The Security Skills Shortage No One Talks About - InformationWeek


Lack of soft skills in information security is an even bigger problem than the shortage of technical expertise.


Seventy-five percent of chief information security officers (CISOs) say that someone on their team is asked to speak in front of the board of directors or CEO at least once a year, a CEB survey finds.

Sixty-seven percent of information security professionals across all roles say they interact with a business partner outside security at least daily, a similar survey finds.

What these findings show is that information security's rise in prominence within companies is amplifying the need for soft skills alongside technical security depth. Even employees with deep technical security backgrounds must be able to explain advanced threats to a senior audience and drive investments in security.

"Anyone can do security -- just unplug the computer," the CISO at a Fortune 500 food services company put it during our research. "The real question is, 'Can we develop people who can communicate with, engage, and understand the business?'"


CEB interviewed CISOs across the globe about their most pressing concerns, and this soft skills shortage came up repeatedly.

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.

The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills, or competencies, has gone largely unmentioned in the public discussion. Leaders in information security are beginning to take notice, and our research lends empirical support for increasing investments in growing the prevalence of soft skills in security.


Soft skills are a powerful predictor of performance in security
Using methodology from CEB SHL Talent Measurement, we have built a scientific behavioral assessment for IT staff that measures their proficiency at 12 competencies, including soft skills such as influence and organizational awareness. Using this assessment tool, we measured competencies of more than 350 information security professionals at more than 45 organizations.

We found soft-skill competencies to be more important to performance in security than technical expertise, but significantly less prevalent. Technical certification, higher education in information security, and past experience in IT -- even when combined -- are less predictive of a security professional's performance than proficiency in competencies such as business-results orientation, decision-making, influence, and organizational awareness. Startlingly, fewer than 40% of today's information security workforce is proficient in any of these four soft skills.

Although it may seem counterintuitive, soft skills' dominant impact on security professionals' effectiveness is consistent with an evolution in information security's mandate over the past several years.

In the past, security was most often a small, back-office function that interacted infrequently with the organization outside of IT. The security team made decisions about how to mitigate information risks in isolation, typically emphasizing the reduction of risk, regardless of its impact on business outcomes. The ability to identify threats and build effective technical controls was singularly important to a security professional's effectiveness. Soft skills were considered, at best, inessential.

Much has changed. Business unit leaders saw that the security team's risk aversion was detrimental to business goals, so they started circumventing security entirely. To avoid such end-runs, most CISOs shifted their teams to a more consultative model. Today, instead of working to reduce information risk in isolation, security professionals are expected to help business leaders understand risk, balance it against business goals, and choose appropriate courses of action themselves. Technical acumen remains table stakes for the security team, but if not coupled with an understanding of business context and ability to effectively influence others, this expertise is insufficient.

CEB's analysis of the most progressive CISOs' talent-management practices reveals a common set of tactics most effective at promoting staff development of soft competencies: 

Invest in coaching. Contrary to conventional wisdom, soft skills are not "innate" but can be taught -- especially through effective coaching. Managers in security should look for opportunities to show their employees how they can use soft-skill competencies to more effectively execute tasks.

Create opportunities for on-the-job learning. Formal training for soft skills is rarely effective. Instead, managers in security should look for opportunities to provide staff "stretch" opportunities that will compel them to think about business realities or communicate with a non-security audience.

Make it a team effort. CISOs saw some of the most dramatic changes in staff performance when they began discussing business and organizational context during team meetings. Creating a group discussion around how security's work impacts the business is a powerful way to change the security team's mindset.

Information security executives who invest in developing staff able to understand, communicate with, and influence the many components of their organizations will see their teams brought into key projects and decisions earlier, more often, and with better outcomes. It is this embedding of security into organizations' processes that will be key to protecting information in an increasingly volatile and crowded threat environment.

Need to broaden your security team's business-tech acumen? Send them to the one-day InformationWeek Leadership Summit, Sept. 30 in New York City, at Interop New York. Use the half-off promotion code BLSUMMIT.

Jeremy Bergsman is practice manager and Emma Kinnucan is a senior research analyst at CEB.

User Rank: Strategist
9/17/2014 | 9:55:12 AM
The Security Skills Shortage No One Talks About
@aws0513  I found myself nodding each time you made a point in your post. In over 20 years of IT experience, I have been there and done that so many times. Some very important points you made:

"Often, it took a C-level decision to resolve the issue." This is precisely why IT and Security leaders have to be separate entities in the discussion with the business leaders. When the business requirements pressure IT into delivering a solution, security must be an integral part of that solution. A huge risk occurs when IT overlooks or bypasses security in the attempt to bring the solution to fruition in order to satisfy the business need. Those are cases when the risk assessment has to be presented to someone over the business, IT, and security leaders, in order to make a final decision, and that person is usually a C-level. After all, the C-levels are assumed to have the best interest of the organization in mind.

