301.519.9237 exdirector@nesaus.org

5.15.20 – SIW – For more info

Hiring alone isn’t the only option to fill the skills gap.
Courtesy of BigStock.com — Stock Photo ID: 191791396, Copyright: gnepphoto

Experts warn that hiring more people is not one of them

By this point, every organization that needs a skilled team of cybersecurity professionals knows about the skills gap. Companies in all industries are fishing for the freshest cybersecurity talent in a shrinking pond of potential candidates: The latest (ISC)2 Cybersecurity Workforce Study found that the U.S. alone faces a shortage of 500,000 positions. Meeting that demand would mean a 62 percent increase in available cybersecurity professionals. When looking at the global workforce, that number is a staggering 145 percent.

The skills gap creates problems for those responsible for managing security teams (security managers, directors and CISOs). While out-of-the-box approaches—like hiring talent with non-security backgrounds to learn security skills on the job—open up more possibilities for solving this problem, companies can find additional ways to boost their teams without adding headcount.

Hiring alone isn’t the only option to fill the skills gap. Sure, you want to find top talent with the best experience, but there are three other methods for closing the skills gap that you can implement in the meantime.

1.   Let Managed Services Pick Up the Slack

Outsourcing some of your core security tasks to a well-established managed services provider instantly augments your security team’s capabilities. You can do this by selecting one pillar of your cybersecurity strategies—such as vulnerability management, compliance framework alignment, or configuration management—and apply managed services to just that pillar. For broader coverage, choose a service that gives you a well-rounded combination of multiple areas that need to be covered.

A key benefit of this approach is that you don’t need to purchase additional servers, databases, or OS licenses, each of which also requires maintenance and administration. Another option is a hybrid approach—taking on a residential engineer. A RE from your chosen managed service provider gives you on-the-ground help running your cybersecurity program for a specified amount of time.            

2.    Get Better Company-Wide Security Education

Everyone in your company uses email, which is still a leading attack vector year after year. Your overall security posture is harmed by thinking of the security team as the only people responsible for your organization’s security. In NIST’s Cybersecurity is Everyone’s Joba report by the National Initiative for Cybersecurity Education Working Group says, “Unfortunately, many organizations limit security responsibilities to designated security personnel that perform specialized security functions. Effective security must be enterprise-wide, involving everyone in fulfilling security responsibilities. Each member of the group, from the newest employee to the chief executive, holds the power to harm or to help, to weaken or strengthen, the organization’s security posture.”

System administrators and IT staff are just as responsible for keeping threats at bay as security-focused personnel. The same goes for the HR department, marketing professionals, and anyone else who handles company data. A truly mature organization will begin to self-enforce and monitor, and this is a cultural shift that comes from building security into the organization. Without good company-wide security education, filling the skills gap will only take an organization so far.

3.    Automate Basic Cybersecurity Controls

How much of your security process can be automated? Automating is a third way to manage operational shortages arising from the skills gap. For example, you cannot manually audit logs every day—there is just too much data.  Security information and event management (SIEM) can do much of that work for you. Vulnerability assessments are another arduous process if performed manually. Ideally, you can write rules so that when your tools pick up a vulnerability it can fix it without human involvement or integrate with an ITSM tool to automate the workflows. We will never be able to react as quickly as computers, but an agent or sensor can act upon what it finds right away.

As more workloads are moved to the public cloud, companies are looking for solutions that automatically remediate configuration and security weaknesses. Automation makes a security team more efficient and any process that is predictable and repeatable is a good target.

About the Author: Anthony ‘Ant’ Israel-Davis has been with Tripwire for over two decades and is a Sr. Manager, part of the team delivering Tripwire’s from-the-cloud solutions. During his tenure he’s worked as a web developer, managed the Business Applications team, helped develop the security awareness program, and led IT compliance initiatives including SOX, PCI DSS, and SOC2. When his head isn’t in the cloud, you’ll find him playing his fiddle, socializing around a board game, or rooting for the local soccer teams.