As information security professionals, we spend much of our time identifying and correcting technical vulnerabilities, be they missing patches or insecure system configurations. We are consistently trying to fix bad behaviours in our people and educate them on effective security practices. But the greatest vulnerability we face is not technical, and it is not even human error: it is trying to fight a war where we don't have enough soldiers while the number of bad guys keeps growing and they are better armed than we are. Between the increasing demands from management to do more with less, the surge in advanced threats and the increasing competence and sophistication of threat actors, how can we fight a good fight?
Finding and retaining talented and competent information security professionals is another part of the infosec battle, and it is impacting our ability to protect our organisations and their information. What makes matters worse is that this situation is now likely to be the new normal and may even get worse.
Recently, Intel Security worked with the Center for Strategic and International Studies (CSIS) on a global report titled "Hacking the Skills Shortage". The study surveyed IT decision makers in Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom and the United States to identify IT security skills gaps and their perceived impact. 82% of respondents reported a shortage of cybersecurity skills, and 71% said that this skills shortage makes their organisation a more desirable hacking target. (ISC)2 predicts that by 2020 there will be a shortfall of 1.5 million information security practitioners.
The Australian Government's plan for implementing its Cyber Security Strategy intends to address the shortage of cyber security professionals in the workforce through targeted actions at all levels of the Australian education system, starting with academic centres of cyber security excellence in universities and encouraging more women into information security. Industry has also stepped up through public/private initiatives. Last year the Commonwealth Bank joined forces with the University of NSW in a five-year, $1.6M partnership to develop a centre of expertise in cyber security education aimed at boosting the pool of security professionals. Similarly, Optus Business and Macquarie University have joined forces to establish a $10M multi-disciplinary Cyber Security Hub that will provide research, professional courses and consultancy services to the private and public sectors. These are all great initiatives, but it will take some time to see results.
Any number of survey results and news articles all point to the same very real challenge: there is a lack of skilled information security professionals, and the question is, what can we do about it? The initiatives outlined above will boost supply eventually, but in the meantime what options do we have?
Keep the people you already have
This is obvious! Hold on to the good people you already have and don't lose them. However, this is easier said than done. Given that good people are in short supply and, at the moment (and probably for a long time into the future), infosec jobs aren't, ask yourself what you're doing to keep your people. A commonly quoted phrase is, "People don't leave organisations, they leave managers". This is very true, but it is an entirely avoidable outcome. A great resource on leadership is James Robbins' book, "Nine Minutes on Monday". James' simple system to help raise productivity, boost morale and increase engagement is built on nine different facets of leadership, the main ones being care, recognition, mastery and purpose. It's not all about money, but you will need to keep track of what the market is paying and make sure that your top performers are adequately remunerated. Also consider training, interesting and challenging projects and flexible work practices to help make your workplace more attractive.
Machine Learning
Managing information security through manual practices is becoming harder: the amount of security-related data that must be analysed and the number of alerts that require investigation are growing exponentially. Machine learning is a branch of artificial intelligence (AI) that gives computers the ability to learn without being explicitly programmed. It focuses on building programs that learn directly from the data they are fed, in a similar way to humans, so that they effectively program themselves in order to make predictions. Dealing with the increasing number of alerts becomes more and more frustrating for your SOC analysts as they all too often chase false positives. The sheer number of incidents places a strain on your already overworked people, while the small number of real positives remains unchecked, and this can lead to disastrous consequences. The lack of adequate security professionals exacerbates the issue, resulting in overworked security analysts and undetected threats lurking in your environment. Advances in machine learning may reduce the need for SOC analysts or allow you to redeploy them to other tasks.
Managed Security Services
A managed security services provider (MSSP) can cover the operation and maintenance of many of your security systems, such as firewalls, intrusion detection and intrusion prevention solutions, security event and incident management, and your vulnerability and identity management solutions. A growing number of organisations are looking to MSSPs to manage all or elements of their information security program as part of an outsourced or, in some cases, co-sourced arrangement. This allows you to spend your budget on more value-adding functions such as governance, strategy, architecture, active threat hunting and business engagement. Introducing an MSSP can result in other issues if you pick the wrong one or sign up to a bad contract: the added costs associated with managing the inevitable "that's going to be a change request" process, monitoring vendor performance and ongoing contractual disputes can quickly erode any value the arrangement provides.
Upskilling Existing Team Members
Infosec professionals are created and developed through on-the-job training. Certifications are great but only go so far, and nothing is better than experience, the act of doing, and learning from a good teacher. Another approach to addressing the shortage of infosec professionals is to find capable and interested people already in your organisation and train them. Security is now part of everyone's job anyway, so why not formalise it by rotating people through your security team. Great candidates can probably be found in your desktop support, network, server and database administration teams. Start with capable people and train them. The downside of this approach is, yes, they will become more marketable as a result of learning new skills. The benefit when they return to their team is the increased security knowledge and awareness that they will apply to their jobs.
Encouraging More Women into Infosec
More women should be encouraged to consider careers in infosec, and this was discussed at the recent Oceania CACS Conference. Suggestions for increasing diversity include the option of more flexible working arrangements and ensuring that existing members of the profession become mentors to provide support and guidance to the people coming through. Increasing the number of female role models in science, technology, engineering and mathematics (STEM) related careers will also help. Australia's Cyber Security Strategy acknowledges that the infosec profession "suffers from low participation from women – which means we are not harnessing the full potential of our talent pool". In order to fix this imbalance, the government proposes to implement a "range of integrated actions developed with the private sector and research community." These actions will complement an increased focus on cyber security for all students across every level of education. In 2015 the government's Innovation Statement outlined a plan to boost the number of women studying STEM subjects and provide $13M worth of funding to support the initiative.
All in all, the current shortage of talented information security professionals adds yet one more interesting challenge to overcome when running and managing an information security program.