So we were interested in the Lack of Skilled Personnel article in Infosecurity Magazine, which cited the DomainTools’ 2015 Analytics and Intelligence Survey. The report contains a lot of useful information and is definitely worth reviewing to assess how your organization views itself and which areas you need to address.
Two areas of the survey caught my eye – “Dearth of Skills” (page 13) and “Centralizing and Prioritizing” (page 14). We want to talk about the first one now and then Centralizing and Prioritizing in a future blog because it’s just as important.
Dearth of Skills – the numbers are out there. Security professionals are in high demand and job growth is through the roof. These are good things, but as the survey points out, there is an identifiable skills gap. Companies are not finding the right individuals for the jobs they need filled. This puts them in a bind. They cannot simply set job requirements at the highest skill level and expect to find that person every time. They have to accept some risk on some positions, or risk leaving the position unfilled, which creates another risk in and of itself. Obviously, in some key positions we need to hold to the highest standard, but there is also a widespread misunderstanding of the business’s own role in closing that gap.
When it comes to training, companies need to train and develop their personnel above and beyond the baseline training; they need to invest in their people. We can only expect our universities and technical schools to prepare our new hires with certain skills, the baseline skills. Organizations need to take them to the next step and build upon that training through on-the-job training (OJT), additional schooling, and the all-important counseling and mentorship.
The obvious fear in doing this is that companies invest in people and then those investments walk out the door to a competitor who pays better or offers better benefits. That is a legitimate fear, but it should not prevent you from doing the right thing. There are also ways to counter it. For example, the military is well known for adding years to a service contract in exchange for additional skills training. Overall, the benefit of investing in your people will far exceed the fear of loss. And if you have the right climate and culture, you may wind up keeping the best and the brightest anyway. There will always be people who leave for other opportunities.
So what’s a good model to pursue? How do you invest in people? We will take for granted that a positive climate and culture is already in place, because no matter how much training is done, it will very rarely overcome a toxic environment.
The PSG Training Model follows three simple aspects of training – Baseline, Reinforcement, and Enhancement.
Baseline Training. Your baseline training is directed at security professionals; this is training you should expect your employees to have. It may differ for each position, but ultimately it should revolve around certain key courses and credentials. Some employees will come to your organization with these courses already completed; others will lack courses you want them to have in order to do the job in accordance with your company policy. If that’s the case, you may need to decide whether to pay for a prospective employee to attend these courses. They may have all the right attributes you are looking for but not the training you need, and in that case it may make sense to provide it for the employee.
Baseline training also includes regular team training. Your organization cannot assume credentialed or trained employees are trained to your standard. You have to integrate them into your way of doing business. During these sessions you may review internal processes and procedures, hold discussions on the latest threats and analysis, identify or review ways to handle remediation and reporting, or cover any other area that you prioritize. You may decide to bring in a guest speaker, or hold an off-site and set team goals and objectives. This is your time, and it is integral to team and individual employee development. It needs to be dedicated training time on a schedule.
Baseline training is different from the baseline security refreshers that we have talked about in previous blogs and that are needed company-wide. The purpose of that training is to increase security awareness and baseline education; everyone in the organization needs it. Please don’t confuse the two when planning and resourcing your baseline training.
Reinforcement Training. This builds upon your Baseline Training. Skills diminish over time, even though we don’t want to admit it, and new tactics and techniques are being developed every day to counter the latest threats. It behooves everyone to review their baseline training and reinforce it. Organizations can do this in several ways – have employees keep up with their certifications; bring in external agencies to train the entire security section on a particular course; or conduct a professional development seminar focused on a particular skill set.
The obstacle that comes up with reinforcement training is the belief that one already knows it all and keeps up with the latest trends on one’s own. Additionally, many credentialing bodies do this through their own re-certification process. If they do, great. However, we want organizations to consider courses that are outside the norm. Get a fresh approach. It’s important to stay certified – that has to happen – but it’s also important to consider other views. Ultimately, this will add to the discussion and can help guide and lead the training.
Enhancement Training. This is perhaps the most exciting element of the PSG training model. But it takes work. It takes a critical review and evaluation of your security team and organization. What does your company or team want to be, and what does it need in order to get there? What is your security policy, and how do you achieve it? What tools and skills do you need to implement your policies? What tools do you not have but think would enhance your security posture? Identify the gaps in your current training and target ways to get trained. This is where the team can come together, do an honest 360-degree assessment of itself, and push itself. This can not only help you protect your organization better, but push you to really achieve your full potential. Maybe you develop the missing layer of protection that your organization desperately needs.
The danger here is listing courses and opportunities that are beyond your organization’s resources. That’s OK. Through your assessment you can identify the gaps and then present solutions to your organization’s leadership. At a minimum, you alert them to the issues and identify solutions. Perhaps there isn’t money now, but they may plan for it in the future. As good stewards of your organization’s finances, look for low-cost solutions as well; they might not be as good, but they can help in the near term.
When a company says that it doesn’t have the right people for the job, our first inclination should be to look within. What type of climate or culture are you fostering? How are you enabling your people? How are you keeping your skills fresh, and how are you developing an organization that pushes itself to know and be better?