“There is a great deal to be said for the automation of information security, such as in GRC or even outsourcing, particularly in areas like SIEMs,” Starnes told CSO Online.
“This reduces the need for staff, particularly in large organizations where a 24/7/365 capability may be required. Also, with the outsourcing of SIEMs, you can utilize the cross skills, experience and the intelligence capabilities of the vendor. That must be weighed against the obvious downsides of outsourcing security capabilities.”
Quentyn Taylor, head of information security at Canon Europe, adds: “In the security space automation is the key. From the operational sphere to the investigative sphere, automation is what is needed to ensure that the response and action is timely enough to be effective. The key point is that for automation to be effective the staff themselves should be part of the design and implementation.”
Up-skill existing staff
Given both the skills shortage and the fact that most computer science students would likely rather build the next Facebook than, say, a next-gen firewall, CISOs and CSOs have limited options for where their next InfoSec professional will come from.
One suggestion is to up-skill existing employees who show a passion or aptitude for security.
“Develop and promote your internal staff,” says Starnes. “Create a work environment where they are happy and fulfilled. Keep their remuneration at a sustainable level. This will reduce your staff churn significantly. Recruit as you would normally and bring your new staff into this environment. You will always lose a few, but you will keep many of them and people will want to come work for you on their own.”
Honan adds: “I think this is an area often overlooked by many CISOs, to their own detriment. Too often the focus in security is on technical skills, yet security needs those with people skills, report writing, communication skills, and analysis skills. People with these skills can be a great asset for the security team and enable the CISO to extend their recruiting net into other industries.”
Taylor says: “We have all known that network and server ops staff can make superb InfoSec staff, however there are also other areas I suspect can be useful.
“If you think about what security awareness is at its core, it is communications. I believe staff from these areas would bring a totally new perspective to InfoSec. Many other areas also have relevant transferable skills that can add to InfoSec teams.”
Hire from other sectors
Security experts have long argued that information security is not just about the technology, and that the nitty-gritty technical details can be taught if personnel bring the right other skills and experience.