As the shortage of skilled security staff widens, the effects on policy and products across the security organization must be factored into the choice to pursue alternative sources of talent.

Several CISOs I've spoken with recently have lamented that, while cybersecurity assurance stands on three legs – people, policy and products – the industry is weighed down by one overarching problem: a shortage of talent with the right skills. It's true, of course, but it's also a little more involved than that, because a decision about any one of the three legs has a relational effect on the others. A skills shortage isn't just a human resources problem; it has implications for policy and products too.

Navigating alternative sources of talent

Few sectors in the economy can claim zero, or near-zero, unemployment. That security does has forced the industry to find creative ways to navigate the talent shortage. Consequently, many organizations have opted to hire individuals with the aptitude to acquire the necessary skills on the job rather than demonstrated experience. Today, it is not uncommon to find people hired with little more than a degree in epidemiology, linguistics or music – and an eagerness to learn cybersecurity. Many senior leaders, for example, have pointed to the similarities between music composition and cybersecurity: both involve learning a new language and understanding how to arrange new building blocks (words, phrases, musical notes, software code) into meaning.

While this talent acquisition strategy has proven successful in some organizations, it also introduces complications when things go horribly wrong. We all remember the criticism leveled at Equifax when it was discovered that a key employee had a music degree.
Indeed, the optics look bad to the casual observer, but my thesis is that when things go wrong in this way, it's because the pillars of policy and products are out of alignment with the people strategy.

Effects of policy in a skills shortage

Security policy is one of the most difficult challenges for CISOs. It is often considered a balancing act between security and business efficacy. Yet the talent acquisition strategy should also be a factor in the policy consideration.

The traditional password policy is a simple but solid example. It was once considered best practice to make users create unique, long and complex passwords, and then force a change at regular intervals. The concept sounds logical, but such a policy adversely affects security for two important reasons.

First, the inability to remember complex passwords spurs users to simply write them down, often on a brightly colored sticky note tucked, not very surreptitiously, under a mouse pad. Second, those who didn't write passwords down were prone to add to the volume of reset calls to the IT help desk. That is a systemic tax on resources, and it also gives adversaries a new way in, since a busy reset desk is a ready target for social engineering. Aptitude and enthusiasm cannot hold their own against experience if the policy is working against them.

Impact of products on talent

Many of us learned to ride a bike that was matched to our skill level. If you had a bike, chances are your first one was modest in size and came with training wheels. In this context, it's easy to see the potential pitfalls had we been invited to learn on a bike designed for competitive or professional races.

Technology clearly has an impact on talent and policy – and vice versa.
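Policy and product meet in the password example above: the rules a CISO writes are only as good as what the identity system enforces, and what it enforces shapes what users do. The following is an added illustration, not code from the original article or its author. It puts the legacy policy the article criticises (composition rules plus forced rotation) beside the approach NIST SP 800-63B recommends instead (length limits, no periodic rotation, rejection of passwords known from breaches). The breached-password corpus and the sample accounts are constructed for the example, and the lookup is only shaped like the Pwned Passwords range query (compare a SHA-1 prefix, match the suffix locally); nothing here contacts a real service.

```python
"""
Added example: two password-policy evaluators side by side.

  legacy_policy    - composition rules plus forced rotation (the policy the
                     article criticises).
  screening_policy - length plus breached-password screening, no rotation,
                     per NIST SP 800-63B section 5.1.1.2.

All data below is constructed for the example; nothing is fetched remotely.
"""
import hashlib
import string
from dataclasses import dataclass
from datetime import date

# Constructed, deliberately tiny breached-password corpus (assumption).
# The lookup is shaped like the Pwned Passwords range API: only the first
# five hex characters of the SHA-1 would leave the host; the suffix is
# compared locally.
_BREACHED_PLAINTEXT = {"password", "P@ssw0rd1!", "Summer2018!", "qwerty123"}
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _BREACHED_PLAINTEXT}


def _range_lookup(prefix):
    """Stand-in for the remote range query: every hash suffix for a 5-char prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the exact password appears in the breached corpus."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in _range_lookup(h[:5])


@dataclass
class Account:
    password: str
    last_changed: date


def legacy_policy(acct, today, min_len=8, max_age_days=90):
    """Composition rules plus forced rotation. Returns the failure reasons
    (empty list means the account complies)."""
    p = acct.password
    reasons = []
    if len(p) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if not any(c.isupper() for c in p):
        reasons.append("no uppercase letter")
    if not any(c.islower() for c in p):
        reasons.append("no lowercase letter")
    if not any(c.isdigit() for c in p):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in p):
        reasons.append("no symbol")
    if (today - acct.last_changed).days > max_age_days:
        reasons.append("not changed in %d days" % max_age_days)
    return reasons


def screening_policy(acct, today, min_len=8, max_len=64):
    """Length bounds plus breached-list screening; no composition rules and
    no periodic rotation (change only on evidence of compromise). `today`
    is accepted so both policies share a signature; it is unused here."""
    p = acct.password
    reasons = []
    if len(p) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if len(p) > max_len:
        reasons.append("longer than %d characters" % max_len)
    if is_breached(p):
        reasons.append("appears in breached-password corpus")
    return reasons


def evaluate(accounts, today):
    """Map each account label to (complies_with_legacy, complies_with_screening)."""
    return {label: (not legacy_policy(a, today), not screening_policy(a, today))
            for label, a in accounts.items()}


# Constructed sample accounts (assumption), evaluated as of a fixed date.
TODAY = date(2018, 10, 1)
SAMPLE = {
    "breached_but_complex": Account("P@ssw0rd1!", date(2018, 9, 1)),
    "long_passphrase":      Account("correct horse battery staple", date(2017, 1, 1)),
    "seasonal_rotation":    Account("Summer2018!", date(2018, 6, 1)),
}

if __name__ == "__main__":
    for label, (legacy_ok, screening_ok) in evaluate(SAMPLE, TODAY).items():
        print("%-22s legacy=%-5s screening=%s" % (label, legacy_ok, screening_ok))
```

The three constructed accounts show the mismatch. A breached but "complex" password sails through the legacy policy and is rejected by screening. A long passphrase fails every legacy composition rule yet is the stronger credential. The seasonal password fails both, but for different reasons: the legacy policy only notices it because 90 days have elapsed, while screening rejects it outright because it is already in a breach corpus, which is the property that actually matters to an attacker.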
If you accept the premise that people, policies and products in cybersecurity are interdependent, then security technology choices must complement the policies and personnel strategies amid the skills constraints in today's market. To be clear, vendors are not immune from criticism. In fact, more than ever, they have an obligation to reduce complexity, rally around standards and support interoperability.

Aligning people, policy and products

For most CISOs, recruiting, staffing and professional development will be a primary leadership challenge for the foreseeable future. Whether an organization chooses to pursue alternative sources of talent or not, the dependent relationship between people, policy and products should not be overlooked.