The information security skills gap may have become a huge issue for Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs), but there are a number of ways InfoSec teams can work around the shortage to protect their networks and stay ahead of the attackers.
When people think of outsourcing, they often think of outsourcing services. A company may, for example, choose to outsource its accounting, customer management, or recruitment.
However, it’s worth noting that you can also outsource talent, and this is a pertinent point for an understaffed and under-skilled security industry.
Most security teams are increasingly working with penetration testers, consultants and incident response (IR) experts, but this writer knows of at least one CISO, working at a major transportation company, whose own team is formed almost entirely of experienced contractors.
This may sound extreme, but there are numerous benefits to outsourcing your team. For starters, these personnel are usually highly experienced, with years in the industry, perhaps even within specific sectors, and they can hit the ground running from day one. As a result, there’s no need to train them up, and they earn lucrative salaries, so there’s little chance of them jumping ship.
Push work to other teams
Information security is a broad field which encompasses various other parts of the business. Brian Honan, managing director at BH Consulting and a cyber-security adviser at Europol, believes that CISOs should take advantage of this by pushing work elsewhere.
“The first thing CISOs should do is look at what alternatives there may be to alleviate the pressures on their areas,” Honan tells CSO Online.
“For example, some routine security tasks could be operationalized and given to other areas including the business, such as IT, compliance, or risk functions. Those tasks that can't be given to another team could be outsourced to external providers.”
Use automated technologies
One consequence of the lack of skilled personnel, and thus resources, is that companies often don’t see the threat from attackers until it’s too late. Data breaches are classic examples of security teams having little idea of what’s happening on their own networks, with reports suggesting that average breach detection times run into weeks rather than days.
A lot of this failure to detect and respond comes down to resources, poorly practiced incident response (IR) plans and weak log management.
However, all is not lost thanks to the rise of automated technology which simplifies the process of detecting and removing threats, whilst protecting key business assets.
Richard Starnes, CISO at the Kentucky Health Cooperative, believes that relying on SIEMs from vendors is a positive first step for automating security.