Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.

October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn

Tackling the talent shortage problem
An honest look at challenges related to finding
and retaining information security talent
Evan Francen, CEO
FRSecure and SecurityStudio

Introduction
• So,I’m told thatwe haveatalentshortageproblemin ourindustry.
• I don’ttrusteverything I hear, andneither shouldyou.
• Dowe actuallyhavea talentshortageproblem?
• Regardless,whatarewe going to doaboutit?
Beforewedivein,letme introducemyselfandwho Iworkfor.Don’tworry,there’snosalespitch.

ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)

Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Me. I look better
as a cartoon.

UNSECURITY:Information SecurityIs Failing. Breaches Are Epidemic. How Can We Fix This Broken
Industry?
Chapter10:Too ManyFewExperts – Theinformationsecurityindustryisbrokenbecausewehavetoomany“experts”butnotenoughexperts.

Just prepping you…
• I’m a binarythinker.
• Things Iappreciate:
– Logic.
– Simplicity.
– Truth.
If you like these things too,we’ll have fun here (andmaybe we should dosome worktogether too).

Who I work for
FRSecure & Security Studio
This is best explained in adiagram…

Who I work for

Who I work for
I work here!

OK, nowlet’sdivein.

Thesubtitle for this presentation is “An honest look at challenges related to finding
and retaining information security talent”.
• Thekeyword is “honest”, I think
• Otherimportant words are “finding”
and “retaining”.

Honesty
• If youreadthenews, you’dthinkthatwe havenobodytodo securitywork,but is this true?
• Toanswerthe question,“Dowehaveatalentshortageproblem?”weneed toexaminefrom(at
least)threedifferentperspectives:
– Theindustryitself -We need talent.
– Thosewho are hiring -You need talent.
– Thosewho are seeking -You aretalent.
Who are you?

We needtalent.–Theproblem(s)
• Security Magazine– TheCybersecurityTalent Gap = an IndustryCrisis
– Byone estimate,therewill be3.5million unfilledcybersecurityjobsby2021.
– Lackofqualifiedstaff.
– Using underskilled practitioners.
– Securitytool sprawl.

• Security Boulevard – TheGreat CyberSecurityTalent Shortage Continues
• According toaNovember,2018ISACA study,more than1,500cybersecurityprofessionals:
– 69%cybersecurityteamsareunderstaffed.
– 58%haveunfilledcybersecuritypositions.
– 60%cybersecuritybudgetis underfunded

• CSOonline –Thecybersecurityskills shortageis getting worse
• Morethan1/2oforganizationsreporta “problematicshortage”ofsecurityskills

It’snowonderourbusiness leaderswanttodothis.

We needtalent.
How badis it really?
• It’s bad, but youhavesome options (coming later).
• Everyoneinthis industryhas a motive, usually to sell yousomething.
– The3.5millionnumberwasfromCybersecurityVentures,theygetmorecoverageandmoreclicks fromsensationalnumbers.This was
apredictionONLY.
– TheISACAstudywasasurveyof“cybersecurityprofessionals”.
– Thescarytitle“The CybersecuritySkillShortageEpidemic” came fromDeepInstinctandtheysellstuff(endpointprotection, mobile
security,etc.)

We needtalent.–Youcan help.
• It’s hard tochangea whole industry.
• Focus on you and your area of influence.
• What weneed:
– Moreeducationeverywhere(home,school,work,etc.)
– Awarenessofthe opportunities
– Makementorshipeverywhere. What you can
do to help?

Someideas:
• FRSecure’s CISSPMentor Program -https://frsecure.com/cissp-mentor-program/
• SANSMentor -https://www.sans.org/mentor/
• Start yourown “mentor program”
• Volunteersomewhere
• https://www.safeandsecureonline.org/s/volunteers
• https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community

Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.

Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.
So, we know we have a talent shortage
problem.
What does this mean to you if you’re in
the market for information security talent?

Youneedtalent.Whatdoesthismean toyou?
So, wehavea supply vs. demandissue.
• Demand is high, supply is low.
• This means you pay more,oneway oranother.
• Unless you havean unlimited budget, this means you better get it right, meaning:
– Youidentifytheright needs.
– Youget the right person (orpeople).

Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.

Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.
DO NOT:
• Hire just because you were
told you should.
• Hire just because others are.
• Copy a job description from
someone else.

OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
Before you go there,
answer three questions
and write it down.

OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
What you’ve written is
the start of your job
description.

Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource
Each option has
pros and cons.

Option#1- Buyyourtalent
• Pros
– Verifiable experience.
– Less wasted time/effort.
• Cons
– Expensive.
– Unlearning.
– More than you need.
If you buy talent,
culture fit must
be #1.

Option#2- Buildyourtalent
• Pros
– Customfit.
– Loyalty.
– Cheaper.
• Cons
– Patience.
– They leave.
– Hard.
If you build talent,
take your time.
Support is key.

Option#3- Outsource
• Pros
– Customfit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual
accountability.
2. Measurement is important.
3. Use someone who’s product
agnostic.

Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource Whatever option you choose, choose
the option that’s best for you!

Youneedtalent.–Most commonproblems.
Do you fit oneormore of the following?
• Wrong motivations.
• Misaligned needs.
• Poorexpectations.
• Can’t afford talent.
• Good talent vs. not so good talent.
Go back to:
1. Why do I need someone in
the first place?
2. What needs will the
person/people serve
(specifically)?
3. What are my expectations?

Youare talent.Keepat it.
Manyofourtalentseekersclaimthereisn'ta talentshortageproblem.
– They’re trying to get their 1st job in the industry and can’t.
– They’re very experienced and can’t get hired again.
– Expectations misalignment.

They’retryingtogettheir1st jobintheindustryandcan’t.
“YouWanttoGetintoSecurity”
Short(34 page), freee-book.
https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083

They’reveryexperiencedandcan’tgethiredagain.
• My heartgoes outtothesepeople.
– Ageism.
– Stuckin yourways. Open yourmind to new approaches while figuringout new ways to communicate
the fundamentals.
• Hire one ifyoucanget one.Thewisdom aloneis worthit.

Expectationsmisalignment.
• An educationexperience forall.
• Job seekers.
– Youmight not be worth as much as youthinkyouare.
– Takea cut, career path is moreimportant.
• Hiring people.
– Makesure youasking for what youreallyneed.
– All those letters look good, but do youreallyneed them all?

Youare talent.
Theshort eBook, five chapters:
1. Abundanceof Opportunity.
2. The RightPerson.
3. LandingYourFirst Job.
4. Becoming Good.
5. StayingHealthy. Read it. Share it. Give me
feedback. It’s free!

That’sit!Thank you!
• Email: efrancen@frsecure.com
• @evanfrancen
• @FRSecure
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)

Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Mehr von Evan Francen

Mehr von Evan Francen (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (6)

Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.