How CISOs can beat the information security skills-gap

The information security skills gap may have become a huge issue for Chief Security Offices (CSOs) and Chief Information Security Officers (CISOs), but there are a number of ways InfoSec teams can work around the shortage so to protect their networks and stay ahead of the attackers.

Outsourcing staff

When people think of outsourcing, they often think of outsourcing services. A company may, for example, choose to outsource its accounting, customer management, or recruitment.

However, it’s worth noting that you can also outsource talent and this is a poignant note for an understaffed and under-skilled security industry.

Most security teams are increasingly working with penetration testers, consultants and incident response (IR) experts, but this writer knows of at least one CISO, working at a major transportation company, whose own team are formed almost entirely of experienced contractors.

This may sound extreme but there are numerous benefits to outsourcing your team. For starters, these personnel are usually heavily-experienced with years in the industry, perhaps even within specific sectors, while they can hit the ground running from day one. As a result, there’s no need to train them up and they earn lucrative salaries, so there’s little chance of them jumping ship.

Push work to other teams

Information security is a broad field which encompasses various other parts of the business. Brian Honan, managing director at BH Consulting and a cyber-security adviser at Europol, believes that CISOs should take advantage of this by pushing work elsewhere.

“Thefirst thing CISOs should do is look at what alternatives there may be to alleviate the pressures on their areas,” Honan tells CSO Online.

“For example, some routine security take could be operationalized and given to other areas including the business, such as IT, compliance, or risk functions. Those tasks that can’t be given to another team could be outsourced to external providers.”

Use automated technologies

One of the falls-out from the lack of skilled personnel, and thus resources, is that companies often don’t see the threat from attackers until it’s too late. Data breaches are classic examples of security teams having little idea of what’s happening on their own networks, with reports suggesting that average breach detection times run into weeks rather than days.

A lot of this failure to detect and respond comes down to resources, poorly practiced incident response (IR) plans and weak log management.

However, all is not lost thanks to the rise of automated technology which simplifies the process of detecting and removing threats, whilst protecting key business assets.

Richard Starnes, CISO at the Kentucky Health Cooperative, believes that relying on SIEMs from vendors is a positive first step for automating security.

“There is a great deal to be said for the automation of information security, such as in GRC or even outsourcing, particularly in areas like SIEMs,” Starnes told CSO Online.

“This reduces the need for staff, particularly in large organizations where a 24/7/365 capability may be required. Also, with the outsourcing of SIEMs, you can utilize the cross skills, experience and the intelligence capabilities of the vendor. That must be weighed against the obvious downsides of outsourcing security capabilities.”

Quentyn Taylor, head of information security at Canon Europe, adds: “In the security space automation is the key, from the operational sphere to the investigative sphere, automation is what is needed to ensure that the response and action is timely enough to be effective. The key point is that for automation to be effective the staff themselves should be part of the design and implementation.”

Up-skill existing staff

Given both the skills shortage, and the fact that most computer science students would likely rather build the next Facebook than, say, a next-gen firewall, CISOs and CSOs are limited in where their next InfoSec professional is coming from.

One suggestion is to up-skill existing employees that show a passion or aptitude for security.

“Develop and promote your internal staff,” says Starnes. “Create a work environment where they are happy and fulfilled. Keep their remuneration at a sustainable level. This will reduce your staff churn significantly. Recruit as you would normally and bring your new staff into this environment. You will always lose a few, but you will keep many of them and people will want to come work for you on their own.”

Honan adds: “I think this is an area often overlooked by many CISOs, to their own detriment. Too often the focus in security is on technical skills, yet security needs those with people skills, report writing, communication skills, and analysis skills. People with these skills can be a great asset for the security team and enables the CISO to extend their recruiting net into other industries.”

Taylor says: “We have all known that network and server ops staff can make superb InfoSec staff, however there are also other areas I suspect can be useful.

“If you think what security awareness is at its core it is communications, I believe staff from these areas would bring a totally new perspective to InfoSec. Many other areas also have relevant transferable skills that can add to InfoSec teams.”

Hire from other sectors

Security experts have long-since argued that information security is not just about the technology, and that the nitty gritty technical details could be taught if personnel had the appropriate other skills and experiences.

“Information assurance is not just a skill; it is also a mind-set, a way for thinking,” says Starnes. “That mind-set is curiosity, tenacity and a passion for information assurance. Those traits can be found in any number of professions and industries. Find the mind-set and the passion first, the skills and experience can be developed.”

Taylor agrees, adding: “The right skills can be found – what I find more challenging is finding people with the right aptitudes and experience.

“My first suggestion would be to review hiring role descriptions and cut back on the mandatory skills and qualifications and see what candidates you get. Many people believe that certification is a substitute for experience or that demanding the right certification will ensure the correct level of experience, but I find this not the case.”

Run or attend competitions

There are numerous competitions, workshops and even holiday camps for those interested in a career in security – and so it makes sense for CISOs and CSOs to attend or organize as many of these as possible.

A lot of these competitions, like CyberLympics in Europe and the Cyber Security Challenge in the UK, are interactive and role-based game and so they give a great insight into how the participants would tackle similar situations in real-life. Security pros can also be found from initiatives like SANS Institute’ Cyber Academy, or meet-up hackathons.

“Many [CISOs] are doing the above but even going a step further with initiates such as running capture the flag competitions and/or hackathons sponsored by the company,” says Honan.

“This allows the company to identify potential talent to recruit into the team. Others will offer on placements for university students ‎during the holidays, or work with the research function of universities of joint projects.”