We frequently hear about the cyber security talent shortage and technical skills gap. According to the ISACA “State of Cybersecurity 2018: Part 1: Workforce Development” study, lack of technical skills ranked as one of the top two challenges for security professionals and managers. Often, though, it’s easy to overlook or underestimate non-technical challenges. This can include competition for organizational resources – whether budget or headcount or both – and misaligned technical talent. It’s important to consider these areas too, because they can have a big impact on your overall security program.
In today’s blog, we’ll discuss some ways to close these gaps by maximizing resources you already have. After conducting many third-party cyber security assessments, I can tell you firsthand that reallocating resources and realigning existing staff are the most common recommendations we make to solve these problems. Here are four real-life scenarios that illustrate how you can make the case to shift resources and better align technical skills.
Case #1: The Employee Who Focused Too Much on Policy
Organization A had a highly qualified, experienced, and certified cyber security professional on staff. Since the organization had competing priorities, though, they shifted her from more technical tasks to focus on strategy and policy.
She performed wonderfully, and her policy work helped the organization reduce their overall cyber risk. Given her high-visibility role, she got drawn further into IT governance, with involvement in configuration management and other working groups. However, this left her very little time to supervise or perform technical tasks.
During our assessment of Organization A, we discovered, not surprisingly, that the employee’s department was unhappy that she was getting pulled in different directions. This was a clear example of competition for resources. Our recommendation to management was to either define her job role more narrowly and push back against significant use of her time outside it, or to hire someone to take on the technical tasks and move her into the policy role full time.
Case #2: Reprioritizing Staff Resources
Organization B had a public-facing retail website for registration and payment transactions. While customer service was a priority, leadership was looking for new ways to enable staff to spend more time on information security.
After we completed our assessment, the organization wanted to reassign some of their team to tackle specific risks we’d uncovered. They knew that the most common help desk request was password resets. To free up resources, Organization B increased the number of unsuccessful log-in attempts allowed before an account was locked. This small but significant change greatly reduced the number of help desk tickets and enabled existing staff to focus on more critical work. Rather than lobbying to add new headcount, they looked at practical, cost-effective options to give their existing staff time to work on other projects.
Case #3: Justifying a Budget Increase
Assessments are critical to get an objective analysis of your security environment. They can also help you make the business case for additional budget. The emphasis that corporate governance places on cyber and information security varies by organization. Sometimes, cyber and information security roles may report to other department heads or executives instead of a dedicated security team or chief information security officer (CISO). In these cases, competition for budget and resources can be especially fierce.
For instance, after one assessment, departments from Organization C used the recommendations from our report to create a business case for increased budget. We essentially took care of all the research and writing for them and they were able to use language directly from the assessment to support their request. Armed with detailed findings, organizations can make a better argument for more funding or even creating a dedicated information security department if they don’t already have one.
Case #4: Future Work Plans for Existing IT Personnel
Organization D was in the final stages of transitioning server and application hosting to a service provider within the umbrella of their organization while we were conducting an assessment. Naturally, we reviewed all documentation concerning the transfer.
After Organization D had completed most of the transition tasks, one big question remained: what would the staff who helped with the transition work on next? No one had outlined this as part of the overall project plan, so it was an urgent issue.
During our assessment review with the client, we discussed how they could use their existing IT staff for future projects. As a result, Organization D was quickly able to make detailed future work plans for the existing IT personnel involved in the transfer project.
Summary
As you look at how to tackle gaps like these, there are some tools and processes that can help you get organized. A responsible, accountable, consulted, and informed (RACI) matrix is one way for your organization to assign and supervise tasks and business processes. These four functions are also the four roles that stakeholders can play in any project. If you view multiple RACI matrices in aggregate, the overlaps and gaps quickly become obvious. Completing the RACI matrix is also largely a non-technical task. While complex tasks must be examined in technical detail, much of the work of creating the matrix can be delegated.
Managers will always need to hire, train, promote, and replace cyber security professionals. Hopefully, by following the tips in this blog and adopting the RACI matrix, they can also protect, allocate, and maximize the existing staff they have.
If you’re an organization looking for additional security staffing and resources, you may want to consider a managed security approach. Moreover, if you’re a managed services provider (MSP) looking to add managed security capabilities, turning to a managed security services partner (MSSP) can help you overcome the lack of in-house technical skills. View our on-demand webinar, “Build a Managed Service Dream Team: Why MSPs and MSSPs Need to Join Forces,” to learn more.