- Kevin Beaver, Principle Logic, LLC
What comes to mind when you think of information security? I'm guessing it's technical stuff like firewalls, passwords and encryption, and the incidents and breaches they help prevent. After all, these are the core security components that seem to get the most attention -- both positive and negative. They're a significant part of the equation, but these "solutions" aren't representative of a fully functional information security program.
Money is spent, classes are taken and metrics are measured on products. But that's not where the real security issues lie. For its defense efforts to be effective, organizations must have on staff persons with specific 'soft' skills for cybersecurity.
Many of the greater security challenges include things that no one discusses:
- weak leadership with limited buy-in;
- lack of financial support;
- business culture that fosters mediocrity;
- users making their own decisions; and
- technical staff unable to get their points across.
There are hundreds, likely thousands, of vendors with products and services that can fix every security challenge known to man. What we really have are people problems. Poor communication. Politics. Power struggles. And these missing skills for cybersecurity create the same challenges that every other aspect of the business faces.
What's different, and often why things don't get done in security, is the perception many people have of the field: that security is IT's problem to solve. This has led to the common issue of technical staff swooping in and attempting to control every aspect of security. Often, the right people aren't on board to make security decisions, management fails to see the value, users remain unsupportive and the cycle of security struggles continues.
What's needed to solve modern information security challenges is for IT and security professionals to focus less on the technical issues and more on the people issues. I think it's safe that say that 80% of an effective information security program involves people skills. Oddly enough, it seems that no one has ever taken a course in such skills for cybersecurity.
Taking a soft-skills approach to cybersecurity can pay more dividends in terms of security effectiveness than any technical skill ever will. This has been known for a while. Still, technical knowledge seems to trump everything. I've attended national and regional information security conferences that have sessions on security careers and the essential soft skills for cybersecurity success. They're not nearly as well attended as the sessions on cool and sexy topics like threat hunting, cryptocurrency and ransomware.
I'm not convinced there's an information security skills shortage -- at least not in the sense that technical skills are lacking. Technical skills are a dime a dozen. Tons of smart people in the field can solve technical problems. But technical problems aren't what's holding security back. It's the people, communication and business skills for cybersecurity that are lacking. Rather than blame management and users for security problems, technical professionals need to look in the mirror. That's where the challenges lie.
The only reasonable approach to minimizing the number of security incidents and breaches is to obtain -- and maintain -- the necessary support for ongoing security initiatives. This comes through developing emotional intelligence and studying things like becoming a better salesperson, improving presentation skills, fostering positive relationships in business and the like.
There's no magic solution, but I can assure you the answer is not more technical knowledge. It's focusing on soft skills. As with the "healthcare" industry, there are plenty of smart doctors and massive amounts of drugs to (presumably) solve all our problems. Yet type 2 diabetes, mental disorders and other seemingly unsolvable ailments are at all-time highs.
Be it healthcare or information security, we keep suffering because the symptoms are being treated -- or covered up -- rather than the causes. Your security program doesn't have to remain stagnant. Just know that you don't necessarily need more products, and you don't need more technical skills. You just need to determine where your blind spots are and vow to do what you know it will take to see it through. It starts and ends with you.