[BreachExchange] Hiring and Training Challenges for CISOs in 2018

Thu Apr 5 18:57:27 EDT 2018

https://www.securitymagazine.com/articles/88891-hiring-and-
training-challenges-for-cisos-in-2018

As a veteran CISO, I can tell you firsthand that the cybersecurity skills
shortage is not only real – it is one of the biggest challenges IT leaders
face today. As the threat landscape becomes more complex, it’s difficult to
find and hire trained personnel who are both cyber professionals and
affordable. To make matters worse, long-term retention of those employees
is almost impossible as they are always being poached by other companies.

There are certainly ways to help keep and attract top talent. Hiring
managers should ensure compensation and benefits packages are competitive
and be willing to give employees significant flexibility with respect to
remote working and flexible hours. A CISO isn’t successful without a good
team, and you don’t want to lose good employees and make it difficult to
find new candidates just because of a rigid workplace.

Since most CISOs recognize the skills gap is real, here are some of the
other challenges they face in trying to shore up their security posture:

Relying on cyber-training to train employees to think like hackers.

There’s still a belief that employees have instincts against clicking on a
bad link or replying to a seemingly innocuous email, or that the only
option is internet security awareness training. But training was never
meant to be more than a stopgap measure until appropriate technical tools
could be created.

Placing a bet they are too small to be targeted.

Always assume criminals want what you have, even if it's just access to
your big partners or customers. They’re fast, they know it's a numbers
game, and they view every organization they breach as potentially valuable.
If all else fails, they monetize their foothold through a ransomware
attack. A good lesson in this was how the Target breach was made through a
tiny HVAC vendor who had nothing to steal, except the credentials that got
hackers into the Target partner portal. If you’re a small company doing
business with a larger one, it’s easy for hackers to use you as a stepping
stone, and it also puts the burden of responsibility to prove compliance in
case of a breach to prove your business wasn’t involved or at fault.

Fighting for security budget separate from the general IT budget.

>From many a CIO’s perspective, security is just one small part of the
overall organization they are responsible for running, so they believe it
makes sense that the security budget should be a small percentage of their
overall IT budget. The reality is an organization’s security budget should
be based on what it will cost the organization to effectively manage their
security risk. While there’s a correlation between the size and complexity
of an IT organization and the cost to secure it, this simplistic view fails
to account for the specific threats, regulations and overall risk appetite
of the individual organization. Just like it doesn’t make sense to base
your auto insurance liability limits on the annual maintenance costs of
your car, it doesn’t make sense to base your overall security budget on the
annual operating costs of your IT organization.

With these challenges in mind, there are several important considerations
for IT leaders who must deliver the best security while still being
realistic about their hiring pool and budgets. First, you can fill staffing
gaps by leveraging a Managed Security Services Provider (MSSP) within an
enterprise. Because MSSPs are security companies, they are much better
positioned to hire and retain employees. Just make sure you have enough
internal staff to provide oversight to ensure the MSSP is doing what you’re
paying them for while outsourcing as many of the daily tasks to them as
possible.

Next, upgrade to modern technologies that offer automation of threat
correlation, etc. While MSSPs help ease some of the imbalance on the supply
side, automation can help ease some of the imbalance for demand. By
automating tasks that would normally be done by a staff member, companies
can either eliminate the need for that staff member or free them up to work
on other tasks.

Finally, ensure that the staff you have can constantly up-level their
security expertise through the vendors you work with. On-demand access to
threat intelligence gives your guys a reason to learn, and keeps them happy
at work.

With the right mix of attracting the best security talent with compensation
and work flexibility, letting employees excel at their jobs with the right
tools and level of automation, and breaking bad training habits, CISOs can
get ahead of these challenges facing organizations in 2018.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180405/694aa243/attachment.html>