Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
12:30 PM
Carric Dooley
Carric Dooley
Partner Perspectives
Connect Directly

Recruit, Reward & Retain Cybersecurity Experts

How to create a better working environment for security professionals.

January is a good time to get strategic and think about the bigger picture. The glut of security breaches in 2014 has increased the pressure to hire and retain cybersecurity experts, in a market that was already experiencing an acute shortage. Ranging from 50,000 to 500,000 or more depending on whom you ask, the gap between supply and demand is large and growing.

At the same time, I still hear from many clients who perceive security as an annoyance and a sunk cost, not a proactive and positive force for their company. This opinion varies by role – our research shows CISOs and senior IT managers are less prone to this mindset than the teams with more operational roles.

Greenberg Survey sponsored by Intel Security, November 2014, N=700.

Perception is important because it translates into attitude to the team, communicated in body language, nicknames, and reluctance to comply with rules. Security staff may play along and participate in the jokes, but internally being treated this way in your job is slowly soul-destroying.

When asked about what keeps them enthusiastic about their jobs, security professionals will often mention meaningful and challenging work, opportunities for professional development, and a belief that their skills are being put to good use. When asked about the challenges in their jobs, top of mind are lack of understanding from senior management and lack of adequate investment.

Here are three ideas for creating a better work environment for your security team:

1) Reaffirm that the threat is real. People are trying to get into your network to steal your data. This is not meant to be a scare tactic, but an awareness campaign. Show the company why your security team matters and that it’s not just a necessary evil. Talk about public breaches or internal incidents. Demo how to hack an online account. How did it happen and what can you do about it? Communicate that your team does more than make security rules, they are also the people who work long hours in the event of a breach.

2) Make it personal. What aspects of the job does your staff dislike? Try to reduce or eliminate those tasks through automation, education, or managing up. Then give them challenging tasks and more of what they like doing. Use words that indicate support and positive reinforcement. Make each member feel respected and rewarded, that they are making a difference, and are an important part of the Security Battleground.

3) Have fun. Send them to conferences and give them time to learn new things and participate in local security events and hackerspaces. Invite consultants or experts that have experienced a breach to share war stories. Interacting with smart, like-minded people in similar situations helps to build team spirit and a sense of value beyond the cubicle.

Banks do not view vaults, cameras, or safety deposit boxes as an annoyance, but as an important part of minimizing their risks. Customers would not deal with a bank that reduced expenses by keeping cash in cardboard boxes in a back room with only a simple door lock for security. Your enterprise information security should not be viewed as an impediment to the business, but as a critical part of making the Internet a valuable and secure business tool.

Carric Dooley has extensive experience leading comprehensive security assessments as well as network and application penetration tests in a wide range of industries across North America, Europe, and Asia. As the Worldwide VP of Foundstone Services at McAfee, part of Intel ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/22/2015 | 7:30:51 PM
Re: I have a fourth idea!

I would argue that the CISO often DOES pay - with his job. (A friend of mine once told me CISO actually stands for "career is so over"). 

As to the "cost benefit analysis of security", business is all about cost/benefit analysis. Should we get into building personal submarines? What will that require in terms of capex/opex? What are the risks? How do we keep them off Minnesota highways?

So, Infosec is hard to get right and largely misunderstood. It's also viewed as a "necessary evil", so yeah, most companies want to get away with spending as little as possible on it, and to most non-security geeks, it's "just another cost". The world is a fabric of compromise - nothing is ever ideal. A penny saved...

I had a fascinating chat with one of our clients recently that his efforts to improve his Secure SDLC process have netted savings in reduced bugs and better quality code due to how they addressed it. They educated their devs, and it has resulted in better apps as a bi-product of an effort to secure the environment.  Huzzah! 

I have seen cases where we presented a cleaning procedure for 23 infected servers, that rapidly became 17 servers when 6 were suddenly deemed non-critical and could just be turned off. While thoughtfully stroking my beard, I asked the secops lead the following: "You have like 30k servers, right? What if you could turn off 7k of them tomorrow?"  It's an unrealistic extrapolation, but illustrated my point.  Sometimes, doing things more securely could have long term savings ramifications (reduced power, cooling, rack space... Oh yeah! And attack surface).

