One of the greatest threats in the world of cybersecurity comes not from a mysterious, godlike adversary magically compromising high-security systems but from something much less glamorous: the defender deficit.
We don’t have enough security people.
There exists a massive deficit of security personnel, with estimates of open positions ranging from hundreds of thousands to millions. These estimates do not include organizations that have no dedicated security staff and/or no security job openings but sorely need them.
In my previous life as a Chief Information Security Officer (CISO), I constantly dealt with the difficulties involved in hiring and retaining top security personnel. The timespan between when a security job was posted to a new employee’s first day was well over a year at one point.
Another very difficult issue for employers is retaining security personnel. Human resources departments do not have the real-time data, skills or motivation to keep up with rapidly increasing security salaries. The large corporate structure is ill-equipped to deal with rapid salary increases, so security professionals jump from job to job to pump up their salaries rather than endure the 2% annual corporate cost-of-living salary increase.
The How-To Manual
I led the security team at one of the largest stock exchanges in the world with security professionals working in London, New York and our headquarters in Kansas City. I only lost two employees in 12 years in a small and very competitive talent market. Of the two we lost, only one was a resignation.
This is one part of the strategy I used to effectively retain a large number of security people:
Tools, Toys and Training
Provide your people with the tools they need to be successful. “They” is the key word.
When you hire the right people, they find the right tools and have the ability to discern between shiny marketing slides and effective tools. You, as the CISO, director or manager, are not on the front lines every day. Pushing a tool you read about in an article or heard about from another CISO is a sure way to add to the thousand cuts security professionals suffer each and every day. Ultimately the final cut leads to their departure or, worse, their conversion into an insider threat actor.
Work with your team to empower them to thoughtfully select the right tools.
Many of the top security professionals on both sides of the hat (black hat, white hat, pick a color hat) are tinkerers. These are the people who destroyed their toys and electronics as kids to figure out how they worked. They have an undying curiosity and a dislike for rules. Tinkerers experiment and break things with little fear.
Give your people a small “free-range” budget they can use to buy toys they can test and break. My people found security flaws in phones, drones, IoT devices and automobiles. They all enjoyed their toys and many received free conference passes as presenters due to their discoveries. Our company received free marketing and training simply by encouraging our people to play with their toys.
Henry Ford purportedly said “The only thing worse than training your employees and having them leave is not training them and having them stay!”
I budgeted $20,000 per employee per year for training and successfully navigated the corporate nonsense to fund this budget. I set three expectations/constraints around the personal training budget.
- All security employees were required to attend one conference, one training class and one educational opportunity of their choice every year.
- The training had to relate to their current position or one they aspired to (security-related).
- Following the completion of training, employees were required to provide an internal training session to members of the security team demonstrating what they learned. If you can’t teach it, you don’t know it.
With a well trained security staff who thrived on challenges and growth, we established a consistency of excellence that protected one of the largest financial exchanges for
Tools – Toys – Training