuration practices, analytics and machine learning -- become more complex.

Security workforce evolution
The security workforce, typically defined as the personnel responsible for an organization's information security activities, has evolved rapidly since its inception.

The information security function often exists only as part of another associated business function, such as risk, technical IT operations, legal or audit. It can be labeled information, cyber, assurance or operational security. It can also report into various business units, including finance, risk, governance or IT.

Over the course of its evolution, the lack of a consensus definition of the information security function has allowed numerous, disparate components to form an organization's security workforce. For example, employees working within threat intelligence, business continuity and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.

Supply and demand
Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture.

It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies.

But is this inevitable?

Are hiring managers so inflexible in requiring candidates to have specific skills, qualifications and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organizations are urgently seeking a solution to the perceived crisis around hiring information security professionals.

To address the growing demand, organizations should broaden their approach, and work purposefully to recruit security professionals from a diversity of backgrounds, disciplines and skill sets.

Focus on the aptitude and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that would eliminate a large portion of current and prospective information security professionals.

Human-centric security
As vendors and tools saturate the security solutions market, potential employees have come to perceive information security as deeply technical, leaving recruiters struggling to identify and appeal to candidates with a less traditional mix of education and experience.

Organizations are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that is capable of meeting the challenges presented by digital risk.

To help achieve a human-centric approach, the information security function should collaborate with HR and take advantage of well-established HR practices to build a diverse workforce of capable individuals. A human-centric approach supported by HR provides the structure for a strong workplace culture characterized by proficient and satisfied information security professionals.

Building a sustainable security workforce
Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organization's survival. But for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.

Organizations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline.

With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent and bring security teams into better alignment with the organization's security objectives.

As the security workforce matures and finds innovative ways to embrace the vast resources of untapped talent, the exaggerated myth of a looming crisis in the global security workforce will be dispelled.

A robust and diverse security workforce will empower organizations to face future workforce challenges, such as automation, role and function amalgamation and increased outsourcing. Information Security Forum Members are already demonstrating success at cultivating teams with the necessary skills and expertise in progressive and engaging environments.

A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.

Steve Durbin is managing director of the Information Security Forum. His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues. Previously, he was a senior vice president at Gartner.