This blog was written by Grant Bourzikas, previous CISO at McAfee.
Depending on whose study you believe, there is going to be a shortage of 1.5 million or more cybersecurity professionals in 2020. As McAfee re-emerged from Intel as an independent company, we have stood up our own fusion of converged physical and security operations center (SOC) functions in the past nine months. We have been very mindful of both the problem and the opportunity.
Working on building out our SOC capabilities, we’ve needed to hire analysts, advanced threat researchers, and engineers in short order. Then there has been the need to standardize the knowledge and approach to managing cyber threats for one of the world’s leading cybersecurity software companies.
So we have gone through a fairly intense period of training. Everyone has received 80 hours of online training, 40 hours of classroom training, and 40 hours of on-the-job training. We have also hired SOC staff from within our own professional service, engineering teams, and sales engineers.
But all of this can be undone quickly by the pressures of working in an intense, demanding 24/7 environment and by other companies making our people offers that they can’t refuse. McAfee just published a new study on this never-ending challenge, Winning the Game.
In this study of 950 cybersecurity professionals and managers in seven developed economy countries across the globe, we found that there are three clear factors with which organizations can win the game when it comes to cybersecurity. These are:
- Happy workers
- Playing more games
In organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours).
Similarly, automation is also a positive indicator for the ability of an organization to attract and retain top talent. Nearly one-third of respondents cite the opportunity to work with new technology such as automation, machine learning, and AI as a key factor that would attract them to a job and influence their decision to move.
And, there is a correlation between the use of gamification and happier cybersecurity staff. More than half (54 percent) of respondents who are extremely satisfied in their roles say they use “capture the flag” gaming once or more a year, compared to just 14 percent of those employees who are dissatisfied in their roles. (At McAfee, we run table-top exercises every two weeks, and red team exercises monthly.)
So what does this say for building a model for talent development and management that is sustainable for now and for the future?
I think of the staffing challenge as a series of waves that are constantly churning one upon the other. To ride these waves, we need to design talent programs that are nimble at inception.
At the beginning, we build strong teams with interns and new hires, focusing on investing in strategic talent. The objective is to invest in talent so the entire organization can be successful – IT/Engineering/SE/Sales/Support. Hopefully, some will stay in the company. This helps us to strengthen the enterprise by creating more security-aware teams, instilling a security culture that will carry across the business.
But it’s the middle range that is the challenge. As people become more skilled, they become more marketable, and turnover increases. To use a sports analogy: It’s easy to draft rookies. It’s easy to hold onto longtime veterans. It’s hard to keep free agents in a hot market. If you don’t have mid-level free agents, you have to either ask the rookies to play above their experience, or ask the veterans to do their old jobs. To mitigate the churn, we need to invest in talent we identify as strategic, knowing that some of them will go to other firms.
And from a talent management perspective, I think that it is vital to nurture the natural interests and passions that team members possess. We support this natural development process by providing assigned mentoring, outside reading, and outside vendor training. We encourage gaming, creative problem solving, curiosity, and collaboration. Additionally, everyone in the SOC is being required to develop specializations. This encourages a diverse domain of skills and expertise, which is vital to developing a sustainable model for security operations that can adapt as the threat landscape evolves.
As a chief information security officer, I think you have to recognize that this is always going to be an evolving, never-ending adaptation to meet the changing threat landscape and the dynamic flow of people in your organization. Cybersecurity isn’t just an industry; it’s a robust, active ecosystem. The threat landscape never stands still, and neither does the workforce.
A great summation of this comes from Bill Woods, our Director of Information Security for our converged physical and cyber security operations.
“You have to accept the fact that you are never going to have impenetrable systems. It’s always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you. It’s always going to be a battle. But that is what keeps the job interesting.”