How to build a thriving information security function despite the talent shortage

It seems that the industry has reached a nearly unanimous conclusion about a key essential for tight information security — people.

You don’t have to look at online job postings for long to recognize that most of the posted IT jobs relate to information security, with employers attempting to fill many such positions to shore up their cybersecurity posture. As an example, following a  major security breach at the U.S. Office of Personnel Management, the agency announced that it would fill 1,000 information security positions.

Much of the business world now recognizes the challenge in hiring enough qualified information security professionals. As evidence of this, it was reported as part of the 2015 Global Cybersecurity Status Report that 92% of companies surveyed that planned to hire information security professionals, expected to have trouble doing so.

As I mentioned in “Good information security is fun-damental,” many organizations have sought to solve the staffing shortage by spending large amounts of capital on products designed to shore up security. Unfortunately, virtually all of these expensive new products require significant care and feeding. It would be a wonderful world if we could buy automation products that would provide great protection, and with only an on/off switch, but alas, the industry is not there yet. As such, companies are discovering that once they buy that $250,000 security product, they need to immediately hire three people to manage it.

This somewhat defeats the purpose.

There is some hope on the horizon for resolving the talent shortage, with many colleges and technical schools expanding their programs to include security-specific curriculum. Many college students, recognizing the career potential, are taking advantage of those programs. Sadly, this won’t really help for at least a few years.

If you manage information security in an organization faced with this talent shortage, you have likely already discovered that there is no easy button. Fortunately, there are some things you can do to help in the immediate future, including the following: 

Don’t throw money at tools

As I said above, the expensive tools generally require a good bit of care and feeding. While they may be useful in augmenting your security effort, they will in most cases make your staffing issues more acute. Buy tools when they are really needed, but take into account the related staffing requirements. Consider paying the vendor to perform installation and maintenance. 

Do automate and set up procedures

There are many tools and approaches available for automating routine monitoring. My favorite class of tools in this area is log monitoring (Splunk, Greylog, Sumo Logic, etc). These tools require some setup, but once done, you have one place to look for log entries from all of your systems, with some analytics functions that shortcut the monitoring effort.

When dealing with a staff shortage and high turnover rates, it is also critical to have good, tested, written procedures in place for all common functions. Such procedures facilitate cross training, and allow a relatively new employee to come up to speed faster. 

Consider using managers with no security background

I began my career as a systems programmer with IBM working on a complex product. My first manager had come up through the sales ranks. He could talk technology, since he had to sell it. He had never written a line of code and could not have booted the system we maintained. He was, however, a great manager that helped make the product and team successful.

This same technique can be used today when staffing for information security management positions. You can hire proven managers with technical backgrounds, but without strong knowledge of information security, since they will likely be managing analysts and architects that are security subject matter experts. Paraphrasing one of my favorite security podcasts this week, the right question is infinitely more valuable than the right answer. A good manager, regardless of specific background, generally knows how to ask the right questions. 

Use interns

There are many interns looking for some experience in information security as part of their college education. Hiring them can be an invaluable approach to augmenting your security function.

Years ago, I worked with an intern from Georgia Tech, and hired him for a full time position. I proceeded to hire him again at two subsequent companies. He is now one of the top healthcare information security professionals in the country. Do not underestimate the abilities and loyalty of a well chosen intern. 

Outsource

Many information security functions can be outsourced, thus transferring your talent shortage problem to a vendor. Examples of good outsourcing candidates include security operations and monitoring, firewall management, and patch management.

Outsourcers must be chosen with care, however, because you are turning over a critical part of your operation to them. Make sure you understand the limits of the services the provide, so you don’t end up paying for extras after the sale.  A good outsourcer can significantly reduce your stress level. A bad one can push that stress level off the chart.

Bottom line: Staff shortages in information technology are not a new problem. The specific discipline in short supply may change, but the problem will likely always be with us. By being innovative and using sound management practices, you can thrive despite the lack of talent.