Addressing the Cyber Security Resource Shortage
There is a lot of talk about a cyber security resource shortage in our discipline. I get that this may seem like the case, and maybe it even is. However, what I don’t understand is this: if the time of our cyber security resources is so valuable, then why are all of us wasting so darn much of it?
Here are the top 6 time-wasters that are crushing the hearts and minds of our discipline.
The Swiss-army Knife Job Description
Even today, if you cruise the job boards for cyber security positions, the majority of them will say something like “CISO Wanted, responsibilities include leading the program, policy design, performance of vulnerability management, interface with customers, compliance audits, performance of risk assessments, charged with security architecture, GDPR and physical security.”
This is like building a soccer team that normally takes 11 players in unique positions, but in this bizarre world we live in you can field one player titled “Player Extraordinaire, or CISO”, who is supposed to play the whole field.
Further, the team this person is playing is the bad guy and girl hackers, and they are fielding 11, with an organized strategy and led by a coach that has advanced data and automation information to guide informed decisions. No wonder the average organization is getting their ass kicked. Shocker.
Foundation Development versus Process Performance
The difference between building a program and performing tasks is often blurred. No, the CISO will not build the policy and process documentation and then perform them once built. If they’re smart, they will bring in consultants to do it (get ready for that financial request, Mrs. CEO, about a week after they join), and if they are new to the discipline and try to build them on their own, guess what: they are probably not going to be very good. All along the way there is a ton of wasted time.
Crappy Security Processes
Most organizations do have security policies and processes now that are documented and probably even can pass audits (more on this audit comment for another article), but often these processes are not accurate or do not reflect what the team is doing.
This is like having a car manufacturing line without process design. We say that the security discipline is very exact, then we don’t document with accuracy what we are supposed to be doing. Henry Ford just turned over in his grave.
This leads to exactly what you would expect — a whole ton of wasted time. Also, good luck getting that orchestration security technology working when you do not have consistent and accurate process design. You won’t.
The “One” Cyber Security Ticket Queue
In most organizations, whichever of the leading service desks is in use, the average security program uses one queue, often titled “Security Queue.” This queue is often a collection of rants, customer requests, incidents, and IT tasks, all mixed together in a “soup of confusion” and often all assigned to the lowest-ranking security person in the program.
Which by the way, if you just have one “Player Extraordinaire or CISO” as your program, all this stuff goes to you. Good luck with that.
If you want any chance of using your “valuable” security resources, you need to add order to this queue: it needs to be assigned to processes your program actually performs, then uniquely assigned based on that to the unique resources that will perform these tasks in those processes.
Unified Compliance Framework, HITRUST, and ISO27001
These are all compliance frameworks and certification mechanisms for cyber security. They are good for compliance, but they have no focus at all on efficiency and/or process performance. In my opinion, after building lots of programs and serving in leadership positions at multiple large organizations over the last 20 years, if you are using any of these items you will never build a program that uses resources efficiently… Yep, never, and I understand the finality of “never.”
Further, if it was up to me, if you are using these you should be banned from ever saying “there is a cyber security resource shortage,” and fined if you do. I am dead serious too.
One last funny point on this as well, or perhaps the most troubling. One of the leading help desk solutions — which is a great product by the way — and probably providing your one service queue for security at your organization, is now moving to using Unified Compliance Framework as its core security integration into its solutions. What a force multiplier of inefficiency and a disaster for our discipline.
If you are planning or implementing UCF on a service desk solution as an active project right now, do our discipline a solid and please stop…
Cyber Security Certifications
Many very smart people put together the original leading certifications for our discipline such as CISSP. We owe them a lot. However, we now live in a new and more complex security landscape.
In my travels I have never seen a correlation between being CISSP certified and being an efficient and/or valuable cyber security resource. I am also not saying that they don’t help either, and they can’t hurt if a person has the time. Of course, a big problem is that nobody has that time.
Further, I do think these certifications help young entrants to cyber security connect the dots with some previous foundational learning. Where I think we waste a bunch of time though is using these certifications as a requirement for employment or as the end-game in security learning.
Instead, they should be a step in a balanced learning and teaching program for someone that wants to become more valuable in cyber security. When we don’t do this, we waste a bunch of time both in getting these certifications and in the true ability of people performing their work with faulty expectations after they get them.
If any of these items resonate, do not despair; I have seen all of them over and over in most programs we visit. Further, I am as guilty as anyone, as these situations have also happened where I was the leader and it was on my watch. So, I get it, but we must do better.
At CISOSHARE, we have put together a facilitated security program development tool that walks through some of the process design and execution considerations I talk about above. If you believe your organization can use some help with solving cyber security resource confusion, or the overall cyber security resource shortage, please check it out.
Disclaimer: While we normally tone down the opinions on the blog, we wanted to talk frankly about addressing the perceived resource shortage.