The Security Skills Shortage No One Talks About - InformationWeek


Comments
aws0513, User Rank: Strategist, 9/16/2014 | 2:41:24 PM
The Art of How do we get to YES.
Early in my long IT career, the IT security guy was commonly considered the "King of NO".
That was not far off because that was the most common response to questions regarding changes or additions to the IT environment.
I recall many heated battles between business managers with legitimate business needs and IT security managers with legitimate security concerns. Neither side was willing to negotiate on the requirements. Very little discussion took place with a comprehensive risk management approach or understanding. Everything was about authority and power base. Often, it took a C-level decision to resolve the issue.

As I began to roll into my career as an IT security officer, I was mentored by a very seasoned physical security professional who instructed me on how important it is to try everything possible to say "YES".
Often, this is still not very easy to do in the face of fast-paced changes in the business landscape. The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable with regard to those controls. At the same time, keep the IT management in the loop so they also can bring options to the table to assist in the effort.

Now I often find myself sitting next to the project managers as they negotiate the challenges involved with a specific project. As I attend these meetings, I am constantly reiterating in my head "How do we get to yes?" I do this as SOP for every situation where negotiation is necessary to find that secure solution that fits the situation. In all cases, good risk management practices become part of the negotiation equation. I am always trying to find a way to achieve the goal of the project while mitigating the risks involved, one that is feasible and secure enough to reach a reasonable risk acceptance point that management can swallow.

Again...  this isn't always easy to do.  There have been times where "NO" was the only answer...  for now.
But keeping an open mind to new ideas with an ever present attention to the security of the data involved has served me well in recent years when I help organizations find a secure solution for a business requirement that everyone can say "YES" to.

BTW...  people skills are something that can be learned. 
But...  just like cooking or writing...  the only way to get good at people skills is to practice people skills.
zerox203, User Rank: Ninja, 9/16/2014 | 4:53:44 PM
Re: The Security Skill Shortage
Wow, thanks for that, aws0513! It's easy to see the forest for the trees reading Jeremy and Emma's article, but sometimes it's important to look at the trees too! It's much appreciated to have a detailed perspective on the challenges and best practices from someone who's on the ground in Info Security (as I'm not in security myself). As you say, it seems a little self-evident that you ought to develop these soft skills gradually as you build your career. Many people simply don't, though, and it's worth getting into the specifics of where to start, and what kind of goals to set, as they vary from department to department.

I think you're right about security being regarded as 'the department of no'. In fact, we hear that about IT all the time, but it goes double when we're talking about security. To be honest, I don't think there's anything wrong with that in itself - security is justified in starting with 'no' just as management is going to start at 'yes'. You just can't stick at 'no' - you have to meet somewhere in the middle. The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else. That's not true, though - it's the business's data. You're right to encourage them to learn to 'let go' in baby steps - and over the course of your career, you'll find middle grounds, methods, and strategies you're comfortable with.
GonzSTL, User Rank: Strategist, 9/17/2014 | 9:55:12 AM
The Security Skills Shortage No One Talks About
@aws0513 I found myself nodding each time you made a point in your post. In over 20 years of IT experience, I have been there and done that so many times. Some very important points you made:

"Often, it took a C-level decision to resolve the issue." This is precisely why IT and Security leaders have to be separate entities in the discussion with the business leaders. When the business requirements pressure IT into delivering a solution, security must be an integral part of that solution. A huge risk occurs when IT overlooks or bypasses security in the attempt to bring the solution to fruition in order to satisfy the business need. Those are cases when the risk assessment has to be presented to someone over the business, IT, and security leaders, in order to make a final decision, and that person is usually a C-level. After all, the C-levels are assumed to have the best interest of the organization in mind.

"The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls." Everything is negotiable, as the old saying goes, and this is especially true in risk management. The art of compromise is sometimes lost in the security discussion, as all three parties have their priorities, and this is where soft skills play the most important part. Security professionals must have the communication and cooperative skills in order to present their case in a reasonable way, so that everyone wins. When you think about it in the large scale of things, there are very few vulnerabilities for which there are no compensating controls (the times when security MUST say NO). It should be noted that sometimes a compensating control is not the best solution, and is often a temporary workaround. The search for a permanent solution must be noted in the discussion, so that no workaround is orphaned and taken for granted.

"In all cases, good risk management practices become part of the negotiation equation." I have seen large organizations that do not have a formal risk management program. Nothing is scarier than that scenario in a large organization. How can we possibly instill a disciplined approach to incorporate security into a project when the culture of the organization does not even recognize the need for risk based security?

"There have been times where 'NO' was the only answer." I have experienced this in person, and have had the feeling that all the eyes around the table were shooting poisoned darts with barbs at me. The C-level must be the tie-breaker.

