The Cyber Security Hub offers a wealth of content on enterprise security, including its many domains, from access controls to artificial intelligence (AI), to cloud computing and endpoint security. One relevant topic of late is the oft-covered “talent crisis,” and an overall lack of resources for security teams.
One way to combat that involves grassroots efforts to boost the ranks. But do security teams search for qualified, seasoned experts, and do they look for specialization or the proverbial “generalist” who can cover many corners of the cyber space? It is an ongoing debate in the industry, and today, we’ve brought together two security thought leaders to provide their take. We sat down with Kayne McGladrey, Co-Founder and Spokesperson, Include Security, and Rebecca Wynn, Head of Information Security and Data Protection Officer (DPO), Senior Director, Matrix Medical Network.
What follows is a Q&A on the subject matter expert (SME) question, occasionally using identity and access management (IAM) as a lens.
Cyber Security Hub: Cyber security, in a general sense, is understaffed. So should practitioners be well-versed across various domains?
Kayne McGladrey: By 2021 there will be more unfilled cyber security jobs than the total population of Iowa, and there are currently more job openings for CISSP certification holders than CISSPs. Cyber security job requirements are generally misunderstood by many hiring managers and HR professionals at organizations outside of the cyber security industry. Individuals working at 80% of commercial or public organizations that don’t make cyber security solutions should be well-rounded and hold a certification like the CISSP to show their competency across many domains. I recommend those working at the top 20% of public sector organizations and commercial firms pursue specialist skills and certifications as they’re likely to work in multidisciplinary teams.
Rebecca Wynn: I think the biggest issue around staffing in cyber security is actually finding people who truly have the passion and skills to be in the specialization. I see the lack of truly qualified applicants as a multi-faceted issue. Namely, there are too many colleges and universities out there handing out degrees if you pay them enough. This doesn't do society any good at all. Secondly, as far as certifications, the same is true. There are too many companies out there making money by teaching the tests, or people are downloading test dumps. Both of those are against the certifications' Code of Ethics, but people do it anyway. Security is so much more than that. I look for people who like puzzles, who are thinkers, and want to get to the root of the issue; (they’ll) have good communication skills, both oral and written, and they’re fast learners who can apply what they learn. It is more than just watching an episode of “Mr. Robot,” picking a lock, or reading a book. The teams I lead have the skills and I cross-train them across the domains. With machine learning, artificial intelligence and open source cross-correlated data, as the years go by, you’ll need thinkers on your team, not just bodies. The days of number of staff per number of IT personnel or other such measure are outdated. You need to be able to analyze data quickly and use outside partners like vendors to their fullest. There will be a shortage but the shortage is in the fact that schools and certifications are not teaching people how to do analysis and make wise decisions. Those skills along with critical thinking need to be emphasized.
CSHub: Will an enterprise get more productivity from a SME in a specific vertical, say IAM, or the generalist who can move between tasks?
McGladrey: It depends on the size and composition of the team, and that the enterprise has realistic expectations. Time is the limiting factor for cyber security roles. At a smaller firm, it’s workable for an individual or small team to handle many of the day-to-day tasks associated with cyber security, such as threat analysis, investigations, configuration management, end-user training and more. Organizations with high-value assets, a lower tolerance for risk, or in industries targeted by advanced persistent threats will need to plan on higher staffing levels with specialized roles inside the team. Mandatory scheduled job rotation is a best practice for larger organizations so that individual contributors don’t get bored or stop following best practices by getting overly comfortable. If a team member knows someone else will inherit their work in three months, they’re very likely to follow the defined procedures, particularly if job rotation is tied to their variable compensation.
Wynn: I myself am known for being a polymath. Being only good at one thing really limits you. Organizations are agile and quickly being acquired (or acquiring others). The more skillsets that you have at a very high, professional level the better off you are, and the company (will be better for it). I am a constant learner. That is what I recommend to all.
CSHub: In what way is the enterprise moving, overall: Is it shying away from SMEs or generalists? Are hiring managers searching for degrees and certs? Or is there a larger disconnect between CISOs and HR, etc.?
