4/4/2016
11:14 AM
Jonathan Anderson
Partner Perspectives

Knowledge Gap Series: 3 Steps To Deal With The High Turnover In Your Security Department

Follow these suggestions to significantly decrease the probability that your organization is a future security headline.

Let’s start with two numbers:

60,000: The number of security professionals in the United States with a CISSP (Certified Information Systems Security Professional) certification.

50,000: The current demand for additional CISSP professionals.

Everyone talks about the industry shortage of security professionals as an inhibitor to providing competent resources to deploy security technology and services. In reality, even with well-trained security professionals available, the turnover and hot job market expose companies to incomplete deployments that are not being properly funded or commissioned.

It is common, with the demand for security professionals, to see job tenures averaging about six months for a security engineer and one year for a security architect or mid-level manager. One of the biggest issues with this turnover rate is that the people who start projects are rarely around to see them implemented. In other words, the people who are currently accountable for your security system did not create the original scope, requirements, budget, or design. Was the original budget too low, specifications inaccurate, or the promises too ambitious? This is tough for the new person, who is now accountable to someone else’s earlier promises. But it is also a risk if you have people scoping or budgeting projects that they know they will not be around to implement or operate.

Not only does this turnover jeopardize your security posture, it discourages people from working in the field because it increases the pressure, making them accountable for someone else’s work and commitment. Also, there is little opportunity for project handoff or knowledge transfer as security professionals are typically walked out once they announce their intent to leave, due to their privileged access.

Less Dependence On Individuals

With many years of experience over a wide variety of security projects, I have not seen a single project have the same people working on it from start to finish. To address this, we learned to put in place a number of processes to reduce the dependence on individuals and ensure that projects are delivered on time, within scope, and with measurable results.

First, make sure that at the outset, your project scope, budget, and implementation plan are reviewed and approved by multiple stakeholders, architects, and engineers. If you do not have enough staff or expertise for this in-house, an alternative is to ask one of your security vendors to participate. They will bring in their knowledge of best practices, as well as their experience with similar projects. Leveraging the professional service arm of your chosen vendor will also reduce the chance of having an unsupportable or inferior implementation.

Second, as the project moves from implementation to production, make the time to continue to document operating details, new best practices, and other significant events. Yes, this takes personnel time in a department that typically runs pretty thin, but it will save you time in the long run. Moving security functions to the cloud is a good mechanism to alleviate some of the problems inherent with project turnover because you have to clearly document the functions and operations in order for the service transition to be successful and measurable.

Finally, when turnover happens, as it will, this detailed documentation becomes your knowledge transfer process to new personnel. As the team deals with incidents and new threats, your documented practices and technologies can be readily reviewed and adjusted, with less chance of breaking existing deployments or accidentally weakening your security posture.

Some security experts have proposed a correlation between major breaches and attrition of security personnel. These three steps will help you significantly reduce the probability that your organization is a future security headline.

Jonathan Anderson is responsible for technical strategy and integrating security into future IoT solutions at Intel Security. Prior to joining Intel, he served 14 years across both Cisco and HP where he continuously interlocked with customers, sales force, and product teams ...