We take it as gospel that we have a skills gap in cybersecurity. In fact, the narrative across most of the industry is that you need tools and you need automation because there aren’t enough people to do the work.
And we believe it. But what if that’s not actually the case?
Let me play devil’s advocate for a bit here. I know of quite a few entry-level security folks that are having trouble getting jobs. Now, these are young folks, so maybe their expectations are a bit wacky in terms of compensation or perks or culture but, all the same, if we had such a severe cybersecurity skills gap, wouldn’t the market normalize the additional salary and perks to hire anyone? Is it about the bodies or getting the right bodies? Are we in a position to be picky?
Maybe that’s it. A lot of the entry-level folks aren’t very good at security. How can they be? Security is hard. You need to know a lot of stuff about a lot of stuff, and it’s not the kind of knowledge you really get in a classroom. To be clear, a cybersecurity curriculum provides a great foundation for security professionals, but you don’t really learn until you are screwing it up for real in a live-fire environment.
What if everyone likes to bitch about how we can’t find enough people because they want to cover their asses regarding the reality that most security teams don’t perform very well? Is the industry just diverting attention away from our abysmal outcomes by blaming it on the lack of people? Is this security’s Wizard of Oz moment?
Let’s talk about the folks that should have the most acute problem: The MSSPs or MDR (managed detection and response) companies. These companies can’t grow without people, and they’ve raised capital at valuations that promise that they’ll be growing quickly for many years. How are they addressing this problem?
MDR companies are growing their staff internally. They invest in automation, threat intelligence and supporting technologies that help entry-level security practitioners to become productive faster. They send these n00bs to training and they put guardrails around them to make sure they don’t screw up (too badly).
Maybe that’s the answer. There are enough practitioners, but they don’t have the right skills. The raw materials are available, but we may not want to make the commitment to develop them into workable security staff. So your choice breaks down to either bitching about not having enough staff or getting to work developing your junior staffers.
Now, I may be wrong—t wouldn’t be the first time and it won’t be the last. We may not have enough practitioners to get the work done, but I think we’re focusing too much on what we can’t do and not enough on what we can by making an investment in our people.
The Great Resignation is sweeping the world, and the causes and impacts are still being analyzed. Texas A&M University professor Anthony Klotz coined the term, predicting an unusual rise in voluntary resignations as employees anticipated the global pandemic coming to end and life returning to normal. Many employees stayed longer in roles because they were uncertain of the future during the pandemic, while frontline workers experienced an elevated level of burnout due to increased stress. Workers in all industries are looking for new opportunities and leaving past roles behind.
IT and security staff are resigning too, feeling increased stress from managing more remote employees, a rapid transition to the cloud that didn’t allow time for them to gain cloud expertise before making the leap, and a rise in cyberattacks globally. Finding and retaining security talent is an ongoing challenge, one that exposes organizations to increased risk because there simply aren’t enough security experts available.
Most employees, certainly in technology companies but in other industries as well, are required to undergo security training and sign non-disclosure agreements (NDAs) when they join a company. That’s frequently the last time they consider security training, how they use personal devices for company communications and data, and what data belongs to the company and what data they’re permitted to share externally or take with them when they leave. Much of this information is only communicated in an NDA, a document that’s rarely read carefully or reviewed regularly. This may result in reduced adherence to security rules and practices — and, consequently, data losses. Some disgruntled employees may even be tempted to disclose sensitive information or leave security holes to allow them to access the company’s IT infrastructure after departure.
All employees have access to secrets, whether that’s a product strategy document, internal lists of sales prospects or customers, or other internal communications or presentations that aren’t intended for external consumption. Security and engineering teams have access to many internal systems, passwords, and secrets. When many employees leave an organization in a brief period, risks increase because there are so many things to take care of for so many people at the same time.
How to ensure employees, especially security staff, are off-boarded appropriately
Off-boarding employees can pose challenges for any organization. In the past year, data exfiltration incidents increased due to employees taking data, systems access, or both with them when they exit. This is when organizations can refer to their onboarding plan to create a successful off-boarding plan, one that includes people, process, and technology.
