sans skills gap hiring survey results: reducing attrition

SANS Skills Gap Hiring Survey Results: Reducing Attrition, Increasing Effectiveness

John Pescatore, SANS Director, Emerging Security Trends


Post on 03-Feb-2022


Who Am I?

• Graduated with an Electrical Engineering degree in 1978, went to work at NSA

• US Secret Service working on secure communications, surveillance electronics – and bullet-resistant materials

• 11 years with GTE, telecoms and secure government systems

• Trusted Information Systems – first firewall company

• Entrust – first PKI company

• Lead security analyst at Gartner for 13+ years

• SANS in 2013


The Goal: Increase Effectiveness and Efficiency


Late Action = Incident Response

Early Action = Damage Prevention

Survey Focus

• Headcount gap vs. skill gap

• Is turnover/attrition really high in security teams?

• What reduces security team attrition?

• Best ways for new hires to be productive quickly.

https://www.sans.org/webcasts/closing-critical-skills-gap-modern-effective-security-operations-centers-socs-survey-results-113485


Turnover/Attrition

• Hiring offset attrition 🡪 Government being exception

• Expensive!

• Small companies seeing highest turnover

• Overall turnover below IT industry average


Interviews: Turnover/Attrition Takeaways

• Efficiency/effectiveness of a security team is directly proportional to time spent working together.

• Attrition is lowest where

  • Burnout is avoided

  • Individual skills and creativity are valued/rewarded/supported

  • Tools (particularly open source) are used, enhanced and shared

Desired Tools Experience

• Major focus is time to productivity for new hires

• Tool fluency in use and extension/integration

• Less than 10 tools, more than 1

• Creativity and playing

• Interesting frequent comment: “It would also be nice if they know how to use corporate collaboration tools…”

Applying Those Levers

[Diagram. Labels: Shield; Eliminate Root Cause; Monitor/Report; Policy; Assess Risk; Baseline; Vuln Assessment/Pen Test; Secure Configuration; Mitigate; Discovery/Inventory; Threats; Regulations; Business Demand; OTT Dictates.]

[Bullet groups in the diagram: FW/IPS, EPP/EDR, NAC; Patch Management, Config Management, Change Management; Software Vuln Test, Training, Network Arch, Privilege Mgmt; SIEM, Security Analytics, Incident Response.]