The subject of the cyber security talent shortage has been over-reported to the extent that no one wants to talk about it anymore. Even more than that, the only solution that really ever gets mentioned is developing more university cyber programs. But that solution is dead wrong—or at least it misses the crux of the issue completely. Before I go any further, let’s set the record straight on just how acute the problem really is. According to results from a recent CSO Magazine survey, the majority of respondents have open headcount which, as the respondents describe it, has led to dismal outcomes. Namely, their companies’ security teams either cannot meet the demand of their existing responsibilities, or they purchase new security tools that become shelfware. Or both. Let’s switch gears now. If you’re curious about which skills appear to be in the most demand, I’ve got the latest and greatest (albeit based on anecdotal evidence because job titles vary so much):
- Incident Detection and Response
- Penetration Testers and Red Teamers
- Cloud Security
- Application Security and DevOps
Looking at the types of people whom companies want to hire (i.e. the list above), these are senior people—and here’s the issue with that. Even when you can hire senior people in these four roles (and it’s really hard to find them), you’re just poaching them from another company. Then what happens? Well, one thing we’re seeing is senior cyber talent having shorter tenures in their current roles. (Again, this is anecdotal, but I’ve heard several other colleagues say the same thing.) Why? Because some other company with a better offer or better benefits poaches them again. At this point, you would probably agree with me that you can’t hire your way out of this problem—at least not today—because there just aren’t enough people to hire. But I would go so far as to say that even if we had one million more senior cyber people who were looking for jobs, our problem still wouldn’t be solved. Why not? Because there is a much larger issue here which no one is talking about.
There are actually two major issues at play within the security and technology groups in most companies: 1) They have too much WIP (Work in Process), and 2) They have too much technical debt.
These issues just exacerbate the talent shortage. But here’s the clincher: hiring more people won’t solve either of these two problems! Instead, the problems persist, and hiring managers just spin their wheels while nothing actually changes. Most people understand the problem of technical debt (although that problem never seems to go away). But WIP? No one talks about this anymore, yet it’s the sole reason that DevOps was born–to reduce Work in Process. The authors of The Phoenix Project applied the concepts of lean manufacturing and reducing WIP outlined in The Goal to the business of technology and the Agile development style. And as we all know, the DevOps methodology has forever changed how software is developed. But here we are in 2019 with more WIP in our security processes than vulnerabilities in the National Vulnerability Database. Why do I say that? Try this exercise: ask a colleague who’s not in the security department how they would file a security exception at your company. I’d bet two dozen long johns that they wouldn’t even know how to start the process. And if you show them the form, I’d bet another dozen fraparapa coffee drinks they couldn’t figure out how to fill out the form without having to ask a bunch of questions and chase down someone from security who can help answer questions. So, what happens instead? Product teams just wait until the last minute (i.e. right before go-live) and then file the exception form. And now security is in a bind. I mean they can’t say “No, you didn’t follow the rules” and risk missing the go-live date. Not to mention security ends up looking like it’s just an impediment to the business. Instead, the security team scrambles to get the paperwork in place which no one thinks about afterwards and probably isn’t even being tracked or monitored on the business side. This is but one example (and one that most of us can identify with). But multiply that by the number of products and version launches at larger companies. How many security folks get pulled into these quagmires every week and spend the better part of their time dealing with something that should be automated in an online form? The other problem, technical debt, is a close cousin to WIP. There aren’t enough resources to replace legacy infrastructure. So, instead, the security team has to be vigilant and monitor it, as well as report on it annually and kick and scream. But it’s a never-ending problem. Technical debt used to be synonymous with XP or Windows 2000. Now it means Windows 2003—next, it’ll be Windows 2008 and so on. Of these two issues, WIP is in the hands of security (with the help of IT) to solve. There are two types of processes which security teams need to build and streamline: internal processes to the security team and processes that other parties outside of security need to follow. WIP can be reduced in both by identifying constraints and working with them. Just like in lean manufacturing, reduce batch sizes by reducing process steps into granular chunks and finding ways of bypassing the constraints. It’s really not hard, and doing so provides tangible results and measurable productivity increases. Better yet, more efficient processes mean that your senior staff can get more real work done, which should lead to longer tenures. It will allow your team to get more done without needing to hire a lot more people.
About the Author: Jeffrey Groman, CISSP, is the founder of Groman Consulting Group, dedicated to helping organizations identify and resolve their highest cybersecurity risks. Groman has worked in the security field for more than 20 years. As a cybersecurity consultant, he has guided major corporations, including banks, insurance companies, and software providers through risk prevention and rapid response to incidents and breaches. Groman is passionate about the field of cybersecurity and partnering with clients to find solutions to complex issues. His book “Avoid These 11 Pitfalls and Minimize the Pain of Your Next Data Breach” is designed to help organizations learn from his years of real-world experience. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
