Fighting the Good Fight

As information security professionals, we spend much of our time identifying and correcting technical vulnerabilities, be they missing patches or insecure system configurations. We are constantly trying to fix bad behaviours in our people and educate them on effective security practices, but the greatest vulnerability we face is not technical, and it is not even human error: it is trying to fight a war in which we don't have enough soldiers, while there seem to be more and more bad guys who are better armed than we are. Between the increasing demands from management to do more with less, the surge in advanced threats and the increasing competence and sophistication of threat actors, how can we fight a good fight?

Finding and retaining talented and competent information security professionals is another part of the infosec battle, and it is impacting our ability to protect our organisations and their information. What makes matters worse is that this situation is now likely to be the new normal and may deteriorate further.

Recently, Intel Security worked with the Center for Strategic and International Studies (CSIS) on a global report titled "Hacking the Skills Shortage". The study surveyed IT decision makers in Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom and the United States to identify IT security skills gaps and their perceived impact. 82% of respondents reported a shortage of cybersecurity skills, and 71% said that this skills shortage makes their organisation a more desirable hacking target. (ISC)² predicts that by 2020 there will be a shortfall of 1.5 million information security practitioners.

The Australian Government's plan for implementing its Cyber Security Strategy intends to address the shortage of cyber security professionals in the workforce through targeted actions at all levels of the Australian education system, starting with academic centres of cyber security excellence in universities and encouraging more women into information security. Industry has also stepped up through public/private initiatives. Last year the Commonwealth Bank joined forces with the University of NSW in a five-year, $1.6M partnership to develop a centre of expertise in cyber security education aimed at boosting the pool of security professionals. Similarly, Optus Business and Macquarie University have joined forces to establish a $10M multi-disciplinary Cyber Security Hub that will provide research, professional courses and consultancy services to the private and public sectors. These are all great initiatives, but it will take some time to see results.

Any number of survey results and news articles all point to the same very real challenge: there is a lack of skilled information security professionals, and the question is, what can we do about it? The initiatives outlined above will boost supply eventually, but in the meantime what options do we have?

Keep the people you already have

This is obvious! Hold on to the good people you already have and don't lose them; however, this is easier said than done. Given that good people are in short supply and, at the moment (and probably for a long time into the future), infosec jobs aren't, ask yourself what you're doing to keep your people. A commonly quoted phrase is, "People don't leave organisations, they leave managers", and this is very true but an entirely avoidable outcome. A great resource on leadership is James Robbins' book, "Nine Minutes on Monday". James' simple system to help raise productivity, boost morale and increase engagement is built on nine different facets of leadership, the main ones being care, recognition, mastery and purpose. It's not all about money, but you will need to keep track of what the market is paying and make sure that your top performers are adequately remunerated. Also consider training, interesting and challenging projects and flexible work practices to help make your workplace more attractive.

Security automation

Managing information security through manual practices is becoming harder: the amount of security-related data that must be analysed and the number of alerts that require investigation are growing exponentially. Machine learning is a branch of artificial intelligence (AI) that gives computers the ability to learn without being explicitly programmed; it focuses on building systems that learn directly from the data they are fed, in a way similar to how humans learn from experience, so that they effectively program themselves in order to make predictions. Dealing with the increasing number of alerts becomes ever more frustrating for your SOC analysts as they all too often chase false positives. The sheer number of incidents places a strain on your already overworked people, while the small number of true positives remains unchecked, and this can lead to disastrous consequences. The lack of adequate security professionals exacerbates the issue, resulting in overworked security analysts and undetected threats lurking in your environment. Advances in machine learning may reduce the need for SOC analysts, or allow you to redeploy them to other tasks.

Managed Security Services

A managed security services provider (MSSP) can cover the operation and maintenance of many of your security systems, such as firewalls, intrusion detection and intrusion prevention solutions, security event and incident management, and your vulnerability and identity management solutions. A growing number of organisations are looking to MSSPs to manage all or some elements of their information security program as part of an outsourced or, in some cases, co-sourced arrangement. This allows you to spend your budget on more value-adding functions such as governance, strategy, architecture, active threat hunting and business engagement. Introducing an MSSP can create other issues if you pick the wrong one or sign up to a bad contract: the added costs of managing the inevitable "that's going to be a change request" process, monitoring vendor performance and dealing with ongoing contractual disputes can quickly erode any value the arrangement provides.

Upskilling Existing Team Members

Infosec professionals are created and developed through on-the-job training; certifications are great but only go so far, and nothing is better than experience, the act of doing and learning from a good teacher. Another approach to addressing the shortage of infosec professionals is to find capable and interested people already in your organisation and train them. Security is now part of everyone's job anyway, so why not formalise it by rotating people through your security team? Great candidates can probably be found in your desktop support, network, server and database administration teams. Start with capable people and train them. The downside of this approach is that, yes, they will become more marketable as a result of learning new skills. The benefit when they return to their team is the increased security knowledge and awareness that they will apply to their jobs.

Encouraging Diversity

More women should be encouraged to consider careers in infosec, and this was discussed at the recent Oceania CACS Conference. Suggestions for increasing diversity include the option of more flexible working arrangements and ensuring that existing members of the profession become mentors who provide support and guidance to the people coming through. Increasing the number of female role models in science, technology, engineering and mathematics (STEM) related careers will also help. Australia's Cyber Security Strategy acknowledges that the infosec profession "suffers from low participation from women – which means we are not harnessing the full potential of our talent pool". In order to fix this imbalance, the government proposes to implement a "range of integrated actions developed with the private sector and research community." These actions will complement an increased focus on cyber security for all students across every level of education. In 2015 the government's Innovation Statement outlined a plan to boost the number of women studying STEM subjects and provide $13M worth of funding to support the initiative.

All in all, the current shortage of talented information security professionals adds yet one more interesting challenge to overcome when running and managing an information security program.

Stories by Wayne Tufek