Cybersecurity pros pushed into sales roles

An employee with a security background is a hot commodity these days. And one who is a jack of all trades is even hotter in a market where there is a shortage in cybersecurity-skilled employees.

It has gotten to the point that besides trying to secure the product, companies are asking their security pros to explain and sell the product to prospective clients.

"I guess you could say we've come full circle when the analysts who were in need of the product are now helping to sell the product," said Chris Camacho, chief strategy officer at Flashpoint. He said while the shortage of cybersecurity staff continues, many enterprises are now looking for less volume and for more specialization. 

He added on the flip side of all this are the companies working to develop security products. "They know that the threat is evolving, security departments are often under-staffed, and understanding their product is the key to a sale. So they've begun to hire the traditional threat intelligence analyst and to put them to work as a sales engineer or solutions architect," Camacho said.

Their role is to help prospects understand their security product and how best to use the product to have an impact on their company, he said.

In addition, multiple product companies are taking this approach as well. Instead of hiring traditional analysts, they are demanding specialization of analysts on specific threat actors, regions, and languages, as this service offering is resonating with the enterprises that they sell too, he said.

"With so many different product companies out there, they are looking for ways to stand out in the crowd, and the leaders in this space are adopting this strategy as a way to reach new customers and retain existing ones," Camacho said. "Enterprises that have an existing generalists will use these vendors as an add on to augment what they have currently if they decide to not make the move towards specialization themselves." 

James Stanger, senior director of products at CompTIA, said good companies - especially security software companies - use technical sales folks all of the time. "It's a time-honored practice. Adding a threat intelligence analyst to the sales process can make a lot of sense," he said.

One reason is that threat hunting has become so important, he added. Also, the job role of security analyst has grown tremendously over the past two years, and it will continue to grow.

Traditionally, security workers are focused on either vulnerability management or penetration testing. But those roles have morphed into the security analyst job role, he said.

That has occurred because traditional vulnerability management alone doesn't really find where the attacks are going to occur. "There are too many vulnerabilities to address, so it's difficult to apply resources logically to resolve them. Penetration testing doesn't help as much as we thought, unless it's in the service of proper security analytics," Stanger said.

"Lately, folks are feeling that an analyst can help find the most likely risks more efficiently. Once you've found those risks, it's easier to apply resources (e.g., time, effort, energy, software) to address those risks," he said.

"It does make sense that an analyst is now being brought into the software sales dance. Whether or not that's really going to resolve our security issues is another question," Stanger said. "One could argue that more software sales won't help resolve our security issues until business get their business issues in order first."

Seth Robinson, senior director, technology analysis, CompTIA, and the author of the study “The Evolution of Security Skills”, said in general, companies are finding a need to create security specializations since the topic is so broad and complex.

"In the past, security tasks were typically done by an infrastructure team, but today's triple focus on technology, process, and education drives demand for specialized security skills. The downside to this approach is budget--a number of specialists cost more than a single generalist," Robinson said. "But businesses will have to assess the appropriate security budgets in an era where security breaches can take down entire companies."

Other companies haven't caught up to the times

Trying to shoehorn an employee into a sales role can be difficult, especially when the market is not churning out enough qualified candidates.

CompTIA said in its report that new training is needed to close skill gaps. Some companies are in a position to hire or partner in order to meet security needs, but the most common approach is to improve the existing workforce. For technical workers, 60 percent of companies use training to build security expertise, and 48 percent pursue certifications. Many companies are also extending training to the general workforce. Ongoing programs that measure knowledge can improve security literacy for employees that are increasingly using and procuring technology.

Most companies are left with skill gaps, areas where the in-house workforce or partner network lacks expertise. CompTIA said only 33 percent of companies feel that they have a very high level of security understanding within the organization. While this is primarily driven by the security knowledge of the overall workforce, skill gaps among those responsible for security also factors in.

The top two skills in need of improvement, according to CompTIA, are general infrastructure security and knowledge of various threats. Infrastructure security has expanded from basic firewalls and data encryption into application-aware firewalls, intrusion detection/prevention, and network monitoring. Similarly, the variety of attacks continues to grow, with Kaspersky Lab reporting that it discovers 323,000 new malware samples each day and other attacks such as denial of service and SQL injection adding to the complexity.

According to CompTIA's report, on the technical side, cloud computing drives a need for security directly attached to applications and data. As these components move from on-premises systems into cloud providers, safeguards are needed on top of the security provided at the layer of the cloud offering.

Across the board, small businesses trail their larger counterparts in reporting a need for skill improvement. Small companies will need to realize that new skills are needed as new attacks may target the lowest defenses rather than the most profitable victims, CompTIA wrote.

"Organizations must shift to proactive measures, including external audits, penetration testing, and security training. Strong defenses will always play a role, but they must be coupled with ongoing offensive activity," CompTIA wrote in its report.

In its survey, although 14 percent of companies do not have dedicated security roles, many firms are searching for security specialists. The top role in demand is cybersecurity analyst, an employee who proactively monitors networks and uses analytics to assess threats and provide remediation.

CompTIA reports that many companies remain on the defensive, fighting cyber threats with dated tactics and training. "Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated," Robinson said. "But a new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them."

One of the challenges for organizations is that they tend to place the greatest emphasis on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, typically get the most attention.

"While we certainly need to remain vigilant about these threats, many other forms of attack have emerged that can carry disastrous consequences," Robinson said.

Companies are gradually shifting their focus from defense to offense. In CompTIA's survey of business and technology executives at 350 U.S. companies, 29 percent of firms said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures.