A growing skills shortage in IT has created both problems and opportunities, the result of which will mean that the security team of tomorrow is going to be much more diverse. With that in mind, EMC's Security for Business Innovation Council has published seven recommendations to make the transition easier.
In a new report from EMC's Security for Business Innovation Council (SBIC), the notion of building the security team of tomorrow is examined, as are the reasons for it. Last year, business leaders had their eyes opened to the fact that 25 percent of mid-market and enterprise organizations reported a "problematic shortage" of IT skills, along with the fact that 83 percent of enterprise organizations reporting that it was difficult to recruit and hire information security specialists.
According to the SBIC report, information security is no longer just about implementing and operating security controls, but the mission has evolved to "include advanced technical and business-centric activities such as: business risk analysis, asset valuation, IT supply chain integrity, cyber intelligence, security data analytics, data warehousing, and process optimization."
This mission growth translates into a need for specific skill sets, but the shortage of such talent makes building an effective team a monumental task. However, with this problem comes an opportunity.
"In many organizations, personnel outside of security are starting to realize that they — not security — own the risks to their information assets and they need to actively partner with security to manage those risks," the SBIC report states.
"To be successful, the information security function is a cross-organizational endeavor, with security processes deeply embedded into business processes."
In the not so distant future, the security team of tomorrow will include personnel within IT, business units, and departments throughout the organization including legal, procurement, and marketing. The core security team, which is what exists today, will work with the others to coordinate the overall efforts, while focusing their energies on tasks that require specialized knowledge or centralization.
"The core security team's expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats, and moving the organization forward — not be encumbered by the day-today routine operational activities," said Bob Rodger, Group Head of Information Security for HSBC Holdings.
The SBIC has offered seven recommendations designed to help organizations build their extended security team over time. CSO has included a brief overview of those suggestions below. Additional details can be found in the full SBIC report.
Redefine and Strengthen Core Competencies: Focus the core team on increasing proficiencies in four main areas: cyber risk intelligence and security data analytics, security data management, risk consultancy, and controls design and assurance.
Delegate Routine Operations: Allocate repeatable, well-established security processes to IT, business units, and/or external service providers.
Borrow or Rent Experts: For particular specializations, augment the core team with experts from within and outside of the organization.
Lead Risk Owners in Risk Management: Partner with the business in managing cybersecurity risks and coordinate a consistent approach. Make it easy for the business and make them accountable.
Hire Process Optimization Specialists: Have people on the team with experience and/or certifications in quality, project or program management, process optimization, and service delivery.
Build Key Relationships Be well positioned to have influence with key players such as owners of the "crown jewels," middle management, and outsourced service providers.
Think Out-of-the-Box for Future Talent: Given the lack of readily available expertise, developing talent is the only true long-term solution for most organizations. Valuable backgrounds can include database administration, software development, business analysis, military intelligence, legal or privacy officers, data science, mathematics, or history.