McGladrey: The data at CyberSeek.org shows that there is a disconnect between the most common certifications held by practitioners versus what HR professionals are posting in job listings. This is particularly true for the top-ranked CISSP, CISA and CISM certifications, where there are fewer certification holders than jobs available. This may be caused by a disconnect in understanding between executives and HR, where HR professionals are adding these top-tier certifications as job requirements because someone has asked them to “hire the best.” Some of the worst examples are found in entry-level cyber security job postings that specify the applicant must hold a CISSP, which takes a minimum of five years of cumulative work experience verified by one or more peers. These job postings are a catch-22: entry-level applicants cannot get five years of experience without a CISSP, and people cannot apply for a CISSP without five years of experience. Hence the jobs go unfilled, leading to the perception that there aren’t enough cyber security professionals to go around.
Wynn: Because of the watering down of certifications, most companies are starting to look at true years of experience over certifications. Just because someone has a CISSP doesn't mean that they have technical know-how and can implement a solution. I see resumes all the time where people were help desk support for three months and then went to a training school and took and passed CompTIA's A+, Network+, and Security+ over the next six months. Yes, they showed initiative, but they have no real experience in the field. I can ask them practical application questions all day long and they can seldom answer one. No, I do not hire those people. It would be better to completely focus on your job and learn everything that you possibly can over those first several years. You would be better served. I have never hired anyone just because they had a certification. At the end of the day, my team has to get the work done. As far as HR goes, they really struggle with understanding that security is a specialty. They do their best but you really need to spend the time and effort to train the HR recruiters on how to recruit for the team you want. Yes, they do get it wrong. That is why you should look at at least a sampling of the resumes they reject. I have found many times they had rejected the candidates that I wanted to interview and passed to me the ones I wouldn't want. You have to train them up, and encourage them, like you would any other team member.
CSHub: In a hypothetical scenario, you’re tasked with hiring out a new SOC position in a large enterprise. You have resumes from candidates with bachelor’s and master’s degrees, plus certs. You also have inquiries from a handful of candidates who have directly overseen IAM/UBA controls for an organization. How would you go about evaluating them?
McGladrey: My initial evaluation criteria would be to find those resumes for individuals who hold vendor certifications in the technologies in use at the SOC. While this amounts to an initial round of buzzword bingo, a SOC position is a hands-on position that requires the use of specialist tools and solutions. Of those candidates with relevant vendor certifications, I’d then look for military service, based on my overwhelmingly positive experiences in hiring and employing veterans. The language and terms used when interviewing veterans differ from the terminology used when interviewing someone with a commercial or public-sector background, and I like to be prepared as an interviewer.
I use a modified version of TopGrading when interviewing candidates, described in the book “Who” by Geoff Smart and Randy Street. I’d proceed with the rest of my normal hiring process if there are candidates who pass my five-question screening interview. If there were no candidates after the screening calls I’d expand my search to include individuals with generalist certifications that would be useful in the SOC, such as auditing, penetration testing and ethical hacking.
Wynn: I start off by looking at the past positions: if someone jumps from one position to the next, to the next, to the next, I am not going to hire them regardless of their background. It takes too much time, effort and expense to hire someone who jumps companies every nine to 15 months. When looking at the companies, I really look at who they are. That includes: how long they had been in business, the size of the company and so forth. You can have inflated titles because a person worked for a company they created and collapsed many times over. I have seen that too many times. I had an HR person tell me one time that 90% of people materially lie on their resume. I won't hire you if you do. If you are going to be on my team, I need to be able to trust your word. Having a degree from a well-known school – not a diploma mill – does hold weight with me. It means that the person was exposed to many different (perspectives) and ways of seeing things; most times that means they are used to adapting quickly. Now, if someone was doing the specific position that I was hiring, and did well on my technical interviews and practicals, and had no college degree, they would not be ruled out. After six years or so of solid performance, a degree doesn't matter. So, in summary, solid proven experience trumps a degree or certification.