Betwixt a security rock and personnel hard place
4 November 2016
We carried an interesting story this week, regarding the increasingly difficult struggle for enterprises in recruiting and retaining the right security personnel.
The story goes that getting the people with the right skills is difficult because they are in short supply and usually gainfully employed when you do find them. This means that they often need to be tempted out and so even when found, these rare creatures are expensive to retain.
The answer for many is managed security services, but of course this is no panacea, and this market, despite its growth, is becoming commoditised around the services that suit the model. The consequence is that the security services that do not suit the MSSP model go back to being managed by in-house professionals, who are in increasingly short supply, and did we mention expensive?
While I would not necessarily argue with the central point there, I would also refer to the report we carried on the (ISC)2 conference in Dublin recently, where a panel discussion tackled the issue of what the next generation of information security professional would look like. Despite a fairly diverse make-up on the panel, there seemed to be broad agreement: the infosec professional of tomorrow would have a much broader range of skills and experience than the current, or previous, ones.
Without recounting the entire story, two key points were made. The first was that the range of challenges faced by infosec pros is greater than ever. These challenges include not only keeping the enterprise safe from an increasingly diverse range of threat actors and vectors, but also increasingly diverse strategies to do so, from coordinated point solutions, to managed services and specialist tools for specific industries and functions. Added to this are managerial skills for when a crisis occurs, and marketing and communication skills for user awareness programmes and selling key projects and initiatives to the board.
Last 20 years
However, it was another point made by one contributor that put a fine point on a coalescing set of criteria. Dr Jessica Barker, herself a security consultant who has a background in sociology and civic design and focuses on the human aspects of cybersecurity, made the point that the current range of challenges faced by infosec pros was not solved in the last 20 years. In fact, while acknowledging that experience is invaluable, she said that most of the current challenges were not around in the last five years, let alone two decades ago.
The general thrust of all of this was that the blended nature of current threats, combined with the blended nature of the required responses, has meant that security professionals will come from increasingly diverse backgrounds, with eclectic skills that will not conform to the old template of an information security professional.
As a side note, Dr Barker said that when she is asked personally how to get into the IT security industry, she has little to advise from her own experience and says “be lucky”.
The combination of the two discussion paths has an ominous air for those enterprises looking to the future with the hope of hiring now to protect themselves for the foreseeable future.
Going by the old template, the individuals are in high demand and short supply. Going by the new way of thinking, the individuals are hard to identify, non-conformist, and may have little in the way of obvious experience by which to pick them out.
It may well be that the next generation of infosec pros will require a leap of faith by those currently in power to recognise the diverse skills needed for the fight tomorrow and beyond. And the current generation may well need to look beyond the usual round of certifications for the skills they will need, not only to remain relevant but to succeed in the new reality.