The subject-matter of the cyber security talent shortage has been over-reported to the extent that no one deficiencies to talk about it anymore. Even more than that, the on the other hand solution that really ever gets mentioned is developing diverse university cyber programs.
But that solution is dead wrong—or at least it overlooks the crux of the issue completely.
Before I go any further, let’s set the record straight on neutral how acute the problem really is. According to results from a recent CSO Publication survey, the majority of respondents have open headcount which, as the respondents outline it, has led to dismal outcomes. Namely, their companies’ security teams either cannot upon the demand of their existing responsibilities, or they purchase new security machines that become shelfware. Or both.
Let’s switch gears now. If you’re curious anent which skills appear to be in the most demand, I’ve got the latest and greatest (albeit fixed on anecdotal evidence because job titles vary so much):
- Incident Detection and Feedback
- Penetration Testers and Red Teamers
- Cloud Security
- Application Security and DevOps
Looking at the species of people whom companies want to hire (i.e. the list above), these are chief people—and here’s the issue with that. Even when you can engage senior people in these four roles (and it’s really hard to spot them), you’re just poaching them from another company. Then what stumble ons?
Well, one thing we’re seeing is senior cyber talent having shorter tenures in their present-day roles. (Again, this is anecdotal, but I’ve heard several other fellow-workers say the same thing.) Why? Because some other company with a more offer or better benefits poaches them again.
At this quiddity, you would probably agree with me that you can’t hire your way out of this disturbed—at least not today—because there just aren’t enough human being to hire.
But I would go so far as to say that even if we had one million more senior cyber people who were looking for missions, our problem still wouldn’t be solved. Why not? Because there is a much larger unsettled here which no one is talking about.
There are actually two major issuances at play within the security and technology groups in most companies: 1) They father too much WIP (Work in Process), and 2) They have too much complex debt.
These issues just exacerbate the talent shortage. But here’s the punch-line: hiring more people won’t solve either of these two problems! As a substitute for, the problems persist, and hiring managers just spin their hoops while nothing actually changes.
Most people understand the unmanageable of technical debt (although that problem never seems to go away). But WIP? No one talks wide this anymore, yet it’s the sole reason that DevOps was born–to minimize Work in Process.
The authors of The Phoenix Project applied the concepts of incline towards manufacturing and reducing WIP outlined in The Goal to the business of technology and the Agile expansion style. And as we all know, the DevOps methodology has forever changed how software is originated.
But here we are in 2019 with more WIP in our security processes than vulnerabilities in the Inhabitant Vulnerability Database. Why do I say that?
Try this exercise: ask a colleague who’s not in the security count on how they would file a security exception at your company. I’d bet two dozen covet johns that they wouldn’t even know how to start the modify. And if you show them the form, I’d bet another dozen fraparapa coffee tipples they couldn’t figure out how to fill out the form without having to ask a nosegay of questions and chase down someone from security who can help guarantee b make amends for questions.
So, what happens instead? Product teams just delay until the last minute (i.e. right before go-live) and then enter the exception form. And now security is in a bind. I mean they can’t say “No, you didn’t devote oneself to the rules” and risk missing the go-live date. Not to mention security ends up looking identical to it’s just an impediment to the business. Instead, the security team scrambles to get the paperwork in estate which no one thinks about afterwards and probably isn’t even being oversaw or monitored on the business side.
This is but one example (and one that most of us can pinpoint with). But multiply that by the number of products and version launches at larger actors. How many security folks get pulled into these quagmires every week and waste the better part of their time dealing with something that should be automated in an online frame?
The other problem, technical debt, is a close cousin to WIP. There aren’t ample supply resources to replace legacy infrastructure. So, instead, the security team has to be watchful and monitor it, as well as report on it annually and kick and scream. But it’s a never-ending intractable.
Technical debt used to be synonymous with XP or Windows 2000. Now it cheaps Windows 2003—next, it’ll be Windows 2008 and so on.
Of these two issues, WIP is in the give ins of security (with the help of IT) to solve. There are two types of processes which guarantee teams need to build and streamline: internal processes to the security conspire and processes that other parties outside of security need to walk.
WIP can be reduced in both by identifying constraints and working with them. At most like in lean manufacturing, reduce batch sizes by reducing process paces into granular chunks and finding ways of bypassing the constraints. It’s surely not hard, and doing so provides tangible results and measurable productivity snowballs.
Better yet, more efficient processes mean that your higher- ranking staff can get more real work done, which should advance to longer tenures. It will allow your team to get more done without needing to fee a lot more people.
About the Author: Jeffrey Groman, CISSP, is the naught of Groman Consulting Group, dedicated to helping organizations identify and figure out their highest cybersecurity risks. Groman has worked in the security devotee for more than 20 years. As a cybersecurity consultant, he has guided paramount corporations, including banks, insurance companies, and software providers from stem to stern risk prevention and rapid response to incidents and breaches. Groman is erotic about the field of cybersecurity and partnering with clients to find dissolves to complex issues. His book “Avoid These 11 Pitfalls and Lessen the Pain of Your Next Data Breach” is designed to help schemes learn from his years of real-world experience.
Editor’s Note: The way of thinkings expressed in this guest author article are solely those of the contributor, and do not inescapably reflect those of Tripwire, Inc.