
Operational Security

10/26/2017
Josh Mayfield

Ways to Win the Security Skills Challenge

Finding and keeping skilled security professionals is hard. But there are ways that can work to keep your best employees on-board and happy.

It can be difficult to locate and hire staff with appropriate technical skills for many reasons. Primarily, the challenge comes from a disconnect between formal education (i.e., university) and the nature of the current environment. By the time a curriculum is established, the world has changed. This leaves institutions with only one option: give students a basic foundation and leave deeper skills development to the student.

Second, organizations that need more developed skills are all competing with one another in a labor market. Not only must they compete with one another, but organizations must compete with government agencies, consultancies, and vendors all pursuing the skills for their own benefits. So, we have a demand spike and a supply shortage.

Finally, skills development is generally assumed to be the responsibility of the individual rather than the organization -- and for good reason. If a company invested to build more skills into current staff, those people would have greater marketability in this high-demand environment. This is a dilemma; a prisoner's dilemma. Everyone is looking at the problem from the same vantage point. What is best for the individual organization may have a negative outcome on the market as a whole. Of course, organizations want highly skilled, highly trained staff... they just want someone else to train them.

So how can companies help themselves by focusing on upskilling their current technical staff? Might this really be a viable solution to the digital skills gap? The difficulty with upskilling the current staff is that you may be sinking investment into a resource that will soon leave or be lured away to a more lucrative opportunity. This is the dilemma I mentioned earlier. So, organizations are hopeful that individual team members will cultivate their skills, without having to make investments directly in their development.

Some organizations have practiced golden handcuffs methods to secure a staff member. A law firm may pay tuition for a clerk to get a law degree, with the stipulation that the clerk remains with the law firm for several years after graduation. This is a potential option to use with technical staff to close the skills gap we see in digital and security disciplines.

But information is highly portable. Organizations that train their own staff to improve their technical skills may find themselves losing newly minted minds to competitors or other market participants all clamoring for the same technical skill. This is a risk-return evaluation; couple that with the inherent status quo bias, and you get organizations sitting idle while the skills gap continues to grow.

Upskilling is a viable option, but an option that has to be weighed against the potential loss of the best, most developed staff members. The greatest benefit of upskilling is that it can be calibrated to the most relevant skills an organization needs or prefers. Along with that, there is a sense of gratitude that comes over the trained individual that could inhibit thoughts of taking the new skills to greener pastures. However, in a free society where individuals are competing with one another in a labor market, it is only natural to shop those skills for better individual opportunities.

It is a tricky balance, because organizations can see staff contentment rise while retention falls. An individual can be grateful for the skills their employer has helped develop, but still evaluate themselves as being more desirable in the broader market. Both conclusions follow: more content, yet less likely to stay.

In my experience, very few organizations are investing in this type of upskilling. However, those who are accomplishing this feat are doing it by following a consistent incentive structure. I know of one organization that sends its cybersecurity staff to various training modules at SANS Institute. Upon completion of each security track, the employer increases their salary by 5%.

At first, this organization was paying a spot-bonus of 5% of the annual salary for each completed course. The trouble with that is once the bonus is paid and the skills are enhanced, they found technical staff would promptly take their talents elsewhere. Once they shifted to increasing the base pay for the staff, people stayed with the company.

There is another tactic companies are rapidly adopting -- automation. If you are uncertain you can hire individuals with the right skills and you are unsure if you can close the skills gap with current staff, you can automate many of the manual and low-value workloads using technology. For example, assessing firewall rules that are outdated or underutilized is a relatively mundane task. So, many are using technology to automate such an activity, leaving their highly trained staff to manage higher valued workloads.

If you are running into the challenge of a skills gap and are stuck in the dilemma of upskilling, you can automate. This is the easiest, fastest way to get things accomplished with a skills gap that keeps growing, without the risk of investing in staff who may then depart.

As for training options available to companies looking to upskill tech staff, several educational avenues are available to organizations, both on-campus and online. Online education modules such as Lynda.com are commonly used to enhance skills in various disciplines. In addition, learning management systems have advanced in the past decade, and many organizations are codifying their ways of doing things into a learning management console and guiding staff toward further development.

Human behavior is goal-directed. If organizations provide incentives for development and a pathway toward that development, individual staff will likely pursue the goal. Give incentives for the behavior you want and remove any obstacles you can to achieve it -- that's the best way for leadership to get the outcomes they need.

What are the biggest digital skills to focus on? We live in a world that is awash with data. Data science is the most likely skill set organizations will need over the next 5-10 years. This will come in many forms. Data science skill will become a requirement rather than a bonus for software developers. Security engineers with knowledge of how data can be manipulated to determine policies and security protocols will be in high demand. IoT specialists who can quickly integrate data to model the outcome of a new product or support an existing one will be recruited just as fervently as a world-class CEO.

Aside from data science, virtual reality will play a large role. Virtual reality and its principles can be applied to all manner of commercial benefits. Imagine a construction company that can do an inspection virtually with the owner and architect prior to the grand opening. Imagine a physician in a virtual operating room assisting another physician who is 4,500 miles away. Technical staff who can convert science fiction into science fact will be the rock stars of an emerging discipline.

Finally, security skills for advances in computing options (e.g., quantum computing) and changing infrastructure (e.g., SDN, virtualization, cloud) will become the norm. We simply do not know what security concerns we will face with all that is evolving.

Those with the skills to secure this new world will be the heroes of many organizations.

— Josh Mayfield is Platform Lead for Immediate Insight, FireMon’s security analysis platform. He works with global security leaders to improve security analysis using big data principles and automation.
