Dark Reading is part of the Informa Tech Division of Informa PLC

Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less.

Your organization’s greatest security resources are people. They see the trouble spots and can intelligently investigate incidents and raise red flags (often at a higher level than the green-yellow-red lights on system dashboards). They keep the lights on, the employees working, the customers satisfied, the bad guys at bay.

But organizations aren’t hiring as many security professionals as they need, and very often, it’s not because of budgetary pressures. It’s because they can’t find skilled people. No matter how you slice it, creating a security professional with 10 years of experience takes … well, 10 years. All of this makes it imperative to use your security professionals in the most effective way possible to make your organization as secure as possible and make their jobs interesting and rewarding so that you retain top talent.

Tip #1: Take humans away from the daily techno-drudgery
Start by freeing up your security professionals from mundane, repetitive tasks. That often means automation. I don’t mean automation to replace staff, but automation to elevate your most skilled professionals to focus on security initiatives that increasingly support the competitiveness of the business.

Work with your team to identify the tasks that are most ripe for automation, including those where security policies are followed in a straightforward manner, where it might be hard to spot an admin’s mistakes and where mistakes can threaten security and increase risk. If many “things” have to be touched in order to accomplish a task, that’s where automation can save precious human resources, a tremendous amount of time and significantly reduce errors.

Tip #2: Let software do the heavy, repetitive lifting
Validating security is a related area where automation can deliver huge efficiencies by eliminating human labor. Humans find this kind of work slow and laborious, and might take weeks to perform a routine audit. Automation can do that job in minutes. Not only that, but automation is far more likely to do an accurate job. Humans do not excel at repetitive, detail-oriented tasks such as updating a hundred firewall devices with a new policy, or validating that their settings conform to policies. Humans make mistakes, possibly miss a setting or forget to save a change. Automation will get it done not only faster, but more accurately — and can log everything it does, without complaining about the paperwork.

Tip #3: Automate audit preparation
Preparing for audits remains an incredibly time-consuming and potentially error-prone activity that takes precious time from strategic security initiatives. Audit preparation can vary from the mundane to the insane – like documenting backups, checking firewall configurations, validating that files are properly encrypted, making sure patches have been applied, and so on. Audits can be all-consuming and require significant human intervention, but this time and effort can be saved through automation.

Tip #4: Offload security operational tasks to the IT operations teams
In many organizations, security teams often handle operational tasks that touch on security. Consider offloading these tasks to IT operations so that security staff can focus purely on security-related tasks. Since the general IT market has not witnessed the same growth in demand for skilled employees as security, hiring IT Ops personnel is often less of a challenge.

Tip #5: Make “tribal knowledge” available to all
In too many organizations, critical knowledge is not hoarded in notebooks or SQL databases, but in human memory. Think about the veteran network architects who know the system inside and out, including where the “official” plans don’t represent the physical reality. We call that information “tribal knowledge.” While those individuals (whom I like to call Network Ned) are corporate treasures, it’s simply not good policy to silo tribal knowledge within cranial wetware. Not only are you going to have a bad day when these people leave the company, it also makes ramping up new and lesser-skilled engineers a lot slower and more difficult. If you can use software tools to document the reality of the network and its security configurations, Network Ned won’t have to be a corporate Wikipedia of critical data. Instead, Network Ned can apply his/her talents to driving innovation and adding value to the business.

Tip #6: Use scarce, hard-to-find security professionals smarter
We are all under pressure to improve the efficiency of our security teams. But we are also under pressure to strengthen the business by increasing competitiveness and agility -- without increasing risk. Security professionals can play an important role in this through big-picture thinking, problem solving, and finding better ways to manage risk. My suggestion is to take repetitive tasks off their plates. This will free them to execute many of those tasks more efficiently and more accurately. That’s how we do more with less in today’s security-intensive world.

Originally a software engineer and then a product manager for security products, Nimrod (Nimmy) Reichenberg now heads global strategy for AlgoSec. Nimmy is a frequent speaker at information security events and a regular contributor to industry publications including Security ...

John S.J547
User Rank: Apprentice
6/18/2015 | 2:09:52 PM
Computer security legal hazards
Within the last, well, 10 years there were issues with computer security professionals getting prosecuted for doing their jobs, often due to political conflicts and kinks in the system, such as reporting of problems that made some executives look bad, or that they didn't want fixed. Hazardous-duty pay seemed appropriate.

I've heard much less of this recently. Have the problems been corrected (for example by clear guidelines and standards of professional organizations)? If so, maybe we need more effort to let people know, to avoid deterring future security professionals.

We will need their services for a long time.
Andre Gironda
User Rank: Apprentice
6/14/2015 | 3:50:07 AM
Re: Budget Constraints
Free, open-source software can provide automation just the same as commercial or SaaS offerings can. 

For incident response, try Google Rapid Response. For network and app penetration testing and vulnerability assessment, try sixdub-Minions and Arachni, plus metasploitHelper. DLP, use OpenDLP. Firewall and IPS, try Untangle firewall or Suricata IPS. SIEM, use OSSIM. Log management with file integrity monitoring -- easy peasy with OSSEC. Access controls needed, then U2F is a must-have. smicallef-spiderfoot or the Collective Intelligence Framework for threat intelligence information and Soltra Edge to share it with your industry ISAC.

Yes, you will need people and processes. Tools should support people and processes. The NIST CSF is a great framework and PASTA is a good process-oriented approach to security risk management. None of these documents are locked up by Gartner paywalls. It's time to say goodbye to the old-school methods and pick up an open-source project or ten to drive results.
User Rank: Apprentice
6/13/2015 | 12:56:13 PM
Tip #4
While I agree with you that there is a shortage, I think that security ops tasks can be beneficial for up-and-coming professionals. I am not talking about automated tasks but lower-level analysis that the sec ops person has to perform. It is a good area to get your feet wet.
User Rank: Apprentice
6/12/2015 | 3:00:15 PM
Re: Budget Constraints
Hi Ryan,

Thanks for your comment. What I have noticed is that the recent publicized breaches have made budgets less of an issue than they used to be. The problem is twofold: when there are not enough skilled security professionals, more budget does not help as much. Additionally, executives are used to the idea that every problem can be solved if you just spend enough money on it, and unfortunately that is not the case with security.



User Rank: Ninja
6/12/2015 | 1:17:31 PM
Budget Constraints
Unfortunately, there are budget constraints with many of the points that are made in the article, especially around automation. I agree with these points wholeheartedly, but I've seen firsthand security professionals performing the work that could be automated due to these budgetary constraints. Yes, automating the laborious work is ideal, but it's costly in both dollars and man-hours.