Published in Cloud Security

Dealing With A Cybersecurity Talent Shortage

How to improve your cybersecurity posture with limited resources

Are you facing a cybersecurity talent shortage? There are many things you can do to improve your cybersecurity posture and protect your organization, even if you cannot afford a CISO or a large cybersecurity team. Here are some ideas to help you with your cybersecurity efforts.

Train existing staff

I’m a big believer that smart people can learn to do jobs they are not doing now. I’m going to explain how you can supplement training existing staff with additional resources. But if you have existing staff who are eager to learn, offer them training and guidance to help out or move to your cybersecurity team. Here are some things you can do to provide training to existing staff:

  • Send staff to traditional cybersecurity training. I’m not talking about security awareness training or OWASP top 10 training, but rather security training that teaches them about governance, risk management, compliance, vulnerability management, network security, monitoring logs, and other aspects of cybersecurity. This type of training goes far beyond basic application security or telling people not to click on phishing links.
  • Start holding lunch and learn sessions with your existing cybersecurity team. You may find people who have an interest and knack for cybersecurity. You could start leveraging skills across departments or move them to the security team.
  • Train software QA team members to seek out cybersecurity flaws in applications as well as functional flaws. I’ve heard some people say QA professionals cannot be penetration testers. They may not have the advanced knowledge of penetration testers, but they can certainly run tools that find basic application security flaws and misconfigurations.
  • Train your help desk professionals to monitor cybersecurity logs and perform threat hunting when they have downtime. Help desk members can also be instrumental in spotting unusual activity that is indicative of a data breach. A security-aware person spotted the unusual phone request that uncovered the SolarWinds hack.
  • When you hire a firm to perform a penetration test or security assessment, make sure they explain findings well enough that your team can understand them, learn from the experience, and prevent the same security problems going forward. If you hire 2nd Sight Lab, you get a developer-friendly report because I was a developer. I also answer questions about the report after the fact to clarify what the team needs to fix the problem now and in the future. The right penetration test or security assessment can help teams obtain cybersecurity skills.

Leverage an external incident response company

If you do not have the time and money to hire or properly train your staff to perform all the steps required for incident response, establish a relationship with a company that can do that for you. Some companies specialize in this area. Hopefully, you are not dealing with security incidents that require high-level skills every day. You could set up an ongoing relationship with a company that you call on an as-needed basis and supplement with basic incident response training for in-house staff.

This external company will likely be able to work with and train your team on how to handle an incident internally until the point where the experts take over. Ensure your staff knows how to properly handle evidence to maintain chain of custody and doesn’t shut down systems or destroy evidence. The company you hire should be able to help train your existing staff on basic security event and incident handling in conjunction with the service they provide.

Outsource your SOC

A security operations center constantly monitors systems for cybersecurity threats. Some companies offer services to continually monitor your network and systems for cybersecurity threats. These companies have tools and services designed to identify and notify you in case of system compromises or network attacks. Understanding all the ins and outs of monitoring systems and doing it properly is a full-time job. Consider outsourcing this service if you don’t have people dedicated to this task or are having problems hiring enough people to do it.

Be aware that an IT company may not have the same skills as a company dedicated to security monitoring, and that sometimes attackers leverage these third-party managed security service providers (MSSPs) to get to your systems and data. Ensure you hire a company that not only sells the service but follows best security practices themselves. You can read reviews and search for news reports about attacks involving the company you plan to hire. Also, check the credentials — and verify them — for key personnel at the company.

Minimize Your Risk

The more you reduce your risk, the less risk you have to manage. If you run systems with few controls or little governance, your organization is a cyber-attack waiting to happen. You will have a lot more to worry about, since you will have many sources of potential attack. Minimizing attack vectors gives an attacker fewer chances to get into your network and potentially leaves you with less to monitor.

Although people don’t like restrictions on how they go about their work, those restrictions and limitations will make cybersecurity easier to manage for your organization. You may require fewer people to handle all the variables in your cybersecurity risk equation. For example, if you choose one cloud environment for custom applications, such as AWS, Azure, or Google Cloud Platform (GCP), you will only have to learn that one platform and how to configure it properly, instead of having to worry about the best practices for all three.

I wrote a book about the top 20 questions executives should ask their cybersecurity team called Cybersecurity for Executives in the Age of Cloud. Evaluate those questions and the information I provided in my book to reduce the potential attacks and exploits that exist in your environment. If you don’t have a cybersecurity team, you can hire a consultant to perform an assessment of these 20 items to tell you where you stand and provide actionable steps to reduce cybersecurity risk.

Many more complex formulas exist than what I wrote in that book to calculate risk. Some are quantitative and some qualitative. Cybersecurity quants offer complex risk analysis formulas or suggest spending hours assigning labels to resources and risks that seem like random guesses.

If you’re trying to minimize cybersecurity staff due to a shortage, keep it simple and start with your known vulnerabilities and gaps. You can iterate and as your organization matures, move towards more complex models. I’m working on a new book with a more step-by-step approach to governance, risk management, and cybersecurity metrics. Follow this blog to get the first few chapters for free.

