Whether it’s hiring new staff or up-leveling internal staff, companies have had to get creative in order to deal with the challenges of the skills gap. To understand the different ways that companies have tried to respond to the talent shortage, Steve Moore, chief security strategist at Exabeam talked with industry experts at Spotlight18 in Las Vegas.
One solution is, "Red team/blue team exercises and testing internally to make sure we are keeping staff on their toes,” said Ray Johnston, CISO at Inspire Brands. While internal efforts to keep current team members abreast of the newest threats are fruitful, it’s also important to build relationships outside of the organization.
“We have established relationships with Army cyber defense and National Guard cyber defense units, and we’ve been able to pull from that resource pool,” Johnston said. Through such partnerships, companies can tap into a wide pool of candidates, which includes highly skilled people coming off of active duty.
“Also, we have been establishing relationships with local universities,” Johnston said. Partnering not only with local universities but with existing partners can also open doors of opportunity. Still, many of those existing partners are also confronting staffing issues, which is why another part of the solution is growing people from inside the company with mentors and interns. Additionally, there are organizations such as CyberPatriot that enable experts to mentor younger students and introduce them to the career opportunities available in cybersecurity.
Training is one area where many organizations fall behind, and Moore emphasized the importance of making sure the people in the SOC know what they are protecting in terms of the business they are dealing with, the key risks and where the jewels are.
Given that IT as a whole and security in particular are challenged with constrained staffing and budgetary resources, “The single best advice, is to make sure that your strategy for the SOC is aligned with risk,” said Andrew Wild, CISO at QTS. “Look at the limited resources you have, and make sure those align with the risks you think your organization is facing so that you can explain how they have been appropriately allocated.”
Another creative measure companies can take is to invest in new technologies that allow for security capabilities to be put into the hands of lesser-skilled people across the organization. “We have human resources departments that have started using Exabeam themselves. Even though they have never used a security technology, they can monitor user activity. This is really useful, especially if they know they are soon going to go through a reduction in force (RIF),” said Tony Kolish, EVP customer success at Exabeam.
“Monitoring user behavior in advance of a RIF can flag any anomalies so that other departments – such as HR and legal – can detect if something odd is happening. Then they can push that forward to the security team as something worth investigating.”