"The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls." Everything is negotiable, as the old saying goes, and this is especially true in risk management. The art of compromise is sometimes lost in the security discussion, as all three parties have their priorities, and this is where soft skills play the most important part. Security professionals must have the communication and cooperative skills in order to present their case in a reasonable way, so that everyone wins. When you think about it in the large scale of things, there are very few vulnerabilities for which there are no compensating controls (the times when security MUST say NO). It should be noted that sometimes a compensating control is not the best solution, and is often a temporary workaround. The search for a permanent solution must be noted in the discussion, so that no workaround is orphaned and taken for granted.

"In all cases, good risk management practices become part of the negotiation equation." I have seen large organizations that do not have a formal risk management program. Nothing is scarier than that scenario in a large organization. How can we possibly instill a disciplined approach to incorporate security into a project when the culture of the organization does not even recognize the need for risk based security?

"There have been times where "NO" was the only answer."  I have experienced this in person, and have had the feeling that all the eyes around the table were shooting poisoned darts with barbs at me. The C-level must be the tie-breaker.

@zerox203  You made this point about schools:

"The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else." This is true. I teach security classes in a Bachelor's program, and I do teach them that, but with a caveat. Although they must protect the data, I stress that they do not own that data, and that the decision maker regarding that data is the owner. We, as security professionals, simply enforce what the data owner decides. We provide advice and consent appropriately, but when we believe that what they propose exceeds the bounds of security, we must engage upper management in the decision making process.

One of the things my students dislike is that when it comes to group projects, I alone pick the group members. Here is how I present that: "When you are hired for a position, do you get to tell the hiring manager to fire everyone else on the team so that you can bring your own team in?" I also make it a point to separate those who have close ties into separate groups. This allows a better development of cooperation and teamwork, soft skills that will be essential in their careers. Another thing I do is use grammar and effective writing as grading criteria. I remind them that their output must be fit for executive consumption, and will often determine their effectiveness in the organization. Lastly, I remind them that although organizations love to hire geeks, they absolutely hate to hire a geek with the personality of a doorknob.

User Rank: Ninja
9/16/2014 | 4:53:44 PM
Re: The Security Skill Shortage
Wow, thanks for that, aws0513! It's easy to see the forest for the trees reading Jeremy and Emma's article, but sometimes it's important to look at the trees too! It's much appreciated to have a detailed perspective on the challenges and best practices from someone who's on the ground in Info Security (as I'm not in security myself). As you say, it seems a little self-evident that you ought to develop these soft skills gradually as you build your career. Many people simply don't, though, and it's worth getting into the specifics of where to start, and what kind of goals to set, as they vary from department to department.

I think you're right about security being regarded as 'the department of 'no''. In fact, we hear that about IT all the time, but it goes double when we're talking about security. To be honest, I don't think there's anything wrong with that in itself - security is justified in starting with 'no' just as management is going to start at 'yes'. You just can't stick at 'no' - you have to meet somewhere in the middle. The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else. That's not true, though - it's the business' data. You're right to encourage them to learn to 'let go' in baby steps - and over the course of your career, you'll find middle grounds, methods, and strategies you're comfortable with.

User Rank: Strategist
9/16/2014 | 2:41:24 PM
The Art of How do we get to YES.
Early in my long IT career, the IT security guy was commonly considered the "King of NO".
That was not far off because that was the most common response to questions regarding changes or additions to the IT environment.
I recall many heated battles between business managers with legitimate business needs and IT security managers with legitimate security concerns.  Neither side willing to negotiate on the requirements.  Very little discussion took place with a comprehensive risk management approach or understanding.  Everything was about authority and power base.  Often, it took a C-level decision to resolve the issue.

As I began to roll into my career as an IT security officer, I was mentored by a very seasoned physical security professional who instructed me on how important it is to try everything possible to say "YES".
Often, this is still not very easy to do in the face of fast paced changes in the business landscape.  The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls.  At the same time, keep the IT management in the loop so they also can bring options to the table to assist in the effort.

Now I often find myself sitting next to the project managers as they negotiate the challenges involved with a specific project.  As I attend these meetings, I am constantly reiterating in my head "How do we get to yes?"  I do this as SOP for every situation where negotiation is necessary to find that secure solution that fits the situation.  In all cases, good risk management practices become part of the negotiation equation.  Always trying to find how we can achieve the goal of the project, while mitigating the risks involved, that is feasible and secure enough to reach a reasonable risk acceptance point that management can swallow.

Again...  this isn't always easy to do.  There have been times where "NO" was the only answer...  for now.
But keeping an open mind to new ideas with an ever present attention to the security of the data involved has served me well in recent years when I help organizations find a secure solution for a business requirement that everyone can say "YES" to.

BTW...  people skills are something that can be learned. 
But...  just like cooking or writing...  the only way to get good at people skills is to practice people skills.