Have a virtual CISO or an on-call team of experts

Given the cost of a CISO these days, which can be upwards of $300,000 for an experienced professional, you might want to consider having a virtual CISO. This type of individual works part-time instead of full-time and may cost a fraction of what a full-time staff member does.

Another option would be to hire a team of security professionals to answer questions on an as-needed basis. I’m on the faculty of IANS Research, an organization that has on-call experts who can help you with your cybersecurity questions and issues. Each faculty member has areas of expertise. You would be hard-pressed to find a single individual who can answer the range of questions IANS faculty members can answer. If you can’t afford a CISO you can leverage the IANS team as your outsourced CISO until you can hire one. Many CISOs leverage IANS as a source of information sharing and additional guidance.

I specialize in cloud and application security. I also perform penetration tests, assessments, and offer cybersecurity training. I wrote a book on fundamental cybersecurity, risk management, and governance. Some of the types of questions I answered recently include:

  • Secure Kubernetes implementation and monitoring.
  • Help with IAM, authentication, and authorization in applications and cloud environments.
  • Container security.
  • API security.
  • Risk assessment of unpatched software in a particular environment.
  • Cloud security and best practices, backups, applications, encryption, storage, and networking.
  • Application security and assessment of application architectures.
  • Cloud security metrics and risk management.
  • DevOps, Software Development Lifecycle, Secure programming, Secure deployments, and supply chain management.
  • Hybrid cloud security issues.
  • SAAS risk assessments and security issues.

These are just some examples of the types of questions I can help you answer in the realm of cloud and application security. Others on the staff specialize in topics such as on-premises IT management, data centers, endpoint security, and compliance. Likely someone at IANS has direct experience with and can answer almost any security-related question you have.

Transfer Cybersecurity Risk

Sometimes it makes sense to transfer cybersecurity risk to another company by outsourcing portions of infrastructure and application management. I wrote about this in my book about leveraging infrastructure as a service (IAAS) or software-as-a-service (SAAS) cloud environments and applications. When you run your application on a cloud environment such as AWS instead of in your own data center, that company is responsible for some (but not all!) of the cybersecurity responsibilities associated with the application.

When you choose to outsource all or part of running an application to another company, you should perform a proper risk assessment to ensure that the company follows security best practices. You also want to make sure that your contract transfers the risk and any associated liability for a data breach should one occur, in relation to the services they provide. When you host an application on AWS and leverage AWS support you have instantly increased the size of your security team. They recommend that you contact them in the event of a security incident to get help.

When I hosted e-commerce websites, I used an e-commerce gateway. I ensured that I never stored any sensitive credit card data. When it got submitted by the customer, it went straight to the gateway over an encrypted channel. The data never remained on my system. By doing so I was able to transfer the risk of storing and processing credit cards mostly to the e-commerce gateway vendor. One less thing for my company to worry about managing securely.

Leverage Automation

I specialize in cloud security and application security. I spent 25 years as a programmer and also ran my own software engineering and e-commerce company for over ten years. I cannot tell you how much I love the fact that, in a cloud environment with virtual infrastructure, you can automate so many of the things I used to do manually when I ran my own systems in a co-location facility many years ago. You can also leverage automation in on-premises environments to a degree. It’s just easier in a solid IAAS cloud.

I, like most security-minded people, did not think AWS was secure enough initially. When I started revisiting the service, I noticed that you could automate configurations and lock them down in ways that prevent other people from changing them. It was easier to prevent errors and implement segregation of duties. If you automate your production deployments, you can be sure someone won’t fat-finger something on deployment night, a problem I’ve experienced way too often. TLS (SSL) certificates and domain names renew automatically. You can more easily automate secure, zero-trust networking.

Automation can help you minimize time spent on security issues — if you do it correctly. That’s one of the things I wrote about in my last book and will be covering in more detail in an upcoming book that picks up where the last one left off. Many factors come into play to ensure the automation can’t be used against you as it was in the Target and SolarWinds attacks. Automation can take a lot of time, so you need to implement it iteratively and in a manner that makes people’s jobs easier, not harder. That includes a proper architecture and design that works for developers or whoever is leveraging the automation.

Other ideas to deal with a security staff shortage?

These are just some of the ways you can deal with a shortage of cybersecurity professionals. You can optimize your cybersecurity risk management with a combination of these approaches. Perhaps you hire a more junior-level person on staff and leverage a virtual CISO or cybersecurity team to help that individual as needed. Almost any software professional or IT professional can learn to be a cybersecurity professional. People from other fields and with different perspectives may be good at different aspects of cybersecurity.

While looking at employment statistics in the past I noticed that the average salary is higher for a software engineer than a cybersecurity analyst or engineer. Do you really have a shortage of cybersecurity professionals, or are you not paying enough to entice others in your organization to join the security team?

I’ve also seen organizations that insist on hiring employees instead of outsourcing services. Maybe it’s time to think about the needs for cybersecurity in an organization a bit differently. Companies used to build their own data centers. Now they mostly outsource that to others that specialize in that area. Consider all your options and you might come up with some creative ideas to deal with your own cybersecurity staff shortage.

Teri Radichel


© 2nd Sight Lab 2022

____________________________________________

Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts


Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com