Global CISO Forum 2017: Help Wanted: Hiring and Retaining Information Security Talent
TRANSCRIPT
Help Wanted: Hiring and Retaining Information Security Talent
Talent Shortage in Information Security?
Who Am I?
Brian Phillips
• VP, IT Security and Information Security for Macy’s, Inc
• CISO and CIO of FDS Bank
• 20+ Years of Experience
• C|CISO, CISSP, CISM, CRISC, CCA, SCSA, OCA, CCNA, CCNP, RCSA, MCP…ABCDEFG
• Twitter: @BrianRPhillips
• Short Version – I’m a Security Guy in Retail
• Like most of you, I hire people and build teams
Obligatory Legal Disclaimer
Disclaimer: The views and opinions expressed within this presentation are my own, and therefore often unpopular. They do not reflect the views, opinions, or disposition of my employer.
Just know, that if anything goes wrong:
Legal Defense = Blame Russia
10/10/2017 ciso.eccouncil.org 4@BrianRPhillips
Talent Shortage in Information Security ?
• Is there really a Talent Shortage?
• If so, is it as bad as Advertised?
According to a prediction from ISACA:
“There will be a global shortage of 2 Million Cyber Security Professionals by 2019.”
Every year in the U.S. 40,000 InfoSec jobs go unfilled, and companies are struggling to fill another 200,000 cybersecurity-related roles. - from CyberSeek
For every 10 cyber security job ads that appear on career site Indeed, only seven people even click on the ad – let alone apply (wouldn’t share that info).
Talent Shortage Retention
• Zero Unemployment Rate (or Negative)*
• Talent Poaching
*CSO Magazine
Strong InfoSec Leadership
Isn’t Security Cool Yet?
The Math Doesn’t Add Up
• Strong Security Leadership
• Appealing Field
• Unfilled Jobs
Our Jobs Are Not Exactly Easy
How Do We Fix This?
• A Few Observations
• My Own Experience
• Recommendations – Not a Definitive Solution
Recommendations - Three Categories
1) Stop Hunting Unicorns
Unicorn = Extremely Rare, If Not Fictional, Candidate
Examples
1) SOC Analyst - Req: 8-10 Years Experience, GCIH, GCFW, and GCIA [SANS Inc. Handling, Firewall, and Intrusion Certs]
2) Junior Security Analyst – Req: 5 Years Experience, GPEN [Pen Testing],C++/Java/.Net [Programming], and min. 3 years using EnCase [Forensics]
3) Junior Security Admin – Req: Entry Level, CISSP [Not Associate – yes required]
More Examples
1) Junior Position – 3Years of Experience of Security Incident Response
2) Programming Knowledge in C++, Python, .NET, and Ruby
3) Have Implemented and Maintained ML and AI Frameworks - Algorithm Creation
Degree vs Certifications vs Experience
• Not Debating the Validity or Superiority of one over another
• Caution on Ruling out Qualified Candidates
The U.S. is 4th overall in the number of InfoSec job postings. In 2014 candidates met 60% of the job requirements, increased to 67% in 2016. - Indeed.com
Israel by far has the most InfoSec job postings. Yet in 2014 candidates only met 24% of the job requirements, increased only to 28% in 2016. - Indeed.com
Candidates vs Job Requirements
Filling Multiple Needs
• Filling Needs or Skill Gaps
• Challenged to Do More with Less
Want: High Caliber Applicants
Get: Mixed Mediocre Skill – at best
• Talented Candidates Shy Away from Applying b/c of certain requirements
• Position Stays Unfilled for a Longer Time
Where Are the Candidates?
• We’re Competing with Other Companies over the Same People
• Recruiting Headhunters are Stealing Your People and Mine
• We Need to Reinvigorate How We Look For Candidates
Recommendations
• Focus on One Role When Posting a Position
• Look to Other Internal Areas of the Business/IT
• Seek Out Passion
Passion
Passion Can Take Many Forms:
• Home Labs – Practicing Off-hours
• Actively Learning (or Teaching) a New Skill
• Up-to-date on Recent Security News
• Leading a Community Effort or Group
• Passionate about their Hobby (Not Security Related)
Recommendations
1) Stop Hunting Unicorns
2) Build Talent Pipeline
I’ve Looked, So Where’s the Talent?
• Existing Security Talent is Hard to Find and Hire
• Where Do We Look From Here?
Sourcing
• College Students
• Seek out internal candidates from other parts of the business
• Look in non-InfoSec Disciplines
Sourcing
• NionSpy.B – March 2015
• Project Management
Recommendations
1) Stop Hunting Unicorns
2) Build Talent Pipeline
3) Training
Training
CISO: Our Security Team needs training.
CIO: What happens if we invest in developing our people, and then they leave us?
CISO: What happens if we don’t, and they stay?
External Training:
• SANS.org
• CYBRARY.it
• Vendor/Product Training Classes
Training Correctly is Hard
New Skills: Repeated Exposure for Adult Skill Retention
Methods:
• Knowledge Sharing/Shadowing
• Teaching Others
• Internal Lab Environments
Lab / Cyber Range
• Internal Lab Exercises (Team Members Teach each Other)
• Hackathons
• Hacker Trivia
• Lunch and Learn Style Sessions
• Capture The Flag Competitions
• Career Path Illumination
• Purple Team Exercises
Purple Team Example
“Red and Blue teams ideally work in perfect harmony with each other, as two hands that form the ability to clap.” - Daniel Miessler
• Red Team (Attackers) targets a test web server (Recon/Web Shells)
• Blue Team (Defenders) monitors for detection/alerting
• Blue Team actively defends where applicable
• Assume Red Team succeeds and allow them to go further into the network – rinse, repeat
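The Blue Team side of the exercise above, as an added example that is not from Brian Phillips’s slides or from any tool he names: a small detector that reads web server access log lines and raises alerts for the two Red Team stages the slide describes, recon (scanner user agents, forced-browsing 404 bursts) and web shell use (a server-side script executed from the upload directory, or a request carrying a command parameter). Everything below is assumed for illustration: the Apache/nginx combined log format, the writable /uploads/ path, the indicator lists, and the sample log, which is constructed rather than real traffic.

```python
"""Minimal purple-team lab detector: recon and web-shell indicators in access logs.

Added example, not from the original presentation. All paths, indicator
lists and log lines here are assumptions/constructed data for a lab.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Apache/nginx "combined" access-log format (assumed for the lab server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Illustrative indicators; a real deployment tunes these to its own environment.
SCANNER_UA = ("nikto", "sqlmap", "dirbuster", "gobuster", "masscan", "nmap")
UPLOAD_DIR = "/uploads/"                      # assumed user-writable web path
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
SHELL_PARAMS = {"cmd", "exec", "command", "shell"}


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, notfound_threshold=10):
    """Scan log lines and return (kind, client_ip, detail) alert tuples.

    kinds: scanner_user_agent   - known scanner string in the User-Agent (recon)
           recon_404_burst      - one IP reached `notfound_threshold` 404s (forced browsing)
           script_in_upload_dir - server-side script executed from the upload path
           command_parameter    - request carries a typical web-shell command parameter
    """
    alerts = []
    notfound = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                          # unparseable line: skip, do not crash the detector
        ip, path = rec["ip"], rec["path"]
        if any(s in rec["ua"].lower() for s in SCANNER_UA):
            alerts.append(("scanner_user_agent", ip, rec["ua"]))
        if rec["status"] == 404:
            notfound[ip] += 1
            if notfound[ip] == notfound_threshold:   # fire once per IP, when the threshold is crossed
                alerts.append(("recon_404_burst", ip, f"{notfound_threshold} x 404"))
        file_part, _, query = path.partition("?")
        lowered = file_part.lower()
        if lowered.startswith(UPLOAD_DIR) and lowered.endswith(SCRIPT_EXT):
            alerts.append(("script_in_upload_dir", ip, f"{rec['method']} {file_part}"))
        if SHELL_PARAMS & set(parse_qs(query)):
            alerts.append(("command_parameter", ip, query))
    return alerts


def count_kinds(alerts):
    """Summarise alerts as {kind: count}."""
    return dict(Counter(kind for kind, _, _ in alerts))


# Constructed sample log for the exercise (not real traffic).
_TS = "10/Oct/2017:09:%02d:00 -0400"


def _line(ip, method, path, status, ua, minute):
    return f'{ip} - - [{_TS % minute}] "{method} {path} HTTP/1.1" {status} 123 "-" "{ua}"'


_RECON_PATHS = ["/.git/config", "/backup.zip", "/admin/", "/phpmyadmin/", "/.env",
                "/wp-login.php", "/config.bak", "/server-status", "/test/", "/old/"]

SAMPLE_LOG = (
    [_line("203.0.113.7", "GET", "/index.html", 200, "Mozilla/5.0", 0),
     _line("10.0.0.5", "GET", "/cgi-bin/test.cgi", 404, "Mozilla/5.00 (Nikto/2.1.6)", 1)]
    + [_line("10.0.0.5", "GET", p, 404, "Mozilla/5.0", 2 + i) for i, p in enumerate(_RECON_PATHS)]
    + [_line("10.0.0.5", "POST", "/profile/upload", 200, "Mozilla/5.0", 13),   # avatar upload, looks benign
       _line("10.0.0.5", "GET", "/uploads/avatar.php?cmd=id", 200, "Mozilla/5.0", 14),
       _line("10.0.0.5", "POST", "/uploads/avatar.php", 200, "Mozilla/5.0", 15)]
)


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, ip, detail in run_demo():
        print(f"{kind:22} {ip:12} {detail}")
```

In the exercise the Blue Team would run this against the lab server's live access log while the Red Team works; the upload request itself (POST /profile/upload) is deliberately left unflagged so the team sees that the shell is only caught when it is executed, which is the kind of gap the "assume Red Team succeeds, rinse, repeat" loop is meant to surface.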
Recommendations
1) Stop Hunting Unicorns
2) Build Talent Pipeline
3) Training
Conclusion
• Focus Job Postings on a Specific Role/Need
• Build your Talent Pipeline via Universities/Interns/Internal Candidates
• Be Creative in How you Train your Teams
Questions / Contact Info
Brian Phillips
678-474-2745
@BrianRPhillips