February 25, 2013 by
Infosec Management Is The Problem
This was originally posted on blogger here.
I regularly hear keynotes, presentations, and press releases from industry and, in particular, the government, about how there are simply not enough information security professionals to do the jobs available. They seem to imply that what we need is a larger pool of information security professionals. I think this is patently untrue.The unavailability of infosec professionals is a manufactured shortage. It's controlled by many factors: specialization within information security, required certifications, fragmented compliance standards, required software qualifications, clearances, and job locations to name a few. Infosec, cybersec, or whatever you want to call it is one of the coolest yet most accessible STEM jobs available. There is a huge body of programmers, systems administrators, and technology professionals who would gladly work in infosec. No, what we have is a management problem.
Management Problem 1: Who we will hire.
If you are CYBERCOM, you want 4,000 qualified cyber security professionals. Except you want them in the Washington D.C. area with a TS/SCI clearance. If you are DHS, you still want them with a clearance as well as an arbitrary certification. If you are a business, you want them with broad infosec knowledge, experience on the tools you've bought, certification in your area of specialty, and experience in your specific compliance regimen. The frank fact is that deep experience is somewhat mutually exclusive with specialization in your business area. As anyone gains experience, they're going to have it mostly in one technical area (whether it be IDS-firewall-SEIM management, pen-testing, systems administration, etc) as well as one field of application (military, ICS, health care, payment, etc). They will know about the other areas, but not be experienced in them. They will also be older, which means they're more likely to have a family, which means they likely need to live near the business.
All of this adds up to restricting the pool of 'qualified' applications unnecessarily. The person who understands NIST compliance will pick up PCI DSS compliance fairly quickly. The person who can use Splunk will understand IBM Tivoli. If the person can do the job, they will be able to gain whatever certification is necessary.
Alternately, an organization could simply hire out of the body of skilled programmers and systems administrators and plan to train them in security. With some minor planning, this will provide much better employees anyway as you can ensure their skill set and most will enjoy the opportunity to improve their skills. Frankly, the industry moves so fast that you're going to be continuously training your infosec professionals anyway. Someone who has simply been the specialist in their area for years without continuous education is likely just as ready to take the job as a newcomer to infosec, regardless of what their resume says. What you really get with an experienced employee is maturity and acclimation to the business environment.
Management Problem 2: Getting them.
First, if you happened to have found the perfect person, they know it too. They will expect to be very well paid (regardless of how mundane the actual job is). Additionally, if the job description says you wanted an infosec deity yet your plan is to have them write firewall rules all day, they might not be amused. If you hire highly technical, highly skilled people, give them a broad, highly technical job. Give the firewall rule writing to an intern with a reference manual. Also, be mindful of your location. Do you really need the person on sight or would one week a month work? Most people either love or hate the urban environments of the coast. Finally, if you're the government, don't require clearances for everyone. There's a large portion of the infosec community who doesn't want to have a clearance. They are good, honest, professionals. They just don't want the obligations and hassle associated with a clearance. Additionally, be leaving defensive work as unclassified as possible, you make it available to industry who desperately needs it.
Management Problem 3: Keeping them.
So you gave a bunch of money to a rock star infosec professional. Or maybe you hired a young gun to become one of your infosec gurus. Like many things in life, they won't stay or be productive unless they are treated right. The very first step is to figure out what type of person they are. (Employers should have figured this out before they hired, but it can take some time.) Some people enjoy 'turning the crank'. They enjoy doing a somewhat repeatable job that has clear bounds. If that's the type of infosec professional you hired, best not to ask them to architect your infosec defense. Put them on change request review. Alternately, if they are a creative self-starter, asking them to predominantly push windows patches may not provide them a fulfilling work life. Regardless, most infosec professionals have some ideas about how things could be done better. listen and act on them! Clearly the status quo is not good enough. Implicitly that means new ideas will be required to get an acceptable infosec posture.
Second, provide a career, not just a job. Currently, infosec is about desperately needing to fill some niche in an organizations security team. This simply makes for pigeon-holed, unfulfilled, employees. The wealth of infosec training is absolutely necessary to help employees grow in their career (as well as simply maintain their proficiency). Additionally, there is a need to provide a career progression. The guy watching the SEIM at night should know where he will be promoted next if he does well. There should be tractability from his position to CISO with a list of necessary skills to move to the next level. Finally, as stated above, give your employees a chance to have their ideas assessed and supported. You hired them to solve problems. Listen to the solutions they provide. When you don't listen, people leave or simply give their ideas to someone else, (most likely github).
In Conclusion.
Any organization should be able to meet their security needs. They won't do it by hiring the perfect infosec professionals, but hiring an appropriate mix of creative thinkers and skilled crank turners, preparing them for the work the organization needs done, and then providing them rewards and career growth for accomplishing it. Until we realize infosec staffing is a management problem and not a labor force one, our information security will continue to lag.
Epilogue.
I do want to point out that most of these are not specific to infosec. Any seasoned manager will notice that these are general management concepts. They apply to almost any skilled labor force. That said, I think the mysticism behind computer security has caused us to go blind on infosec management. Organizations believe infosec is a type of voodoo that only an appropriate witch doctor can wield. Consequently, organizations forget everything they know about management and instead hand the entire operation (management and all) over to whoever their current chosen witch doctor is. Instead they should treat it as any other skilled profession. Good management will lead to good recruiting. No voodoo necessary.