Information security breaches are the new normal. Each day our news feeds are littered with announcements of yet another company disclosing they are the victims of cyber criminals. The current environment suggests a company (at some point in time) will fall prey to hackers. The scope of the breach, damage, and resulting liability will largely depend on how you mitigated risk within your organization. Custom information security strategies help us survive the post-breach fallout.
The single greatest threat to creating a sound strategy remains a shortage of skilled technicians. Technology is certainly able to help us leverage our human resources more efficiently, but it is not meant to replace them. Skilled technicians offer a wealth of knowledge, wisdom, and experience that increases situational awareness, strengthens our ability to respond to and thwart cyber miscreants, and helps us properly manage post-breach stakeholder expectations.
To maximize the success of your strategy, you need to understand the gaps and start filling in the holes.
1. Effective communication
-Maj. Gen. Charles Flynn, commander of the 25th Infantry Division
As I discussed in a previous article, 42 percent of security professionals believe communications skills represent one of the "biggest" skills gaps among security professionals. Unintelligible "dolphin speak" might sound sexy and exciting when you're watching CSI Cyber or Mr. Robot, but it has no place in the boardroom, on the battlefield, or in just about any other real-life situation. Commanders, business leaders, and other stakeholders want to know how cyber crime could impact their organization.
Your team must be able to communicate regarding risk, return on investment, and specific examples relevant to your business.
During the hiring process, you should not only assess technical skills but soft skills as well. Hiring the most technically competent person is not always the best choice. Not everyone is created the same regarding skills, abilities, and talents. Often it requires multiple tools (each with a particular purpose) to fix a problem. Resist the urge to lump everyone together and assume they can communicate effectively.
2. Stop stove piping and integrate
Popular culture often portrays cyber professionals sprinkling their pixie dust from clean work spaces filled with the latest technology in air-tight vaults far away from everyone else. It is the wrong approach because it encourages the "us versus them" mentality. Security professionals exist to support the critical business processes of the enterprise. Our teams need to be integrated among the various business units. Doing so strengthens accountability across functional areas and fosters teamwork.
Building security teams that are technically competent and understand business is imperative. Seventy-two percent of security professionals identified the "ability to understand business" as the largest skills gap in a recent survey by Cyber Security Nexus. Integrate business stakeholders with technical staff to build a robust and efficient security team.
3. Talent management
In light of the global talent shortage, cross training, partnering with academia, and considering candidates with non-traditional backgrounds are all viable strategies. According to Raytheon, many Millennials are unaware of cyber job opportunities, but they're interested. In the same study, Raytheon reports 64 percent of U.S. students said “No teacher or guidance or career counselor ever mentioned the idea of a career in cybersecurity.” Additionally, 43 percent of students surveyed report no cyber security programs or activities were available to them.
Consider administering a cyber talent assessment to current employees or potential hires within your target hiring demographic. Such exams help identify people with attributes necessary to be successful within the information security field. Considering that 24 percent of students (Millennials) felt they were unqualified to enter the information security field, organizations should consider creating an active recruiting effort that exposes potential recruits to industry professionals. Currently, 79 percent of Millennials have never met a practicing cyber security professional.
In light of the significant shortage, retaining talent is another issue that must be addressed sooner rather than later. After all, who wants to invest so much time and money only to lose someone 12 months down the road? While Millennials represent a long-term solution to the talent shortage, we cannot forget those currently within our organization. Leaders need to work with human resource professionals to create flexible and competitive compensation packages.
If you're serious about attracting and retaining top talent, dispense with one-size-fits-all compensation structures. Offer candidates the flexibility to choose what matters most to them. For example, Millennials typically value autonomy and want to work flexible hours as opposed to greater monetary compensation.
For the foreseeable future, demand will continue to outpace supply. The organization that creates a successful security strategy understands the skills gap and looks for innovative ways to attract, develop, and retain professionals. It will also require public-private partnerships that are dedicated to furthering national security.
This article is published as part of the IDG Contributor Network.