How to staff a next-gen IT security team
Enterprise digital assets are more susceptible to attack than ever before. Companies need seasoned leaders to lead their digital defense. But the shortage of experienced security technologists demands new approaches to filling open positions. Enterprises that wish to survive will need to take the long-term approach and create their own pools of experts.
Cybersecurity professionals are under the gun given the proliferation of cyberattacks and the responsibility they bear for protecting their organizations. The number of qualified applicants for top-level chief information security officer positions is too small for companies to be able to make choices from a large field of resumes, and those who do apply are often woefully underqualified for even rank and file IT security positions.
Part of the problem is that the CISO is often seen as what David Strom termed the chief impending sacrifice officer, meaning someone who will take the blame when the company experiences a breach. The applicant pool is so small that according to employment site Indeed, “When we compare clicks from job seekers to openings for cybersecurity roles posted by employers, we can see just how serious the talent shortage gets and the scale of the risk it represents for organizations.… Suddenly the language of 'crisis' seems quite justified.”
Shortages of IT professionals are historically common. When new technologies appear on the landscape, there is an initial void of experience that usually gets filled as workers with experience in related fields come up to speed on the new technologies. But individuals may be less enthusiastic about stepping into the ring for jobs as cybersecurity professionals in general and CISOs in particular because the list of cyberattacks is staggering and growing, and their chance of thwarting every one of them is slim.
According to Privacy Rights Clearinghouse, there were 807 identified security breaches where data was compromised in 2016, compared with 531 in 2015. IT pros who understand these risks may be loath to pursue a line of work that poses so many potential career-ending possibilities. Top management needs a long-term plan to create the next generation of IT security experts it needs from the ground up, and then set them up to succeed even when the odds are stacked against them.
Develop a culture of security
Encryption, endpoint security, and password maintenance are all part of a complete IT security plan. Yet, even the best and most rigorous security plans often fail because individual employees don’t understand how cyberattacks happen. When every technological precaution has been considered and implemented, and every operating system and application updated with current patches, a single click on a malicious URL can start a chain reaction leading to exposure and attack.
While CISOs need to lead the charge for security, they also need to position themselves as the guide rather than the single point of responsibility so they don’t see their career threatened every day. Social engineering attacks happen much more quickly than the positive social engineering—starting with education and training—needed to minimize this point of entry.
For example, the McAfee Labs Threat Report for 2016 reported more than 157 million phishing attempts. Despite all the high-profile warnings about bogus emails, 55 million users fell for these scams and clicked through. Noted computer hacker turned cybersecurity expert Kevin Mitnick agrees, noting that companies “spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”
The best defense against this kind of intrusion is the education of every individual who interacts with a computer. The widespread phenomenon of spear phishing, where higher-level executives are hit with targeted fraudulent emails, shows why this training and education needs to extend all the way to the top.
However, while education is important, it's not the entire answer. Just as society defines certain acts as morally reprehensible, employees need to be aware of their own responsibility to avoid activities that can endanger their workplace.
The supply of qualified candidates for CISO and IT security team positions is unlikely to meet demand for some time, and attracting the candidates that do exist will remain a difficult task. Enterprises need more qualified security professionals, and these individuals must have confidence that their jobs are secure. Companies need to approach these issues by creating a supportive and knowledgeable culture like the one described above, and developing a personalized career path for security professionals.
Internal training and development programs have worked well for Marriott International, Schneider Electric, and other companies that face staffing shortages in specialty fields. To be sure, this is not a quick fix, but protecting the enterprise against cyberattacks is a long-term responsibility.
Cybersecurity career training is available from a variety of companies that offer certifications in cybersecurity and related fields. These courses cover a wide range of topics and provide an easy entry point for companies wanting to educate their existing technically proficient staff in these specialty areas.
Classroom-based and online courses allow employees to boost their knowledge on a schedule that fits their work, and companies can offer tuition reimbursement plans to encourage their employees to participate. A cybersecurity certificate should have a defined course requirement that matches the company’s overall needs for both short- and long-term career goals. This is not a place where skimping on expenditure is a viable choice for long-term company survival.
At educational institutions
Technical colleges provide local career education to both employed individuals and those hoping to find positions in their desired fields, but the currency and depth of training can vary among institutions. Find a local technical college that has a reputation of offering the best education in the area and form an alliance with the institution to develop courses that meet your criteria, and then sponsor employees who are interested in the career opportunity. You can also improve the hiring pool by offering real-world internships.
In addition, offer your own qualified experts as either professors or adjunct professors for specific courses. A long-term relationship with the right institution can provide a stream of qualified applicants who are already familiar with your staff. And the teachers’ direct contact with students provides a prequalification screen on the path to employment.
Within the organization
External programs are easy to get off the ground because the courses are already available. Their subject matter is likely to cover entry-level and intermediate material, which makes them a great way to get employees started on a long-term career goal. The educational needs of senior analysts who deal with current and emerging threats may be better served by establishing internal education centers.
Specialty education requires high-level educators with current active knowledge. Depending on the size of your organization, this position might be a senior-level IT security employee serving a dual role—IT security and training director—or have a dedicated mission as head of the education effort with a continuing but lower hourly commitment to the practical security work. In either case, a significant amount of their time should be devoted to security topic research and coursework development to keep the training fresh and relevant to current threats.
Enterprises looking to build out their IT security staff on a larger scale may need to enlist external cybersecurity consultants. Some tasks, such as penetration testing, are well suited to contract relationships because they are short-term or periodic tasks. Organizations that face a long-term shortage of high-level expertise may want to establish an ongoing relationship with a cybersecurity services company.
There are plenty of choices in the managed security service provider (MSSP) category that can fill in the gaps as you develop your own team. And bringing in experienced staff, even if temporarily, can create a buffer period during which your existing staff can put its long-term staffing plan in place.
Build relationships at the top corporate levels
Professional networking can bring rewards for business relationships and for job seekers. It can also provide insights into trends and opportunities across nearly every facet of business. Current CISOs should prioritize making direct connections with top-level management within security service provider companies. Companies searching for top-level security staff should seek out their peers in security companies to learn about the business and stay in the loop regarding not only security issues, but also broader trends affecting privacy and security.
Make it your business
The lack of qualified IT security professionals has led to growth in MSSP startups with new entries of all sizes. TechRepublic estimates the cloud security market will be worth $12 billion by 2022. New entrants see opportunities to ride the wave and fill the employee shortage as outsourcing providers.
This growth opens opportunities for companies that confront multiple empty seats in their IT security section to take the approach of horizontally diversifying their operations by considering an acquisition of one of the MSSP startups. This can deliver a fully staffed security division with the added benefit of being a viable or promising business. In a best-case scenario, the newly acquired division could be profitable on its own with its own stable of customers.
Take the long view
The need for robust and experienced cybersecurity professionals is critical and will not go away. It’s up to enterprises to devise their own plans and develop their own security expertise, starting from the ground up if necessary.
How to fill your CISO and cybersecurity seats: Lessons for leaders
- Build a security outlook that goes beyond the CISO’s responsibility.
- Create educational opportunities that look to the future.
- Find existing candidates through non-traditional approaches.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.