Talk given at the 2019 Cyber Security Summit
It’s a fact, there aren’t enough of us to go around. The unemployment rate is already at 0%, and the future looks bleak for people in need of information security talent. Luckily, the industry is filled with people and organizations willing and able to do something about it. In this session, Evan Francen, CEO and founder of FRSecure gives a look at what it takes to build a good security analyst from the ground up: the foundational skills necessary for someone to break into the security industry, how technical-focused employees and non-technical employees develop successfully within the security industry, and what roles and skills should a CISO have in all of this.
100%Safe delivery(+971558539980)Abortion pills for sale..dubai sharjah, abu d...
Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.
1. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
2. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
An honest look at challenges related to finding
and retaining information security talent
Evan Francen, CEO
FRSecure and SecurityStudio
3. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Introduction
• So,I’m told thatwe haveatalentshortageproblemin ourindustry.
• I don’ttrusteverything I hear, andneither shouldyou.
• Dowe actuallyhavea talentshortageproblem?
• Regardless,whatarewe going to doaboutit?
Beforewedivein,letme introducemyselfandwho Iworkfor.Don’tworry,there’snosalespitch.
4. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
5. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Me. I look better
as a cartoon.
6. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
UNSECURITY:Information SecurityIs Failing. Breaches Are Epidemic. How Can We Fix This Broken
Industry?
Chapter10:Too ManyFewExperts – Theinformationsecurityindustryisbrokenbecausewehavetoomany“experts”butnotenoughexperts.
7. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Just prepping you…
• I’m a binarythinker.
• Things Iappreciate:
– Logic.
– Simplicity.
– Truth.
If you like these things too,we’ll have fun here (andmaybe we should dosome worktogether too).
8. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Who I work for
FRSecure & Security Studio
This is best explained in adiagram…
9. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Who I work for
10. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Who I work for
I work here!
11. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
OK, nowlet’sdivein.
12. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Thesubtitle for this presentation is “An honest look at challenges related to finding
and retaining information security talent”.
• Thekeyword is “honest”, I think
• Otherimportant words are “finding”
and “retaining”.
13. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Honesty
• If youreadthenews, you’dthinkthatwe havenobodytodo securitywork,but is this true?
• Toanswerthe question,“Dowehaveatalentshortageproblem?”weneed toexaminefrom(at
least)threedifferentperspectives:
– Theindustryitself -We need talent.
– Thosewho are hiring -You need talent.
– Thosewho are seeking -You aretalent.
Who are you?
14. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• Security Magazine– TheCybersecurityTalent Gap = an IndustryCrisis
– Byone estimate,therewill be3.5million unfilledcybersecurityjobsby2021.
– Lackofqualifiedstaff.
– Using underskilled practitioners.
– Securitytool sprawl.
15. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• Security Boulevard – TheGreat CyberSecurityTalent Shortage Continues
• According toaNovember,2018ISACA study,more than1,500cybersecurityprofessionals:
– 69%cybersecurityteamsareunderstaffed.
– 58%haveunfilledcybersecuritypositions.
– 60%cybersecuritybudgetis underfunded
16. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• CSOonline –Thecybersecurityskills shortageis getting worse
• Morethan1/2oforganizationsreporta “problematicshortage”ofsecurityskills
17. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
18. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
It’snowonderourbusiness leaderswanttodothis.
19. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.
How badis it really?
• It’s bad, but youhavesome options (coming later).
• Everyoneinthis industryhas a motive, usually to sell yousomething.
– The3.5millionnumberwasfromCybersecurityVentures,theygetmorecoverageandmoreclicks fromsensationalnumbers.This was
apredictionONLY.
– TheISACAstudywasasurveyof“cybersecurityprofessionals”.
– Thescarytitle“The CybersecuritySkillShortageEpidemic” came fromDeepInstinctandtheysellstuff(endpointprotection, mobile
security,etc.)
20. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
• It’s hard tochangea whole industry.
• Focus on you and your area of influence.
• What weneed:
– Moreeducationeverywhere(home,school,work,etc.)
– Awarenessofthe opportunities
– Makementorshipeverywhere. What you can
do to help?
21. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• FRSecure’s CISSPMentor Program -https://frsecure.com/cissp-mentor-program/
• SANSMentor -https://www.sans.org/mentor/
• Start yourown “mentor program”
• Volunteersomewhere
• https://www.safeandsecureonline.org/s/volunteers
• https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community
22. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.
23. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.
So, we know we have a talent shortage
problem.
What does this mean to you if you’re in
the market for information security talent?
24. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
So, wehavea supply vs. demandissue.
• Demand is high, supply is low.
• This means you pay more,oneway oranother.
• Unless you havean unlimited budget, this means you better get it right, meaning:
– Youidentifytheright needs.
– Youget the right person (orpeople).
25. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.
26. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.
DO NOT:
• Hire just because you were
told you should.
• Hire just because others are.
• Copy a job description from
someone else.
27. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
Before you go there,
answer three questions
and write it down.
28. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
What you’ve written is
the start of your job
description.
29. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource
Each option has
pros and cons.
30. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#1- Buyyourtalent
• Pros
– Verifiable experience.
– Less wasted time/effort.
• Cons
– Expensive.
– Unlearning.
– More than you need.
If you buy talent,
culture fit must
be #1.
31. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#2- Buildyourtalent
• Pros
– Customfit.
– Loyalty.
– Cheaper.
• Cons
– Patience.
– They leave.
– Hard.
If you build talent,
take your time.
Support is key.
32. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#3- Outsource
• Pros
– Customfit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual
accountability.
2. Measurement is important.
3. Use someone who’s product
agnostic.
33. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#3- Outsource
• Pros
– Customfit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual
accountability.
2. Measurement is important.
3. Use someone who’s product
agnostic.
34. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource Whatever option you choose, choose
the option that’s best for you!
35. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.–Most commonproblems.
Do you fit oneormore of the following?
• Wrong motivations.
• Misaligned needs.
• Poorexpectations.
• Can’t afford talent.
• Good talent vs. not so good talent.
Go back to:
1. Why do I need someone in
the first place?
2. What needs will the
person/people serve
(specifically)?
3. What are my expectations?
36. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
Manyofourtalentseekersclaimthereisn'ta talentshortageproblem.
– They’re trying to get their 1st job in the industry and can’t.
– They’re very experienced and can’t get hired again.
– Expectations misalignment.
37. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
They’retryingtogettheir1st jobintheindustryandcan’t.
“YouWanttoGetintoSecurity”
Short(34 page), freee-book.
https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083
38. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
They’reveryexperiencedandcan’tgethiredagain.
• My heartgoes outtothesepeople.
– Ageism.
– Stuckin yourways. Open yourmind to new approaches while figuringout new ways to communicate
the fundamentals.
• Hire one ifyoucanget one.Thewisdom aloneis worthit.
39. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
Expectationsmisalignment.
• An educationexperience forall.
• Job seekers.
– Youmight not be worth as much as youthinkyouare.
– Takea cut, career path is moreimportant.
• Hiring people.
– Makesure youasking for what youreallyneed.
– All those letters look good, but do youreallyneed them all?
40. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.
Theshort eBook, five chapters:
1. Abundanceof Opportunity.
2. The RightPerson.
3. LandingYourFirst Job.
4. Becoming Good.
5. StayingHealthy. Read it. Share it. Give me
feedback. It’s free!
41. October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
That’sit!Thank you!
• Email: efrancen@frsecure.com
• @evanfrancen
• @FRSecure
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)