
4/4/2016
11:14 AM
Jonathan Anderson

Knowledge Gap Series: 3 Steps To Deal With The High Turnover In Your Security Department

Follow these suggestions to significantly decrease the probability that your organization is a future security headline.

Let’s start with two numbers:

60,000: The number of security professionals in the United States with a CISSP (Certified Information Systems Security Professional) certification.

50,000: The current demand for additional CISSP professionals.

Everyone talks about the industry shortage of security professionals as an inhibitor to providing competent resources to deploy security technology and services. In reality, even with well-trained security professionals available, the turnover and hot job market expose companies to incomplete deployments that are not being properly funded or commissioned.

Given the demand for security professionals, it is common to see job tenures averaging about six months for a security engineer and one year for a security architect or mid-level manager. One of the biggest problems with this turnover rate is that the people who start projects are rarely around to see them implemented. In other words, the people who are currently accountable for your security system did not create the original scope, requirements, budget, or design. Was the original budget too low, were the specifications inaccurate, or were the promises too ambitious? This is tough for the new person, who is now accountable for someone else’s earlier promises. But it is also a risk if you have people scoping or budgeting projects that they know they will not be around to implement or operate.

Not only does this turnover jeopardize your security posture, it discourages people from working in the field, because it increases the pressure by making them accountable for someone else’s work and commitments. There is also little opportunity for project handoff or knowledge transfer, because security professionals, given their privileged access, are typically walked out as soon as they announce their intent to leave.

Less Dependence On Individuals

With many years of experience over a wide variety of security projects, I have not seen a single project have the same people working on it from start to finish. To address this, we learned to put in place a number of processes to reduce the dependence on individuals and ensure that projects are delivered on-time, within scope, and with measurable results.

First, make sure that at the outset, your project scope, budget, and implementation plan are reviewed and approved by multiple stakeholders, architects, and engineers. If you do not have enough staff or expertise for this in-house, an alternative is to ask one of your security vendors to participate. They will bring in their knowledge of best practices, as well as their experience with similar projects. Leveraging the professional service arm of your chosen vendor will also reduce the chance of having an unsupportable or inferior implementation.

Second, as the project moves from implementation to production, make the time to continue to document operating details, new best practices, and other significant events. Yes, this takes personnel time in a department that typically runs pretty thin, but it will save you time in the long run. Moving security functions to the cloud is a good mechanism to alleviate some of the problems inherent with project turnover because you have to clearly document the functions and operations in order for the service transition to be successful and measurable.

Finally, when turnover happens, as it will, this detailed documentation becomes your knowledge transfer process to new personnel. As the team deals with incidents and new threats, your documented practices and technologies can be readily reviewed and adjusted, with less chance of breaking existing deployments or accidentally weakening your security posture.

Some security experts have proposed a correlation between major breaches and attrition of security personnel. These three steps will help you significantly reduce the probability that your organization is a future security headline.

Jonathan Anderson is responsible for technical strategy and integrating security into future IoT solutions at Intel Security. Prior to joining Intel, he served 14 years across both Cisco and HP where he continuously interlocked with customers, sales force, and product teams ...