How CISOs can beat the information security skills-gap

CISOs can beat the infosec skills shortage. Here’s how

The information security skills gap may have become a huge issue for Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs), but there are a number of ways InfoSec teams can work around the shortage so as to protect their networks and stay ahead of the attackers.

Outsourcing staff

When people think of outsourcing, they often think of outsourcing services. A company may, for example, choose to outsource its accounting, customer management, or recruitment.

However, it’s worth noting that you can also outsource talent, and this is a pertinent point for an understaffed and under-skilled security industry.

Most security teams are increasingly working with penetration testers, consultants and incident response (IR) experts, but this writer knows of at least one CISO, working at a major transportation company, whose own team is formed almost entirely of experienced contractors.

This may sound extreme, but there are numerous benefits to outsourcing your team. For starters, these personnel are usually heavily experienced, with years in the industry, perhaps even within specific sectors, and they can hit the ground running from day one. As a result, there’s no need to train them up, and because they earn lucrative salaries there’s little chance of them jumping ship.

Push work to other teams

Information security is a broad field which encompasses various other parts of the business. Brian Honan, managing director at BH Consulting and a cyber-security adviser at Europol, believes that CISOs should take advantage of this by pushing work elsewhere.

“The first thing CISOs should do is look at what alternatives there may be to alleviate the pressures on their areas,” Honan tells CSO Online.

“For example, some routine security tasks could be operationalized and given to other areas including the business, such as IT, compliance, or risk functions. Those tasks that can't be given to another team could be outsourced to external providers.”

Use automated technologies

One of the consequences of the lack of skilled personnel, and thus resources, is that companies often don’t see the threat from attackers until it’s too late. Data breaches are classic examples of security teams having little idea of what’s happening on their own networks, with reports suggesting that average breach detection times run into weeks rather than days.

A lot of this failure to detect and respond comes down to resources, poorly practiced incident response (IR) plans and weak log management.

However, all is not lost thanks to the rise of automated technology which simplifies the process of detecting and removing threats, whilst protecting key business assets.

Richard Starnes, CISO at the Kentucky Health Cooperative, believes that relying on SIEMs from vendors is a positive first step for automating security.

“There is a great deal to be said for the automation of information security, such as in GRC or even outsourcing, particularly in areas like SIEMs,” Starnes told CSO Online.

“This reduces the need for staff, particularly in large organizations where a 24/7/365 capability may be required. Also, with the outsourcing of SIEMs, you can utilize the cross skills, experience and the intelligence capabilities of the vendor. That must be weighed against the obvious downsides of outsourcing security capabilities.”

Quentyn Taylor, head of information security at Canon Europe, adds: “In the security space automation is the key, from the operational sphere to the investigative sphere, automation is what is needed to ensure that the response and action is timely enough to be effective. The key point is that for automation to be effective the staff themselves should be part of the design and implementation.”

Up-skill existing staff

Given both the skills shortage, and the fact that most computer science students would likely rather build the next Facebook than, say, a next-gen firewall, CISOs and CSOs are limited in where their next InfoSec professional is coming from.

One suggestion is to up-skill existing employees that show a passion or aptitude for security.

“Develop and promote your internal staff,” says Starnes. “Create a work environment where they are happy and fulfilled. Keep their remuneration at a sustainable level. This will reduce your staff churn significantly. Recruit as you would normally and bring your new staff into this environment. You will always lose a few, but you will keep many of them and people will want to come work for you on their own.”

Honan adds: “I think this is an area often overlooked by many CISOs, to their own detriment. Too often the focus in security is on technical skills, yet security needs those with people skills, report writing, communication skills, and analysis skills. People with these skills can be a great asset for the security team and enables the CISO to extend their recruiting net into other industries.”

Taylor says: “We have all known that network and server ops staff can make superb InfoSec staff, however there are also other areas I suspect can be useful.

“If you think about what security awareness is at its core, it is communications. I believe staff from these areas would bring a totally new perspective to InfoSec. Many other areas also have relevant transferable skills that can add to InfoSec teams.”

Hire from other sectors

Security experts have long argued that information security is not just about the technology, and that the nitty-gritty technical details can be taught if personnel have the other appropriate skills and experience.

“Information assurance is not just a skill; it is also a mind-set, a way of thinking,” says Starnes. “That mind-set is curiosity, tenacity and a passion for information assurance. Those traits can be found in any number of professions and industries. Find the mind-set and the passion first; the skills and experience can be developed.”

Taylor agrees, adding: “The right skills can be found - what I find more challenging is finding people with the right aptitudes and experience.

“My first suggestion would be to review hiring role descriptions and cut back on the mandatory skills and qualifications and see what candidates you get. Many people believe that certification is a substitute for experience or that demanding the right certification will ensure the correct level of experience, but I find this not the case.”

Run or attend competitions

There are numerous competitions, workshops and even holiday camps for those interested in a career in security – and so it makes sense for CISOs and CSOs to attend or organize as many of these as possible.

A lot of these competitions, like CyberLympics in Europe and the Cyber Security Challenge in the UK, are interactive, role-based games, and so they give a great insight into how the participants would tackle similar situations in real life. Security pros can also be found through initiatives like the SANS Institute’s Cyber Academy, or meet-up hackathons.

“Many [CISOs] are doing the above but even going a step further with initiatives such as running capture the flag competitions and/or hackathons sponsored by the company,” says Honan.

“This allows the company to identify potential talent to recruit into the team. Others will offer placements for university students during the holidays, or work with the research function of universities on joint projects.”

By Doug Drinkwater