InfoSec Staffing Myths We Can't Afford
Bill Bernard
Entrepreneurial Cybersecurity Field CTO focused on driving high impact value based sales teams, meaningful customer interactions, and impactful messaging to match quality cybersecurity solutions with those who need them
There are a trio of myths that are holding us back from solving for our inability to fully staff security teams. These are so pervasive that they're simply accepted as truths - and by people who should know better. So let's tackle these and see if we can bust them.
Myth: You can't be an effective Infosec resource unless you've come from IT.
I understand why people would feel that way. Infosec technology is a $77B/year business, and if you look at what the industry looks like you might think that way too:
How could somebody who doesn't have at least 30 product certifications possibly survive, let alone provide value in your infosec program? In fact, I'd argue that this thinking keeps security programs overly focused on the Protect function of the NIST-CSF at the expense of the other 4 functions (Identify, Detect, Respond, and Recover) that are equally important. After all, these technologies are about 85% focused on that Protect function.
But wait, there's a whole lot more to Infosec than keeping all the appliances working and updating all the software packages. CISA publishes a Cyber Career Pathway Tool and that tool recognizes more than 50 different roles in infosec:
Every one of these roles is appropriate to a fully functional security program, and while some of them are clearly technical, many of them don't require a career path through IT. Do they require an understanding of IT? Most of them do, yes - but that is experience you can get through experiences other than having had a progression of IT jobs. Which is not to say you can get by with no familiarity with the mechanics of information technology - just that you don't need to perform some years-long apprenticeship in IT before you can even be considered for an Infosec role. You start to wonder why they assume running routers and switches is a prerequisite to a security governance role.
Myth: There are no entry level jobs in Infosec.
This one gets me every time. Apparently there must be some orchard out there, probably in California, that grows senior Infosec people who are picked at the height of ripeness and rushed off to market. This would explain why infosec people are so hard to find: the orchard must be very small.
However, this isn't a phenomenon unique to Infosec. Developers are often required to have more years of experience with a programming language than is possible - because the language hasn't been around that many years. Or jobs paying just better than minimum wage requiring master's degrees. Or, more mundane but still extremely ridiculous, requiring that you have multiple years' experience doing the exact same job in order to get the job - in other words, expect to be pigeonholed into this one job for the rest of your career.
"But Bill," I imagine the voices in my head saying, "Infosec is too crucial to a business to trust to entry-level people!" To that I respond with a series of rhetorical questions: are there no entry positions in medicine? Are there no entry positions for emergency responders? Are there not entry level positions in banking? Of course there are.
Is there not high-volume, low-skill work in Infosec? (Hint: if you're leaning towards answering "no," maybe take a poll of your team first.) For whatever reason, however, we seem to expect that only highly skilled (translates to: relatively expensive) workers can do ANY of the work in Infosec. Translated to the medical field: this is why you only see heart surgeons performing transport duties (pushing patients around on beds and in wheelchairs), because only they can be trusted with that task.
Myth: If my company invests in training people in Infosec they'll just leave.
This one is harder to argue with in Infosec in the short term. Why? Because we have such a small talent pool that every company covets skilled Infosec workers, and we all know the old adage that when you want a significant raise you change companies.
My best argument here, however, is that this is looking at a symptom and thinking you've found the cause. A bit like focusing on treating a fever while ignoring the acute appendicitis causing it - no combination of ice packs and pain killers is going to fix that fever. Employees leave for a variety of reasons, but in my experience it generally comes down to a couple of key items:
Training someone can, in and of itself, be an indication to an employee that they're valued. But it can also be too little, too late. If your security team feels overworked and underappreciated (underpaid, understaffed, expected to work 24x7, or just under-recognized) then yeah, they're going to be flight risks, and training them on something new gives them a better chance of landing something better elsewhere. But the underlying problem is still one of those two bullet points, not training. And every employee is a little different - one may need a raise while another just needs an extra coworker to share the load with. Take care of those problems and you'll see a lot fewer "I'm trained, now I'm leaving" issues.
TLDR: so what?
Here's what I know. We can't find and hire enough Infosec talent the way we've been doing it. These three myths are at the core of how we're making it hard on ourselves as we try to hire - how we're perpetuating our own problems. So let's change up the script. Hiring people who can add value to our Infosec programs from whatever previous, related experience they have - not just IT experience - opens up our talent pool and adds significant diversity in both background and approach to security. Hiring entry-level resources allows us to get lower-cost resources into our security teams, as well as free up our more expensive resources to tackle the issues that require their capabilities - not the repetitive stuff they're stuck doing. And educating your resources - at all levels - won't immediately send them off to greener pastures - unless your pasture is particularly brown to begin with. Who knows, you might even up-level those entry resources to being critical senior resources on your team someday, and you'll be glad you did.
Manager Cyber Risk and Compliance
1 year ago: Great article Bill! Thank you!
Principal Recruiter
2 years ago: Budget, time and commitment within organizations to develop and execute training/development programs across job functions which path folks from an academy or a degree program or self-study/certs or a mix to a baseline of industry experience in some core role which would serve as a jumping point to many others. It's not as easy as throwing $$ at it (which, generally speaking, only companies of certain size or success can choose to do); you have to have people already with experience in roles be given time and tools to contribute to professional development. Who do you know in a Cybersecurity role in any function from Sales to Product to Operations who has a bunch of time to invest in developing other folks? It's difficult just to keep your own skills and knowledge current and relevant!