
Operational Security
News Analysis - Security Now

10/26/2017 12:41 PM
Josh Mayfield

Ways to Win the Security Skills Challenge

Finding and keeping skilled security professionals is hard. But there are approaches that can keep your best employees on board and happy.

It can be difficult to locate and hire staff with appropriate technical skills, for several reasons. Primarily, the challenge comes from a disconnect between formal education (i.e., university) and the nature of the current environment. By the time a curriculum is established, the world has changed. This leaves institutions with only one option: give students a basic foundation, and leave deeper skills development to the student.

Second, organizations that need more developed skills are all competing with one another in a labor market. Not only must they compete with one another, but they must also compete with government agencies, consultancies, and vendors, all pursuing the same skills for their own purposes. So, we have a demand spike and a supply shortage.

Finally, skills development is generally assumed to be the responsibility of the individual rather than the organization, and for good reason. If a company invested in building more skills into current staff, those people would have greater marketability in this high-demand environment. This is a dilemma; a prisoner's dilemma. Everyone is looking at the problem from the same vantage point. What is best for the individual organization may have a negative outcome for the market as a whole. Of course, organizations want highly skilled, highly trained staff... they just want someone else to train them.

So how can companies help themselves by focusing on upskilling their current technical staff? Might this really be a viable solution to the digital skills gap? The difficulty with upskilling current staff is that you may be sinking investment into people who will soon leave or be lured away to a more lucrative opportunity. This is the dilemma I mentioned earlier. So, organizations are hopeful that individual team members will cultivate their own skills, without the organization having to invest directly in their development.

Some organizations have used golden-handcuff methods to secure a staff member. A law firm may pay tuition for a clerk to get a law degree, with the stipulation that the clerk remains with the firm for several years after graduation. This is a potential option to use with technical staff to close the skills gap we see in digital and security disciplines.

But information is highly portable. Organizations that train their own staff to improve their technical skills may find themselves losing newly minted minds to competitors or other market participants, all clamoring for the same technical skills. This is a risk-return evaluation; couple that with the inherent status quo bias, and you get organizations sitting idle while the skills gap continues to grow.

Upskilling is a viable option, but one that has to be weighed against the potential loss of the best, most developed staff members. The greatest benefit of upskilling is that it can be calibrated to the skills an organization most needs or prefers. Along with that, the trained individual often feels a sense of gratitude that could inhibit thoughts of taking the new skills to greener pastures. However, in a free society where individuals compete with one another in a labor market, it is only natural to shop those skills around for better individual opportunities.

It is a tricky balance, because an organization can increase staff contentment while decreasing retention. An individual can be grateful for the skills their employer has helped develop, but still judge themselves to be more desirable in the broader market. That leads to both conclusions at once: more content, yet less likely to stay.

In my experience, very few organizations are investing in this type of upskilling. However, those that are accomplishing it are doing so by following a consistent incentive structure. I know of one organization that sends its cybersecurity staff to various training modules at the SANS Institute. Upon completion of each security track, the employer increases the employee's salary by 5%.

At first, this organization paid a spot bonus of 5% of annual salary for each completed course. The trouble with that approach was that once the bonus was paid and the skills were enhanced, technical staff would promptly take their talents elsewhere. Once the organization shifted to increasing base pay instead, people stayed with the company.

There is another tactic companies are rapidly adopting: automation. If you are uncertain you can hire individuals with the right skills, and you are unsure you can close the skills gap with current staff, you can automate many of the manual, low-value workloads using technology. For example, assessing which firewall rules are outdated or underutilized is a relatively mundane task: it amounts to checking each rule's hit counters, when it last matched traffic, and whether an earlier rule already covers everything it would match. So, many organizations are using technology to automate such an activity, leaving their highly trained staff to manage higher-value workloads.
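As an added example (not the article's or any vendor's code) of what that automation looks like in practice, the script below reviews a firewall rule export and flags three kinds of candidates for cleanup: allow rules with a zero hit count, rules that have not matched traffic within the review window, and rules that are shadowed because an earlier rule already covers all of their traffic. The CSV export format and the sample rules are constructed and hypothetical; real firewalls export rules and counters differently, so `parse_rules()` is the part you would adapt to your platform.

```python
"""Flag unused, stale and shadowed rules in a firewall rule export.

Added example, not the article's or any vendor's code. The CSV export
format is constructed and hypothetical: adapt parse_rules() to whatever
your firewall actually exports.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample export (hypothetical format). A port of 0 means "any";
# an empty last_hit means the rule has never matched a packet.
SAMPLE_EXPORT = """\
name,src,dst,proto,port,action,hits,last_hit
allow-web,0.0.0.0/0,10.0.1.0/24,tcp,443,allow,1839201,2017-10-25
allow-web-legacy,0.0.0.0/0,10.0.1.10/32,tcp,443,allow,0,
allow-ssh-jump,10.0.9.0/24,10.0.1.0/24,tcp,22,allow,412,2017-10-24
allow-ftp-old,10.0.9.0/24,10.0.2.5/32,tcp,21,allow,3,2016-02-11
deny-db-from-dmz,10.0.1.0/24,10.0.3.0/24,tcp,5432,deny,0,
"""


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str   # "tcp", "udp" or "any"
    port: int    # 0 means any port
    action: str  # "allow" or "deny"
    hits: int
    last_hit: Optional[date]


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed CSV export, preserving rule-evaluation order."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append(Rule(
            name=row["name"],
            src=ipaddress.ip_network(row["src"]),
            dst=ipaddress.ip_network(row["dst"]),
            proto=row["proto"].lower(),
            port=int(row["port"]),
            action=row["action"].lower(),
            hits=int(row["hits"]),
            last_hit=date.fromisoformat(row["last_hit"]) if row["last_hit"] else None,
        ))
    return rules


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule could match is already matched earlier."""
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    port_ok = earlier.port == 0 or earlier.port == later.port
    return (proto_ok and port_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def unused_rules(rules: List[Rule]) -> List[str]:
    """Allow rules with a zero hit counter. Zero-hit deny rules are deliberately
    not listed: a deny that never fires is usually doing its job, not dead weight."""
    return [r.name for r in rules if r.action == "allow" and r.hits == 0]


def stale_rules(rules: List[Rule], today: date, max_age_days: int = 90) -> List[str]:
    """Rules that have matched traffic before, but not within the review window."""
    return [r.name for r in rules
            if r.last_hit is not None and (today - r.last_hit).days > max_age_days]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers all their traffic.
    Flagged regardless of action: the same action means redundancy, while a
    different action means the later rule's intent is silently not enforced."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def review(export_text: str, today: date) -> Dict[str, List[str]]:
    """Run all three checks over an export and return the rule names per finding."""
    rules = parse_rules(export_text)
    return {
        "unused": unused_rules(rules),
        "stale": stale_rules(rules, today),
        "shadowed": shadowed_rules(rules),
    }


if __name__ == "__main__":
    for finding, names in review(SAMPLE_EXPORT, date(2017, 10, 26)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

On the sample data, `allow-web-legacy` is reported both as unused and as shadowed by `allow-web` (its destination host sits inside the earlier rule's /24 on the same port), and `allow-ftp-old` is reported as stale. The zero-hit `deny-db-from-dmz` is left alone on purpose. Findings like these are what an analyst would otherwise work through by hand, and they are only as good as the hit counters and timestamps the firewall actually keeps.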

If you are running into the challenge of a skills gap and are stuck in the upskilling dilemma, you can automate. This is the easiest, fastest way to get things accomplished while the skills gap keeps growing, without the risk of upskilling staff who may then depart.

As for the training options available to companies looking to upskill technical staff, several educational avenues are available, both on-campus and online. Online education modules such as Lynda.com are commonly used to enhance skills in various disciplines. In addition, learning management systems have advanced in the past decade, and many organizations are codifying their own ways of doing things into a learning management console and guiding staff toward further development through it.

Human behavior is goal-directed. If organizations provide incentives for development and a pathway toward it, individual staff will likely pursue the goal. Give incentives for the behavior you want and remove any obstacles you can; that is the best way for leadership to get the outcomes it needs.

What are the biggest digital skills to focus on? We live in a world that is awash with data. Data science is the skill set organizations are most likely to need over the next 5-10 years. This will come in many forms. Data science skill will become a requirement rather than a bonus for software developers. Security engineers who understand how data can be analyzed to drive policies and security controls will be in high demand. IoT specialists who can quickly integrate data to model the outcome of a new product or support an existing one will be recruited as fervently as a world-class CEO.

Aside from data science, virtual reality will play a large role. Virtual reality and its principles can be applied to all manner of commercial benefits. Imagine a construction company that can do an inspection virtually with the owner and architect prior to the grand opening. Imagine a physician in a virtual operating room assisting another physician who is 4,500 miles away. Technical staff who can convert science fiction into science fact will be the rock stars of an emerging discipline.

Finally, security skills for new computing options (e.g., quantum computing) and changing infrastructure (e.g., SDN, virtualization, cloud) will become the norm. We simply do not yet know what security concerns we will face as all of this evolves.

Those with the skills to secure this new world will be the heroes of many organizations.


Josh Mayfield is Platform Lead for Immediate Insight, FireMon's security analysis platform. He works with global security leaders to improve security analysis using big data principles and automation.
