The Security Skills Shortage No One Talks About - InformationWeek


The Security Skills Shortage No One Talks About
User Rank: Strategist
9/17/2014 | 9:55:12 AM
The Security Skills Shortage No One Talks About
@aws0513 I found myself nodding each time you made a point in your post. In over 20 years of IT experience, I have been there and done that so many times. Some very important points you made:

"Often, it took a C-level decision to resolve the issue." This is precisely why IT and Security leaders have to be separate entities in the discussion with the business leaders. When the business requirements pressure IT into delivering a solution, security must be an integral part of that solution. A huge risk occurs when IT overlooks or bypasses security in the attempt to bring the solution to fruition in order to satisfy the business need. Those are cases when the risk assessment has to be presented to someone over the business, IT, and security leaders, in order to make a final decision, and that person is usually a C-level. After all, the C-levels are assumed to have the best interest of the organization in mind.

"The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls." Everything is negotiable, as the old saying goes, and this is especially true in risk management. The art of compromise is sometimes lost in the security discussion, as all three parties have their priorities, and this is where soft skills play the most important part. Security professionals must have the communication and cooperative skills in order to present their case in a reasonable way, so that everyone wins. When you think about it in the large scale of things, there are very few vulnerabilities for which there are no compensating controls (the times when security MUST say NO). It should be noted that sometimes a compensating control is not the best solution, and is often a temporary workaround. The search for a permanent solution must be noted in the discussion, so that no workaround is orphaned and taken for granted.

"In all cases, good risk management practices become part of the negotiation equation." I have seen large organizations that do not have a formal risk management program. Nothing is scarier than that scenario in a large organization. How can we possibly instill a disciplined approach to incorporate security into a project when the culture of the organization does not even recognize the need for risk based security?

"There have been times where "NO" was the only answer."  I have experienced this in person, and have had the feeling that all the eyes around the table were shooting poisoned darts with barbs at me. The C-level must be the tie-breaker.

@zerox203  You made this point about schools:

"The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else." This is true. I teach security classes in a Bachelor's program, and I do teach them that, but with a caveat. Although they must protect the data, I stress that they do not own that data, and that the decision maker regarding that data is the owner. We, as security professionals, simply enforce what the data owner decides. We provide advice and consent appropriately, but when we believe that what they propose exceeds the bounds of security, we must engage upper management in the decision making process.

One of the things my students dislike is that when it comes to group projects, I alone pick the group members. Here is how I present that: "When you are hired for a position, do you get to tell the hiring manager to fire everyone else on the team so that you can bring your own team in?" I also make it a point to separate those who have close ties into separate groups. This allows a better development of cooperation and teamwork, soft skills that will be essential in their careers. Another thing I do is use grammar and effective writing as grading criteria. I remind them that their output must be fit for executive consumption, and will often determine their effectiveness in the organization. Lastly, I remind them that although organizations love to hire geeks, they absolutely hate to hire a geek with the personality of a doorknob.
User Rank: Ninja
9/16/2014 | 4:53:44 PM
Re: The Security Skill Shortage
Wow, thanks for that, aws0513! It's easy to see the forest for the trees reading Jeremy and Emma's article, but sometimes it's important to look at the trees too! It's much appreciated to have a detailed perspective on the challenges and best practices from someone who's on the ground in Info Security (as I'm not in security myself). As you say, it seems a little self-evident that you ought to develop these soft skills gradually as you build your career. Many people simply don't, though, and it's worth getting into the specifics of where to start, and what kind of goals to set, as they vary from department to department.

I think you're right about security being regarded as 'the department of 'no''. In fact, we hear that about IT all the time, but it goes double when we're talking about security. To be honest, I don't think there's anything wrong with that in itself - security is justified in starting with 'no' just as management is going to start at 'yes'. You just can't stick at 'no' - you have to meet somewhere in the middle. The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else. That's not true, though - it's the business' data. You're right to encourage them to learn to 'let go' in baby steps - and over the course of your career, you'll find middle grounds, methods, and strategies you're comfortable with.
User Rank: Strategist
9/16/2014 | 2:41:24 PM
The Art of How do we get to YES.
Early in my long IT career, the IT security guy was commonly considered the "King of NO".
That was not far off because that was the most common response to questions regarding changes or additions to the IT environment.
I recall many heated battles between business managers with legitimate business needs and IT security managers with legitimate security concerns.  Neither side willing to negotiate on the requirements.  Very little discussion took place with a comprehensive risk management approach or understanding.  Everything was about authority and power base.  Often, it took a C-level decision to resolve the issue.

As I began to roll into my career as an IT security officer, I was mentored by a very seasoned physical security professional who instructed me on how important it is to try everything possible to say "YES".
Often, this is still not very easy to do in the face of fast paced changes in the business landscape.  The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls.  At the same time, keep the IT management in the loop so they also can bring options to the table to assist in the effort.

Now I often find myself sitting next to the project managers as they negotiate the challenges involved with a specific project.  As I attend these meetings, I am constantly reiterating in my head "How do we get to yes?"  I do this as SOP for every situation where negotiation is necessary to find that secure solution that fits the situation.  In all cases, good risk management practices become part of the negotiation equation.  Always trying to find how we can achieve the goal of the project, while mitigating the risks involved, that is feasible and secure enough to reach a reasonable risk acceptance point that management can swallow.

Again...  this isn't always easy to do.  There have been times where "NO" was the only answer...  for now.
But keeping an open mind to new ideas with an ever present attention to the security of the data involved has served me well in recent years when I help organizations find a secure solution for a business requirement that everyone can say "YES" to.

BTW... people skills are something that can be learned.
But... just like cooking or writing... the only way to get good at people skills is to practice people skills.