Partner Perspectives
4/4/2016 11:14 AM
Jonathan Anderson
Knowledge Gap Series: 3 Steps To Deal With The High Turnover In Your Security Department

Follow these suggestions to significantly decrease the probability that your organization is a future security headline.

Let’s start with two numbers:

60,000: The number of security professionals in the United States with a CISSP (Certified Information Systems Security Professional) certification.

50,000: The current demand for additional CISSP professionals.

Everyone talks about the industry shortage of security professionals as an inhibitor to providing competent resources to deploy security technology and services. In reality, even with well-trained security professionals available, the turnover and hot job market expose companies to incomplete deployments that are not being properly funded or commissioned.

It is common, given the demand for security professionals, to see job tenures averaging about six months for a security engineer and one year for a security architect or mid-level manager. One of the biggest issues with this turnover rate is that the people who start projects are rarely around to see them implemented. In other words, the people who are currently accountable for your security system did not create the original scope, requirements, budget, or design. Was the original budget too low, were the specifications inaccurate, or were the promises too ambitious? This is tough for the new person, who is now accountable for someone else's earlier promises. But it is also a risk if you have people scoping or budgeting projects that they know they will not be around to implement or operate.

Not only does this turnover jeopardize your security posture, it discourages people from working in the field because it increases the pressure, making them accountable for someone else’s work and commitment. Also, there is little opportunity for project handoff or knowledge transfer as security professionals are typically walked out once they announce their intent to leave, due to their privileged access.

Less Dependence On Individuals

With many years of experience across a wide variety of security projects, I have not seen a single project keep the same people from start to finish. To address this, we learned to put in place a number of processes to reduce the dependence on individuals and ensure that projects are delivered on time, within scope, and with measurable results.

First, make sure that at the outset, your project scope, budget, and implementation plan are reviewed and approved by multiple stakeholders, architects, and engineers. If you do not have enough staff or expertise for this in-house, an alternative is to ask one of your security vendors to participate. They will bring in their knowledge of best practices, as well as their experience with similar projects. Leveraging the professional service arm of your chosen vendor will also reduce the chance of having an unsupportable or inferior implementation.

Second, as the project moves from implementation to production, make the time to continue to document operating details, new best practices, and other significant events. Yes, this takes personnel time in a department that typically runs pretty thin, but it will save you time in the long run. Moving security functions to the cloud is a good mechanism to alleviate some of the problems inherent with project turnover because you have to clearly document the functions and operations in order for the service transition to be successful and measurable.

Finally, when turnover happens, as it will, this detailed documentation becomes your knowledge transfer process to new personnel. As the team deals with incidents and new threats, your documented practices and technologies can be readily reviewed and adjusted, with less chance of breaking existing deployments or accidentally weakening your security posture.

Some security experts have proposed a correlation between major breaches and attrition of security personnel. These three steps will help you significantly reduce the probability that your organization is a future security headline.

Jonathan Anderson is responsible for technical strategy and integrating security into future IoT solutions at Intel Security. Prior to joining Intel, he served 14 years across both Cisco and HP where he continuously interlocked with customers, sales force, and product teams ...