The cybersecurity community is weighed down by a talent shortage. A recent study by ISACA quantified the problem: it found that 69% of respondents said their cybersecurity teams are understaffed and that it can take six months or longer to fill vacancies.
This has forced the industry to find creative ways to solve the problem. For example, some organizations have opted to hire individuals with an aptitude to acquire the necessary skills on the job, rather than those with demonstrated experience.
Today, it is not unheard of to find people with degrees in epidemiology, linguistics or music – and an eagerness to learn cybersecurity – getting hired. Some senior leaders have pointed to the similarities between music composition and cybersecurity. Both technology and music involve learning a new language and turning its elements, such as words, phrases, musical notes, and software code, into meaning.
While this talent acquisition strategy has been successful for some organizations, it has also introduced complications for others. After its high-profile breach, Equifax drew sharp criticism when it was discovered that a key employee had a music degree.
Indeed, the optics look bad to the casual observer, but there’s more to it than that. A skills shortage isn’t just a human resources problem; it also has implications for policy and products. When things go catastrophically wrong, it could well be that policy and products are out of alignment with the people and talent.
Policies Taxing an Already Short-Staffed Security Team
Cybersecurity policy is a balancing act between security and efficacy. Yet the talent acquisition strategy should also be a factor in the formation of policy.
The traditional wisdom around passwords is a classic example. It was once considered a best practice to make users create unique and long passwords – and then force them to change those passwords regularly. The concept sounds logical, but such a policy adversely affects security in two ways.
First, it’s hard for users to remember complex passwords, so they simply write them down. This was often rendered in the form of yellow sticky notes placed casually under a mouse pad, or worse, visibly taped in plain sight to a monitor.
Second, those who didn’t write passwords down were prone to be significant contributors to the high volume of password reset calls to the IT department. This systemic taxation on resources introduces a new way for adversaries to gain access through social engineering.
Aptitude and enthusiasm cannot hold their own against experience if the policy is working against them.
Cybersecurity Tools Should Match the Talent
Many of us learned to ride a bike that was matched to our skill level. If you had a bike, chances are your first one came with training wheels. In this context, it’s easy to see the potential pitfalls had we been encouraged to learn how to ride on a bike designed for competitive racing.
Technology clearly has an impact on talent and policy and vice versa. If you accept the premise that people, policies and products in cybersecurity are interdependent, then the security technology choices must complement the policies and personnel strategies amid the skills constraints in the market today.
To be sure, vendors are not immune from criticism. In fact, more than ever, they have an obligation to reduce complexity, rally around standards, and support interoperability. Similarly, cybersecurity tools should be easy enough for the novice, yet offer the breadth and depth of capabilities the experts need too.
Aligning People, Policy and Products
For the CISO, recruiting, staffing and professional development will be a primary security leadership challenge for the foreseeable future. Whether an organization chooses to pursue alternative sources of talent or not, the dependent relationship between people, policy and products should not be overlooked.
Note: A version of this post was originally published by a Bricata employee as part of the CSO Online contributor network