Want to Keep Security Talent? Offer Something More.
For years, chief information security officers (CISOs) have viewed talent retention as one of their biggest concerns. It's not only about finding people with the skills to spot a malicious anomaly in the data, but also about holding onto those InfoSec pros when another company is willing to offer more money. But what if there's a better way? Instead of chasing specific security talent, it's time for CISOs to look within the company. Maybe the key to good cybersecurity is the person sitting in sales, marketing or HR. And while money is important, security leaders can offer other incentives such as work-from-home arrangements, part-time employment, and the promise of a transition to other roles after a few years on the front lines of today's cyber-landscape.

The idea of this type of diverse cybersecurity workforce is detailed in a report entitled Building Tomorrow's Security Workforce, released earlier this month by the Information Security Forum (ISF), a non-profit organization that provides training, advice and tools to its membership. The study is based on responses from "several hundred" of the organization's members, as well as outside commentary from academics and experts.

Part of the problem with attracting and keeping talent is how the security industry has evolved over the past several years, said Steve Durbin, the managing director of ISF. In too many cases, would-be InfoSec pros believe their whole careers will be spent analyzing data or putting out fires.

"It's still seen as being a fairly staid kind of industry," Durbin said. "We haven't done a good job of convincing [employee talent] of some of the dynamism, some of the excitement, some of the speed of change that exists in it. So that was one of the big things that came out, that probably needs to change. We need to present the opportunity in a much more attractive fashion that reflects the needs of organizations going forward."

That's not to say CISOs should throw technical skills and certification overboard. However, when Durbin and his team look at some of the bigger data breaches of late, such as the attack against the Singapore government's health database that affected 1.5 million citizens, or the ongoing fallout from the Equifax breach of 2017, it wasn't a failure of technology that drove these incidents.

"If you look at some of the reasons why more recent breaches have occurred, they tend to have fallen more into things like lack of awareness, lack of leadership, lack of convincing [the rest of the business] of the need for effective cyber hygiene across an organization," Durbin said. "While those are not necessarily technically focused skill sets, they are required," he added. "We're talking about much softer skills, and so one of the lights at the end of the tunnel of this challenge around how do we close the gap that we face … we need to as an industry take a much more out-of-the-box approach to it."

Then there are the people. Both the ISF report and Durbin are urging enterprises to adopt more progressive work policies, not only to attract talent but to hold onto it, especially when larger firms can offer better salaries. This means providing flexibility in how people work, or offering talented employees the ability to work part-time, since some security functions don't require full-time positions.

"If you've got the right infrastructure in place, there's no reason why someone working in security has to come into an office," Durbin said. "So, they can work remotely. There's no reason why they have to work full-time, potentially. Now that opens up a whole range of possibilities for parents with young children, for instance."

As always, cybersecurity is a balancing act between the risks the enterprise is willing to accept and the need to protect its infrastructure, assets and data. Nathan Wenzler, senior director of Cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, noted in an email that, at the end of the day, CISOs need to manage risk, and that means every decision, whether it's hiring or buying security tools, is made through that lens.

"CISOs who approach leading their teams from that standpoint are better positioned to understand the risks being faced by sales, finance, HR and all of the other non-technical areas of a company," Wenzler wrote. "Once those risks are better understood, it provides the security team the opportunity to find ways to mitigate those risks and empower those teams to do what they do more safely and efficiently, even if those solutions are not technical in nature."

So what can be done to balance all this out? Durbin suggests that some security jobs can be outsourced, probably to a third-party vendor with a relevant specialty. Other parts, such as compliance and governance, can be turned over to the legal department or chief legal officer. Technology, specifically machine learning and artificial intelligence, can handle some tasks, such as automating the patching process or inspecting network traffic for malicious code.

"So, the environment will change very significantly from the one that we look at today," Durbin said. "And that's the attraction, I think, from a securities standpoint. It's how do you get the right people involved? … Because it's still a very young industry, and CISOs need to take it forward and meet the needs of an organization."

This means the CISO's role needs to change, too. "The role that the CISO has to play is changing to one that is providing much more strategic guidance to an organization about how they can deliver their business strategy in as safe a manner as is possible given the risk posture that the organization has decided to adopt," Durbin added.