@zerox203  You made this point about schools:

"The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else." This is true. I teach security classes in a Bachelor's program, and I do teach them that, but with a caveat. Although they must protect the data, I stress that they do not own that data, and that the decision maker regarding that data is the owner. We, as security professionals, simply enforce what the data owner decides. We provide advice and consent appropriately, but when we believe that what they propose exceeds the bounds of security, we must engage upper management in the decision making process.

One of the things my students dislike is that when it comes to group projects, I alone pick the group members. Here is how I present that: "When you are hired for a position, do you get to tell the hiring manager to fire everyone else on the team so that you can bring your own team in?" I also make it a point to separate those who have close ties into separate groups. This allows a better development of cooperation and teamwork, soft skills that will be essential in their careers. Another thing I do is use grammar and effective writing as grading criteria. I remind them that their output must be fit for executive consumption, and will often determine their effectiveness in the organization. Lastly, I remind them that although organizations love to hire geeks, they absolutely hate to hire a geek with the personality of a doorknob.
Charlie Babcock, User Rank: Author, 9/19/2014 | 6:40:10 PM
Security requires a conversation among peers
Knowing the business and being able to talk technology to business people are soft skills that have always been in style, if in short supply on the IT staff. It's the meshing of goals that requires a conversation among peers, and too often, someone in the conversation gets degraded from peer level, by one side or the other, before an agreement can be reached.
Ashu001, User Rank: Ninja, 9/22/2014 | 12:00:21 PM
The Writers Deserve an Award for Stating Things So Clearly.
Dear Writers,

You both deserve a massive, massive thank you and award just for sharing these lines with the wider IT audience:

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.

It's something which sounds so basic and simple, but it's so, so true and so ignored today!

As a security pro myself, I get the idea that security can be a mega-complex, mega-engrossing and messy affair which requires us to be tuned into the latest trends and what not (which are often changing on a weekly and sometimes daily basis as well), because that's what got us into this profession (and keeps us there) today.

However, not everyone cares or understands this about security. It's important to balance our personal passion for the job with the needs of the business, which are always paramount.

After all, if there is no business, what's the point of IT and security, for that matter?

Getting the right balance in place is mega-critical.
Ashu001, User Rank: Ninja, 9/22/2014 | 12:07:45 PM
Re: The Art of How do we get to YES.
Aws0513,

Super post!

Just wanted to add something else here: it's important for organizations to put a dollar value (as close as possible) on the data they would like IT security to secure.

When you get dollar values for everything on the table, it becomes so much easier to decide when to say yes and when to say no, to whom, and over which issue.

Does it make sense to spend 10,000 dollars on security products, software, processes, etc. to protect data which is maybe at best worth 100 dollars?

I don't think so.

This is very much an emerging area of IT administration and management; the sooner IT organizations get on top of it, the better it is for everyone concerned.
Ashu001, User Rank: Ninja, 9/22/2014 | 12:10:52 PM
Re: Security requires a conversation among peers
Charlie,

Very true!

It's this degrading of peers which needs to be prevented (and the resultant ego clashes to boot as well).

We can all save enormous time, money and resources in the process if we just stay disciplined and organized about and around this principle.
Ashu001, User Rank: Ninja, 9/22/2014 | 12:16:44 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

Brilliant points, all of them!

I am very sure that you make a brilliant teacher at university (and your students are really, really lucky to have you on board).

Basically what you are saying is that security should have a seat at the executive decision-making board.

But that happens only in companies where they have a CSO or CISO.

In other firms it's usually the CIO/CTO who handles and looks at security.

When you have security meshed amongst many other priorities, security usually tends to take a backseat.

Sad but true experience.
GonzSTL, User Rank: Strategist, 9/22/2014 | 1:06:09 PM
Re: The Security Skills Shortage No One Talks About
@Ashu001 It is not necessary for Security to have a seat on the Executive board - some small companies do not have many on the board itself. What is really important is that the lines of reporting and accountability should be different. If there is no CSO/CISO, then have security report to some executive other than the CIO/CTO if they exist. IT and Security, although rooted in the same foundations, should eventually diverge to enforce a separation of duties and avoid the negative consequences of any conflict of interest.

On another note, I am sure that some of my students do not appreciate the amount of work they have to do, or the effort they must put into the communication criteria I like to impose, but I am not there to win a popularity contest. I simply want to prepare them for something they will surely face in their future work environments. It is gratifying to see how their work has radically changed for the better, though.
ChrisMurphy, User Rank: Author, 9/22/2014 | 3:53:53 PM
Re: The Security Skills Shortage No One Talks About
I have discussed that separate reporting for security and IT functions with a few companies (specifically, a mutual fund company comes to mind), but I don't have a good sense of how common that is. Do you have a sense of whether it's the exception or the rule? I would think that as more companies see the fallout from security breaches, boards and CEOs will push for this independent security function.