The Security Skills Shortage No One Talks About
@aws0513 I found myself nodding each time you made a point in your post. In over 20 years of IT experience, I have been there and done that so many times. Some very important points you made:
"Often, it took a C-level decision to resolve the issue." This is precisely why IT and security leaders have to be separate entities in the discussion with the business leaders. When the business requirements pressure IT into delivering a solution, security must be an integral part of that solution. A huge risk occurs when IT overlooks or bypasses security in the attempt to bring the solution to fruition in order to satisfy the business need. Those are the cases when the risk assessment has to be presented to someone over the business, IT, and security leaders in order to make a final decision, and that person is usually a C-level. After all, the C-levels are assumed to have the best interest of the organization in mind.
"The trick is to bring every compensating control possible to the table that is both feasible and reasonable, and then work with the business owners to determine what is palatable in regards to those controls." Everything is negotiable, as the old saying goes, and this is especially true in risk management. The art of compromise is sometimes lost in the security discussion, as all three parties have their priorities, and this is where soft skills play the most important part. Security professionals must have the communication and cooperative skills in order to present their case in a reasonable way, so that everyone wins. When you think about it in the large scale of things, there are very few vulnerabilities for which there are no compensating controls (the times when security MUST say NO). It should be noted that sometimes a compensating control is not the best solution, and is often a temporary workaround. The search for a permanent solution must be noted in the discussion, so that no workaround is orphaned and taken for granted.
"In all cases, good risk management practices become part of the negotiation equation." I have seen large organizations that do not have a formal risk management program. Nothing is scarier than that scenario in a large organization. How can we possibly instill a disciplined approach to incorporate security into a project when the culture of the organization does not even recognize the need for risk based security?
"There have been times where 'NO' was the only answer." I have experienced this in person, and have had the feeling that all the eyes around the table were shooting poisoned darts with barbs at me. The C-level must be the tie-breaker.
@zerox203 You made this point about schools:
"The truth is, though, that goes against some of what aspiring security pros are taught in school - they're taught that their data is like their children, and they have stewardship of it over everyone else." This is true. I teach security classes in a Bachelor's program, and I do teach them that, but with a caveat. Although they must protect the data, I stress that they do not own that data, and that the decision maker regarding that data is the owner. We, as security professionals, simply enforce what the data owner decides. We provide advice and consent appropriately, but when we believe that what they propose exceeds the bounds of security, we must engage upper management in the decision-making process.
One of the things my students dislike is that when it comes to group projects, I alone pick the group members. Here is how I present that: "When you are hired for a position, do you get to tell the hiring manager to fire everyone else on the team so that you can bring your own team in?" I also make it a point to place those who have close ties in different groups. This allows a better development of cooperation and teamwork, soft skills that will be essential in their careers. Another thing I do is use grammar and effective writing as grading criteria. I remind them that their output must be fit for executive consumption, and will often determine their effectiveness in the organization. Lastly, I remind them that although organizations love to hire geeks, they absolutely hate to hire a geek with the personality of a doorknob.