Security Shortage? Look Internal.
There has been an increasing amount of commentary about the growing shortage of Information Security folks. While the reasons for this shortage are manifold and easily explained, that doesn't change the fact that it exists. Nor the fact that natural forces may well be causing it to worsen.
Here's why we're where we are:
- Information Security is a thankless job. Literally thankless. If you do enough to protect the organization, everyone hates you. If you don't do enough to protect the organization, everyone hates you.
- Information Security is hard. Attacks are constantly evolving, and often sprung out of the blue. While the InfoSec professionals are protecting against three threats they have ferreted out, a fourth blindsides them.
- Information Security is complex. A different point, but similar to the one above. You can't just get by in InfoSec. You have to know some seriously deep things, and be constantly learning.
- Information Security is demanding. When the attackers come on a global clock, defenders have to be ready to respond on one. That means there are limits to "time off", counting both a good night's sleep and vacations as casualties.
- The shrinking pool has made the last point worse. With fewer people to share the load, there is more load for each person to carry: more on-call, more midnight response, more everything.
- Making do with the best security staff you can find may well be killing the rest of your InfoSec team. If "the best you can find" isn't good enough, others must pick up the slack.
And those last two points are the introduction to today's thought. Stop looking for the best InfoSec people you can find. Start training good internal employees in InfoSec. You all know this is the correct approach. No matter how good you are at Information Security, familiarity with the network, systems, or applications of your specific organization is at least as important. Those who manage the organization's IT assets know where the weaknesses are and can quickly identify new threats that pose a real risk to your data. The InfoSec needs of a bank, for example, are far better served by someone familiar with both banking and this bank than by someone who knows Information Security but learned all that they know at a dog pound. The InfoSec needs of the two entities are entirely different.
And there's sense to this idea. You have a long history of finding good systems admins or network admins and training them in your organization's needs, but few organizations have a long history of hiring security folks and doing the same. With a solid training history and a deeper available talent pool, it just makes sense to find interested individuals within the organization and get them security training, backfilling their positions with the readily available talent out there.
Will it take time to properly vet and train those interested? Of course it will. Will it take longer than it would take to bring an InfoSec specialist up to speed on the intricacies of your environment? Probably not. SharePoint is SharePoint, and how to lock it down is well documented, but that app you had custom developed by a coding house that is now gone? That's got a very different set of parameters.
Of course this option isn't for everyone, but combined with automating what is safe to automate (which is certainly not everything, or even the proverbial lion's share), you'll have a stronger security posture in the long run. These are people who already know your network (and, perhaps more importantly, your work environment) but have an interest in InfoSec. Give them a shot; you might be pleased with the results.
As to the bullet points above? You'll have to address those long-term too. They're why you're struggling to find InfoSec people in the first place. Though some of them are out of your control, you can offer training and trips to conferences like DefCon to minimize them.
For further information visit: http://cloudcomputing.sys-con.com/node/2405376/print