(This article originally appeared on SCMagazine.)
The talent deficit in cyber security is real. Teams are understaffed and recruiters are getting desperate. There’s simply too much work to go around. I’ve circled the globe talking with hundreds of organizations and having an open headcount is a universal topic.
Sure, when a job is posted many applicants often apply, but the disconnect between the available candidates and the requisite skill sets, hunger, and knowledge is a large one. We must figure out what can be done to help fix this situation if we want any hope in creating cyber resiliency.
The first thing to think about is retaining your existing people. Retaining your existing employees is much easier than recruiting, hiring, and training a new person to fill the slot. So, don’t forget perks, adding some fun to the job, and making sure your team feels empowered to eradicate evil. If they’re sitting in meetings all day, fighting a culture that doesn’t care about security, and have no tools then you’re going to have a hard time retaining them.
Speaking only to retainment doesn’t address how you fill your open headcount, so let’s keep going. Here are multiple ways to solidify your security program:
● Better Job Requirements
● Managed Services
● Reducing Scope
Each of those has challenges, but let’s dive in and explore what these bullets mean.
Better Job Requirements
One huge frustration among security professionals is the disconnect between HR and the actual needs of the security team. Often, the listed job skills or years of experience eliminate passionate security enthusiasts who will likely do a great job. Or, the number of tools or certifications listed aren’t aligned with someone who is versatile, can learn quickly, and who really wants to help improve security posture. Make sure you are aligned with HR on what’s truly required versus “nice to have,” and make sure you are actually describing a day in the life of. Don’t make a sexy security role sound too corporate or dry. And, of course, perks such as hunting or working with cool technology can all help entice that individual to submit their resume.
When Carbon Black started, we looked for three things: passion, capacity, and humility. We actually got this from back in our intelligence-community days where we built a team of 150 people entirely on referrals and those three qualities. If you can find passionate people with the capacity to produce, you’re likely on the right track.
There are a lot of ways where automating existing processes can free up human time. But first, take a look at your day-to-day work.ow much time is spent on email, in meetings, and in activities that aren’t actually making you safer? Reclaim that time so you can actually spend it on defense, and then look at the specific actions your analysts and engineers are doing. What actions actually require a human mind? Are your analysts receiving an alert and then checking to see if the indicators of compromise (IOCs) from that alert match any threat feeds? Are they copying and pasting domains to do a lookup on when those domains were registered?
Human minds should be doing the analytical work and critical thinking, not walking through simple actions to retrieve information. If you’re not scripting or trying to use technologies that help orchestrate and automate, you’re wasting human time. Most vendors now have APIs, and a lot of vendors provide connectors between their products and other technology partners. You need to be leveraging as much automation as possible here to free up that precious time.
Aside from automation, the talent deficit is creating an explosion of Managed Security Service Provider activity. Whether it is a provider trying to do most of the security monitoring and managing of your environment for you, or the MSSP is providing a specific function and handling only specific alert types, you have options.
I’ve seen great teams supplement with MSSPs, whether for sanity checking or covering the night shift. I’ve certainly seen those of you who have much smaller or newer teams lean heavily on MSSPs, too. You should consider whether MSSPs would help accelerate your security maturity.
There are some cautions, however, so heed wisely. First of all, no MSSP is a silver bullet. While I’ve had the pleasure of dealing with several quality ones, they won’t ever have the internal context or environmental understanding that full-time staff on your team should have. Accounts are just accounts, whereas you can know who the humans are that use those accounts and what their habits, personalities, and risky behaviors could be. Furthermore, you often don’t ship all your data and intelligence to your MSSP, so they’re only focused on part of your defense. None of these aspects are bad, but if you don’t understand the visibility that your MSSP has into your environment then that can lead to being poorly defended.
The final aspect around outsourcing is that you should be learning from your providers. If you just ship logs and alerts to a third-party and they call you to go re-image a box, your security and IT teams are not getting smarter. Make sure you are extracting some of that expertise and adversarial understanding to grow your own capabilities. Ask them for details about why you need to re-image, and about root cause, scope, and how to better mitigate that infection or attack in the future.
Often, when I talk to companies, almost everything they are trying to change, implement, or plan for is unilaterally across their environment. This doesn’t have to be the case.
Sure, getting all of your endpoints on the same protection, or getting all your servers configured and monitored in the same way would be nice from a management and consistency perspective, but you don’t have to go so big in your first attempt. Also, sometimes different business units or different portions of your environment should be dealt with and protected differently.
In fact, unless you’re tiny, there are probably dozens of different subgroups that are similar to each other but different from the rest of the organization. Can you tackle these subsections and get some quick wins, and reduce entropy such that your team is freed up to focus on the more dynamic or harder to make consistent pieces of your enterprise puzzle?
Are you trying to push down as many tasks as possible, and then automate those tasks that the entry-level members are trying to “push down?” Often, alerts, investigations, and other matters are escalated and the top becomes overwhelmed with fires to fight. The top is hard to hire for, too, so rather than trying to push up, are you trying to “educate down,” to empower newer or entry-level teammates? Can your veteran players act like force multipliers and coaches, making those with less expertise better? That’s where the entire team starts to surge — and you’ll notice a difference.
Keep trying to enable your lower rungs to do more, and when their plates are full, look to what can be moved from their plate into code, that can be automated or eliminated? Are there ways MSSPs can take some of that burden? Make your top performers strategic. Put them in the middle of the field calling plays and anticipating what’s next, versus having to always be the one rushing the quarterback or investigating that infection. Leverage is the name of the cyber game.
You should be doing more than just opening job requirements and hoping the cyber Rambos will show up at your door. There’s lots of ways to increase your team’s productivity and move your security program forward, even if you are having trouble hiring.
Where can you push on technology and where can you better empower your existing staff? Where can you improve employee behavior and reduce the likelihood of phishing or malvertising success?
If you aren’t thinking about these, even if you are fully staffed, you’re not going to get your program to where it needs to be. Good luck in 2017, and let’s all work at improving our use of security time to collectively increase cyber resiliency.
By Ben Johnson