That is what most people do not realize because they have never seen it (nor will they if they don't measure what they do). And who measures the positive impact of the security program on the business? We buy stuff - we deploy it. We MUST be more secure, right?

I get the outrage of having someone make bad  decisions that affect innocent customers and investors (the company also suffers for poor business decisions, btw, and I have seen the suffering of the IT team first-hand during a post-breach panicked recovery. But I would also say: "it depends on the circumstances", and I think the law does step in when its egregious negligence. But I'm not sure doing a blanket "go to jail for doing a bad job" is wise either. That has a high potential to get out of control. 

User Rank: Ninja
1/22/2015 | 1:27:35 PM
Re: I have a fourth idea!
@CarricDooley... It would sure suck to be Biff, and maybe someone should have to explain to his family how he got hit by a submarine while on the highway, heck, living here in Minnesota I can tell that I have seen some weird stuff on the highway, no subs, at least not yet.

But my problem with how the decisions are made is the actual "HOW" part, Risk Analysis and Cost Benefit Analysis and while they both have their valid uses I believe they are being misused in the attempt to save money and or time. Too often these large corporations are worried about the bottom line and who might or who can sue them, but while they can and ofte do win most of their cases or settle out of court, what happens to their reputation?

When you look at some of the data breaches that happened last year, true enoughwe really do not know the true cause and we probably never will unless insiders tell the story, but when you hear about HOW Target was hacked or J.P. Morgan Chase, NOAA, Public School systems, NVIDIA, SONY, hospitals and other health related organizations, carwashes and other companies that use PCAnywhere for remote access with the default passwords hard coded, Jimmy Johns' because their were using POS equipment that should not have been used and their QSA was on a blacklist... some of them happened because of bad administrative\technical management, warnings that were ignored. Somebody made those decisions that cost real people money, but those real people and their money are not figured into those Risk Analysis and Cost Benefit Analysis.

So yeah, I'd like to see the responsibility placed at the feet of whoever that person is, if it's the CISO because he's not trying hard enough or the higher level folks who took that decision away from the CISO, or like Target (even though what they did was a cop out) did, they fired the top IT person, who when you look at her qualifications it can be argued she probably shouldn't have that job in the first place.

But in the end when that Risk Analysis or Cost Benefit Analysis is done, and the number work a certain way... is it worth the reputation of your company to to save the money versus doing what's right? If it's a publicaly traded company I already know the answer to that.
User Rank: Apprentice
1/22/2015 | 11:32:55 AM
Re: I have a fourth idea!

I'll use a Risk Mgt analogy I like to share with clients:

At 42, 350 lbs, and 15+ years of a sedentary lifestyle, Biff has a big fat heart attack.  Realizing that his life choices have created this situation, and he doesn't want to leave his wife and kids behind, he gets on a program to get back down to 210. His lipids and blood pressure are AWESOME, and Biff looks like $1m! On his way from the CrossFit gym one day, Biff is tragically hit and killed by speeding submarine. 

Who's at fault, and who do we send to jail?  The submariner may have even had malicious intent, but he's Syrian, and was driving remote control (hence how the submarine got on the highway in the first place).

Biff, in this case, was doing everything he could to improve his odds, but his luck ran out.  Should we pin this on him?

And honestly – yes, most of us aren't like Biff.  We are still ordering the "4x4 animal style" at the local In & Out, and rushing back home with chocolate shake in-tow, ignoring the potential consequences, but I don't think "poor dietary choice/security" should necessarily be illegal.  How often does the CISO even get to call the shots?  He's a little like Spiderman, except he gets the responsibility with very little power...

User Rank: Ninja
1/21/2015 | 3:53:55 PM
Re: I have a fourth idea!
Idea 5. If the breach is a direct result of a bad decision, make that decision maker pay $$$. Although this is highly unlikely, just like ODA155, I would love to see that happen once.
User Rank: Ninja
1/20/2015 | 1:01:30 PM
I have a fourth idea!
Idea 4. Send somebody to jail. SOMEBODY is responsible for the decisions that ultimatly led to what we saw in 2014... and before. Speaking as a 13 year security proffesional, I would love to see that happen if only once.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.