Security Minor Leagues

I spend a decent amount of time with CISO-types, and inevitably there are a few topics of conversation that bubble to the top. Advanced attacks is on the list. Most organizations of scale are dealing with some type of advanced attacker and have lots of great stories about being compromised. Many struggle with mobility given that executives want everything on their iPads yesterday. And they all seem to struggle with staffing.

Yes, you read that correctly: Staffing is one of the top three issues that senior security professionals struggle with. To be fair, quite a few also struggle with getting adequate funding and resources, but even if they have budget and open headcount, they can't find the people. Since I don't know much, I ask folks where they get their best candidates. The answers are pretty consistent: internal, military, and IROCs.

The first place you should look is internally. You have great people who could very well be interested in moving over to security. Maybe they are sysadmins, help-desk staffers, or network engineers. They know technology, they've had some experience with security, and they know your organization. Don't minimize the importance of organizational IQ, since they won't have to figure out how to do expense reports or how to get something funded.

The military is also a great place to find security skills. Every first-world nation has both offensive and defensive capabilities. These folks have skills funded by your government. You have to love that. These folks are diligent, understand chain of command, are usually pretty bright, and don't wilt when you are under attack. The problem is, there aren't enough of them, and it's pretty competitive to hire them.

Finally, we have IROCs. That was the term we used back at META Group for new college grads (Idiots Right Out of College). With the increasing number of security programs at universities, we'll continue to see more graduates with security knowledge. But don't mistake knowledge for skills. These are still kids, and they don't have real-world experience. They are projects, so treat them as such. Some will make it, others won't.

But it's still not enough. So you'll need to grow your own. Basically you need to build a security farm team to provide the increasing number of skilled security folks over the next few years. That means internal training, it means taking on a bunch of interns and participating in engineering co-op programs, and it means taking a bunch of your time to grow and nurture the skills you need. And always remember, there is no crying in security.

If there is a way to support your local universities as they ramp up their security curriculum, then do that. I guest lecture at Kennesaw State every semester, and am happy to work with the professors there to refine the program with some real-world perspective. It's all in the name of making the students more useful when they get their first jobs.

But that doesn't solve your problem today, now does it? Depending on your location and wage scale, your job may be even harder. I remember getting out of school, and I took a job in a metropolitan area for less money. Obviously some security roles require on-site presence, so you may not have a choice. But you'd be much better off trying to design your workflows, teams, and job responsibilities within a remote context. With the collaboration technologies available, it's possible and a lot easier than getting a person to move to the middle of nowhere.

I guess there is another option. You could buddy up with security headhunters and have them drop a bunch of paper on your desk every time you have an open position. To be candid, you may have to do some of that for your very specialized position. But this isn't an answer either.

I'll leave you with one last bit of perspective. The top-performing CISOs I talk to take the human resources aspect of their jobs very seriously -- to the point of spending 10 to 15 percent of their time, if not more, to ensure they have adequate skills and resources to meet the commitments they make to the senior team and board of directors. That's another thing they don't tell you before you take the CISO job, now is it?

Mike Rothman is president of Securosis and author of The Pragmatic CSO