Surviving the Security ‘Skills Desert’

If you’ve ever spent time in a desert, it may seem inconceivable to you that creatures actually can live there. The fact that animals not only survive, but also thrive in those conditions seems counterintuitive. In fact, a number of animals do so — in many cases, they are aided by an array of specialized adaptations that allow them to leverage the environment to their advantage.

For example, the thorny dragon lizard (Moloch horridus) literally absorbs water through its skin, and the fennec fox (Vulpes zerda) has oversized ears that it uses as natural “radiators” to modulate its internal temperature in the heat. Because of these adaptations, these animals have an advantage. Specifically, they can exist in harsh conditions, and thereby inhabit an area (making the most of the resources in that area) without competition. By adapting to the conditions, they are successful where others can’t be.

There is a lesson here for security professionals. Specifically, data suggests that we’re in the middle of a “security skills gap” — very much like a “desert of skills.” For example, 37 percent of respondents to ISACA’s State of Cybersecurity 2017 survey said that only one in four job candidates had the necessary skills to be effective, while more than 25 percent said it took six months or longer to fill positions. The implication is that companies are struggling to find the right personnel. Positions are staying open longer, the few candidates there are lack critical skills and qualifications, and overall it is a challenge to align personnel with areas of need.

Organizations then have a choice: They either adapt — consciously and systematically building in the adaptations that help them to be successful in this environment — or struggle along with the status quo. Fortunately, there are a few strategies that organizations can employ to help adapt to these conditions. These aren’t exactly rocket science, but using them does require some planning — and, more important, a shift in mentality.

Protect the Skills You Have

In a literal desert, water is almost always the limiting resource. There, adaptations help animals retain, absorb and otherwise make the most efficient use of what little water is available. This is analogous to the staff we already have in the “skills desert.” For us, personnel and the skills they embody are the limiting resources. Desirable adaptations protect those resources — that is, they help us make the most efficient use of them.

First and foremost, maximizing our recruitment efforts — and minimizing attrition — are paramount. One opportunity to accomplish this at little additional direct cost is to embrace varied work expectations and to be flexible about how people do their jobs. This can mean strategically leveraging remote staff, of course, but also can make us more efficient in the process. For example, younger professionals often expect technical agility, mobility and flexibility in how they work: They might desire the ability to work from their mobile device or otherwise be more agile.

The degree to which we can support them in this has a twofold impact: It makes recruitment easier, and it helps retain those already on board. Moreover, that agility and flexibility can help our existing staff be more efficient to boot.

Likewise, job rotation (cross-training) can help too. What’s meant by that is rotating jobs and cross-pollinating skills throughout the team. This has a few beneficial effects. It helps with skill-building generally — it’s intellectually stimulating to personnel, and it represents an investment in employees’ overall skillsets.

It also can help minimize the impact of any attrition that does occur by ensuring that critical skills are shared among multiple staff members. Moreover, it helps to keep staff interested, engaged, and — most importantly — in-house. Staff that focus solely on repetitive tasks and aren’t challenged are more likely to be a flight risk. Sure, they might be good at a particularly unsexy task, but an opportunity to try something else can go a long way toward keeping them plugged in.

Leverage Automation and Enlist Agents

As you might expect, in an environment where there aren’t enough resources to do the tasks already pending, anything that can be automated has value in increasing the efficiency of staff resources.

Specifically, automation of existing work can free staff time, allowing them to focus on the bigger picture — to accomplish more in the same time frame. Each area that we can automate relieves some of the burden on personnel and gives them time to do the things they otherwise couldn’t get to. Granted, automation might take some investment, but it can have a larger return than it might appear when resource considerations are taken into account.

In addition to the increase in resource efficiency, implementation of a tool to automate certain security tasks can itself be an investment in staff skill building and engagement. As staff plan, implement, and learn to use the new tool, they gain experience and skills that are valuable to them and thereby make them more valuable.

The best-case scenario is when automation can help remove repetitive, onerous, or non-stimulating tasks that undermine staff satisfaction, and thereby increase attrition, while at the same time providing valuable skills and increasing engagement.

Keep in mind that there is more to automation than implementing tools. There could be useful tools in other areas, or staff outside our organization who do work that could be valuable to us.

Partnering with other teams can help staff be more efficient in much the same way that automation does. Organizations with similar focus, such as internal audit, business continuity planning, purchasing, etc., can be a useful information source and potentially may have investments in tools that can be leveraged for utility against security goals.

Streamline Recruitment

The last adaptive strategy we’ll discuss here is an optimization of the onboarding process when it comes to bringing in skilled staff and vetting out the unskilled applicants — specifically, by minimizing the false starts and being as efficient as we can be in recruiting staff in the first place.

As a starting point, make an effort to understand the recruitment process that your organization uses. Where are candidates coming from, and what is driving new additions to the staffing funnel? What happens to the candidates that aren’t quite a fit for a position open today?

Is a relationship maintained with them, or are you starting the recruiting process from ground zero with every new open position? It behooves us to understand this, because our ability to be efficient in sourcing ties directly to our being able to operate in the current conditions.

Consider maintaining a team talent portfolio and supplementing it with a personal one. An applicant who is skilled may be a good lead to approach when a new position opens up. Also, individuals you personally know can be tapped to provide backchannel information on qualified candidates who might not yet be on the open market.

Lastly, put some thought into how you’re interviewing candidates. How disruptive are existing hiring processes to the already-overloaded staff? If the answer is “a lot,” consider alternative mechanisms, such as accreditation or hands-on testing, to ensure that a skill level can be assessed objectively without a lot of overhead from existing staff.

The degree to which you can streamline this can not only help you to be more efficient and faster in hiring, but also reduce the impact on existing staff.

Just as there are hundreds of different adaptations that enable desert creatures to thrive, so too there are hundreds of potential approaches to meeting the skills challenge. What matters most is the change in thinking required to approach it in an innovative way.

Ed Moyle

Ed Moyle is Director of Thought Leadership and Research for ISACA. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.
