As a veteran CISO, I can tell you firsthand that the cybersecurity skills shortage is not only real – it is one of the biggest challenges IT leaders face today. As the threat landscape becomes more complex, it’s difficult to find and hire trained personnel who are both qualified cyber professionals and affordable. To make matters worse, long-term retention of those employees is almost impossible, as they are constantly being poached by other companies.
There are certainly ways to help keep and attract top talent. Hiring managers should ensure compensation and benefits packages are competitive and be willing to give employees significant flexibility with respect to remote working and flexible hours. A CISO isn’t successful without a good team, and you don’t want to lose good employees and make it difficult to find new candidates just because of a rigid workplace.
Since most CISOs recognize the skills gap is real, here are some of the other challenges they face in trying to shore up their security posture:
Relying on cyber-training to train employees to think like hackers.
There’s still a belief that employees have instincts against clicking on a bad link or replying to a seemingly innocuous email, or that the only option is internet security awareness training. But training was never meant to be more than a stopgap measure until appropriate technical tools could be created.
Placing a bet they are too small to be targeted.
Always assume criminals want what you have, even if it's just access to your big partners or customers. They’re fast, they know it's a numbers game, and they view every organization they breach as potentially valuable. If all else fails, they monetize their foothold through a ransomware attack. A good lesson in this was how the Target breach was made through a tiny HVAC vendor who had nothing to steal, except the credentials that got hackers into the Target partner portal. If you’re a small company doing business with a larger one, it’s easy for hackers to use you as a stepping stone, and in case of a breach it also puts the burden on you to prove compliance and show that your business wasn’t involved or at fault.
Fighting for security budget separate from the general IT budget.
From many a CIO’s perspective, security is just one small part of the overall organization they are responsible for running, so they believe it makes sense that the security budget should be a small percentage of their overall IT budget. The reality is an organization’s security budget should be based on what it will cost the organization to effectively manage their security risk. While there’s a correlation between the size and complexity of an IT organization and the cost to secure it, this simplistic view fails to account for the specific threats, regulations and overall risk appetite of the individual organization. Just like it doesn’t make sense to base your auto insurance liability limits on the annual maintenance costs of your car, it doesn’t make sense to base your overall security budget on the annual operating costs of your IT organization.
With these challenges in mind, there are several important considerations for IT leaders who must deliver the best security while still being realistic about their hiring pool and budgets. First, you can fill staffing gaps by leveraging a Managed Security Services Provider (MSSP) within an enterprise. Because MSSPs are security companies, they are much better positioned to hire and retain employees. Just make sure you have enough internal staff to provide oversight to ensure the MSSP is doing what you’re paying them for while outsourcing as many of the daily tasks to them as possible.
Next, upgrade to modern technologies that automate tasks such as threat correlation. While MSSPs help ease some of the imbalance on the supply side, automation can help ease some of the imbalance on the demand side. By automating tasks that would normally be done by a staff member, companies can either eliminate the need for that staff member or free them up to work on other tasks.
Finally, ensure that the staff you have can constantly up-level their security expertise through the vendors you work with. On-demand access to threat intelligence gives your team a reason to learn, and keeps them happy at work.
With the right mix of attracting the best security talent with compensation and work flexibility, letting employees excel at their jobs with the right tools and level of automation, and breaking bad training habits, CISOs can get ahead of these challenges facing organizations in 2018.