There has been an increasing amount of commentary about the growing shortage of Information Security folks. While the reasons for this shortage are manifold and easily explained, that doesn’t change the fact that it exists. Nor does it change the fact that natural forces may well be causing it to worsen.
Here’s why we’re where we are:
Information Security is a thankless job. Literally thankless. If you do enough to protect the organization, everyone hates you. If you don’t do enough to protect the organization, everyone hates you.
Information Security is hard. Attacks are constantly evolving, and often sprung out of the blue. While InfoSec professionals are busy protecting against the three threats they have ferreted out, a fourth blindsides them.
Information Security is complex. Different point, but similar to the one above. You can’t just get by in InfoSec. You have to know some seriously deep things, and be constantly learning.
Information Security is demanding. When the attackers come on a global clock, defenders have to be ready to respond on one. That means there are limits to “time off”, with both a good night’s sleep and vacations counted among the casualties.
The shrinking pool has made the last point worse. With fewer people to share the load, there is more load for each person to carry – more call, more midnight response, more everything.
Making do with the best security staff you can find may well be killing the rest of your InfoSec team. If “the best you can find” isn’t good enough, others must pick up the slack.
And those last two points are the introduction to today’s thought. Stop looking for the best InfoSec people you can find. Start training good internal employees in InfoSec. You all know this is the correct approach. No matter how good you are at Information Security, familiarity with the network, systems, or applications of your specific organization is at least as important. Those who manage the organization’s IT assets know where the weaknesses are and can quickly identify new threats that pose a real risk to your data. The InfoSec needs of a bank, for example, are far better served by someone familiar with both banking and this bank than by someone who knows Information Security but learned all that they know at a dog pound. The InfoSec needs of the two entities are entirely different.
And there’s sense to this idea. You have a long history of finding good systems admins or network admins and training them in your organization’s needs, but few organizations have a long history of hiring security folks and doing the same. With a solid training history and a deeper available talent pool, it just makes sense to find interested individuals within the organization and get them security training, backfilling their positions with the readily available talent out there.
Will it take time to properly vet and train those interested? Of course it will. Will it take longer than it would take to bring an InfoSec specialist up to speed on the intricacies of your environment? Probably not. SharePoint is SharePoint, and how to lock it down is well documented, but that app you had custom developed by a coding house that is now gone? That’s got a way different set of parameters.
Of course this option isn’t for everyone, but combined with automating what is safe to automate (which is certainly not everything, or even the proverbial lion’s share), you’ll have a stronger security posture in the long run. These are people who already know your network – and perhaps more importantly your work environment – but have an interest in InfoSec. Give them a shot; you might be pleased with the results.
As to the bullet points above? You’ll have to address those long-term too. They’re why you’re struggling to find InfoSec people in the first place. Though some of them are out of your control, you can offer training and trips to conferences like DefCon to minimize them.