At the Black Hat USA Conference in July, Tripwire surveyed 167 attendees to find out the one thing they would change to improve security:

44% would increase the number of highly skilled security professionals
32% would increase their budget
24% wished for executive buy-in to security goals and objectives (note the wording)

The desire for additional professionals matches other reports and claims from the last few years. It seems the largest challenge to the industry, and to companies working to improve their security posture, is a stunning lack of competent professionals able to do the work.

Be kind, for everyone you meet is fighting a hard battle. -- John Watson

When in the trenches, overwhelmed, and burning out, the mountain looks insurmountable. The majority of the teams I work with start early, end late, and put time in on weekends. Most days are spent reacting and bouncing between meetings.

Given that daily experience, the conclusion that we need more people seems reasonable. If only we had more skilled professionals, more budget, or more buy-in, everything would be okay.

Would it?

Uncovering the underlying challenge

While it seems like we're climbing a mountain that demands more professionals, additional people working in the same fashion under the same conditions only breeds more of the same.

The real challenge is the underlying and ongoing struggle for security and technology leadership to demonstrate value, measure what matters, and communicate what counts.

We find ourselves unable to clearly and consistently articulate the value of our work. How does each person, program, and policy increase the value of the organization? How is it aligned to the business and advancing the mission?

As a result, our teams take on work that we shouldn't. Our days, weeks, and months are spent with too much time reacting and not enough time stepping back to find and implement efficiencies. We miss the chance to communicate the value of security, and with it the chance to get the budget, buy-in, and help from others.

Executives care about security

Despite the notion that executives aren't buying in to security, my experience working with CIOs and leadership across industries reveals they care deeply.

Caring doesn't mean understanding.

I recently sat with the CFO of a large organization, who was responsible for security. He was new to the position. I asked him if security was important. When he replied that it was, I pressed further and asked if he wanted to learn, or just wanted the answers.

I was polite, but the question was admittedly pointed.

He sat back in his chair, silently, for about 30 seconds. Maybe longer. Long enough that I wondered if perhaps I had crossed a line.

He looked me in the eye and explained that he did care, but that he didn't understand.

He asked us to teach him, to make it make sense. He explained that by teaching him, he could carry the message to his peers. He shared his desire to lead by example. His success, then, depended on us explaining security to him so he could share it with others.

The solution: distributing the workload

We have technology solutions. A lot of technology solutions. The broad challenge we face in security is shifting our focus to value, measurement, and communication.

In the Tripwire survey, I found the wording "for executive buy-in to security goals and objectives" curious. We support the business, not the other way around. Security must understand the goals and objectives of the business and align to those.

My conversation with the CFO revealed a pathway to success: a way for security to understand and support the business.

His vision was to have the security team serve as the center of expertise, building understandable approaches and teaching them to everyone in the company, distributing the effort in a way that improves security and reduces costs for everyone.

That's the way to fix the looming "shortage."

We don't need more security professionals. We need to distribute the workload, shifting responsibility to others to free up resources to tackle new challenges. Ultimately, those new solutions get pushed out to others too, in a natural, healthy cycle.

Adopting an approach like this means the security team can prioritize and focus on more challenging (and interesting) issues, increasing the value provided to the organization.

This is a step in the right direction.

This will take time. The sooner we start, the better.

Instead of focusing on a demand for more people or a wish for executive buy-in, we need to focus on systematically changing behaviors by making security make sense.

This is a shift in strategy that dictates a change in tactics.

It puts the responsibility on security to prioritize and to communicate the value of these efforts effectively. It's a dramatic change from the practices of the past, which means it will take some time and effort to make the switch.

In the process, we can demonstrate the value necessary to earn buy-in and budget. If we focus on building and operating better systems, our role shifts to finding more efficient ways to manage them.

What do you think?

This is intended to start a dialog about addressing a potential (perceived) shortfall by using what we have better, enlisting the help of others, and focusing on where we provide the most value.

This is only the start.

What do you think? What else should we do?