At the Black Hat USA Conference in July, Tripwire surveyed 167 attendees to find out the one thing they would change to improve security:
- 44% would increase the number of highly skilled security professionals
- 32% would increase their budget
- 24% wished for executive buy-in to security goals and objectives (note the wording)
The desire for additional professionals matches other reports and claims for the last few years. It seems like the largest challenge to the industry and companies working to improve their security posture is a stunning lack of competent professionals able to do the work.
Be kind, for everyone you meet is fighting a hard battle. -- John Watson
When in the trenches, overwhelmed, and burning out, the mountain looks insurmountable. The majority of the teams I work with start early, end late, and put time in on weekends. Most days are spent reacting and bouncing between meetings.
With that daily experience, the conclusion that we need more people seems reasonable. If only we had more skilled professionals, more budget, or more buy-in, everything would be okay.
Uncovering the underlying challenge
While it seems like we're climbing a mountain that demands more professionals, additional people working in the same fashion under the same conditions only breeds more of the same.
The real challenge is the underlying and ongoing struggle for security and technology leadership to demonstrate value, measure what matters, and communicate what counts.
We find ourselves unable to clearly and consistently articulate the value of our work. How does each person, program, and policy work to increase the value of the organization? How is it aligned to the business, advancing the mission?
As a result, our teams take on work that we shouldn't. Our days, weeks, and months are spent with too much time reacting and not enough time stepping back to find and implement efficiencies. We're missing the chance to communicate the value of security to get the budget, buy-in, and help from others.
Executives care about security
Despite the notion that executives aren't buying in to security, my experience working with CIOs and leadership across industries reveals they care deeply.
Caring doesn't mean understanding.
I recently sat with the CFO of a large organization who was responsible for security. He was new to the position, and I asked him if security was important. When he replied it was, I pressed further and asked if he wanted to learn, or just wanted the answers.
I was polite, but the question was admittedly pointed.
He sat back in his chair, silently, for about 30 seconds. Maybe longer. Long enough that I wondered if perhaps I had crossed a line.
He looked me in the eye and explained that he did care, but that he didn't understand.
He asked us to teach him, to make it make sense. He explained that by teaching him, we would enable him to carry the message to his peers. He shared his desire to lead by example. His success, then, depended on our ability to explain security to him so he could share it with others.
The solution: distributing the workload
We have technology solutions. A lot of technology solutions. The broad challenge we face in security is shifting our focus to value, measurement and communication.
In the Tripwire survey, I found the wording "for executive buy-in to security goals and objectives" curious. We support the business, not the other way around. Security must understand the goals and objectives of the business and align to those.
My conversation with the CFO revealed a pathway for success: a way for security to understand and support the business.
His vision was to have the security team serve as the center of expertise -- to build understandable approaches and teach them to everyone in the company. To distribute the effort in a way that improves security and reduces costs for everyone.
That's the way to fix the looming "shortage."
We don't need more security professionals. We need to distribute the workload, shifting responsibility to others to free up resources to tackle new challenges. Ultimately, those new solutions get pushed out to others, too, in a natural, healthy cycle.
Adopting an approach like this means the security team can prioritize and focus on more challenging (and interesting) issues, increasing the value provided to the organization.
This is a step in the right direction.
This will take time. The sooner we start, the better.
Instead of focusing on a demand for more people or a wish for executive buy-in, we need to focus on systematically changing behaviors by making security make sense.
This is a shift in strategy that dictates a change in tactics.
It puts the responsibility on security to prioritize and communicate the value of these efforts effectively. It's a dramatic change from the practices of the past, which means it will take some time and effort to make the switch.
In the process, we can demonstrate the value necessary for buy-in and budget. If we focus on building and operating better systems, our role shifts to finding more efficient ways to manage them.
What do you think?
This is intended to start a dialog about addressing a potential (perceived) shortfall by using what we have better, enlisting the help of others, and focusing on where we provide the most value.
This is only the start.
What do you think? What else should we do?