Rather than taking a reactive approach to employees leaving the company, embrace a readiness-mindset and prepare for departures in advance. To do that, here are essential steps to take so that you’re ready for employee departures:
Nurture the culture in your organization. This isn’t something you start when your employee gives their notice — it’s something they’re part of from the moment they join your team. Having good interpersonal relationships, sharing values, and identifying and handling personnel issues quickly and appropriately will help you keep your employees and turn them into advocates for your company after they leave. They’ll refer candidates to you, become mentors or contributors in another capacity, or even return for another role in the future. Having a positive relationship makes employees far less likely to pose a threat to your security profile.
Conduct an exit interview through Human Resources to get honest feedback from your employees. When employees are ready to move on to a new opportunity, take the time to ask them for suggestions, learn about problem areas, and build bridges for future relationships even after departure. Whether they’re leaving for a promotion, more flexibility, or because they’re ready to retire, their input can still influence HR decisions around benefits and culture.
Create a knowledge transfer plan. Don’t wait until their last day to find out all the unique knowledge your employees hold. Most of that information probably isn’t in the job description, so documenting it (and having departing employees train your new hires, if possible) will help new employees become productive more quickly.
Review the materials signed during onboarding and security training. Many employees have no idea that the data they take with them increases the security risks for their organizations. Make sure that the person reviewing it with them understands these issues and can communicate them effectively.
Collect company assets. This includes office keys, key cards, laptops, cell phones, badges, corporate credit cards, and any other physical devices that you want returned. Keep a list and track all company assets that you’ve given employees to make sure you get these assets before they leave the building. If employees are keeping an asset, such as a laptop or cell phone, ensure that the data stored on it meets your requirements for employee data retention. For personal devices, former employees need to delete company apps and accounts.
Don’t forget digital access. Whether it’s access to a GitHub repository, Jira, Confluence, the company’s social media accounts, company email and workplace communication platforms, or anything in between, make sure that access ends when employment ends. This helps you make sure that the right people have access even after the employee leaves and reduces the likelihood of you needing to contact them to resolve something when it’s no longer their responsibility. Off-boarding should also include deleting data belonging to former employees and any cloud accounts tied to those employees.
Use single sign-on (SSO) and authentication tools. These technologies can help you manage access in as few places as possible, simplifying your tasks as employees leave. For engineering and security employees, make sure your team doesn’t hard code secrets or embed credentials in code. It’s poor security practice at any time and will allow access even after employees have departed and all other access has been disabled.
Successfully off-boarding security staff introduces some added considerations. While the preceding steps are still critical, security staff have increased access and knowledge when it comes to your systems and infrastructure. Once again, people, process, and technology all play a role. Monitor and audit access to sensitive corporate data, particularly noting whether they’re being accessed by computers or IP addresses outside of the corporate network. Former employees also still have relationships with current staff, so flag and investigate unusual activity there as well.
Adopting a zero-trust framework will help you protect resources even when critical security staff members leave the organization. Putting clear and easily repeatable processes in place can also help you reduce security risks due to departing staff, such as turning off email access but automatically forwarding all email and voicemail to a supervisor so that nothing gets missed. Your process should also include rolling any secrets they have access to promptly, rotating access, and removing their accounts from every system.
hiring and retaining the best talent has quickly become a top priority for most organizations today. In the cybersecurity industry, which faces an immense skills shortage, this is especially true. In fact, according to CompTIA and Cyber Seek, a job-tracking database from the U.S. Commerce Department, there are nearly 500,000 open positions in cybersecurity nationwide as of Q2 2021, which makes hiring the right candidate for a technical role in IT security like finding a needle in a haystack. As a result, it’s never been more important to attract and develop employees in cybersecurity – and here are a few best practices for doing so.
Every employee and organization are different. Even in an industry with a talent deficit, employee/employer culture needs to be symbiotic. What an employee and an employer are looking for must be aligned and when it is, the opportunities are endless.
