October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
An honest look at challenges related to finding
and retaining information security talent
Evan Francen, CEO
FRSecure and SecurityStudio
Introduction
• So, I’m told that we have a talent shortage problem in our industry.
• I don’t trust everything I hear, and neither should you.
• Do we actually have a talent shortage problem?
• Regardless, what are we going to do about it?
Before we dive in, let me introduce myself and who I work for. Don’t worry, there’s no sales pitch.
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me; these are “simple buttons” (because “easy buttons” don’t exist).
• 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s – 1st security gig was cleaning boot sector viruses from Windows 3.1 systems)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010 / 530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Me. I look better
as a cartoon.
UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?
Chapter 10: Too Many Few Experts – The information security industry is broken because we have too many “experts” but not enough experts.
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Just prepping you…
• I’m a binary thinker.
• Things I appreciate:
– Logic.
– Simplicity.
– Truth.
If you like these things too, we’ll have fun here (and maybe we should do some work together too).
Who I work for
FRSecure & Security Studio
This is best explained in a diagram…
I work here!
OK, now let’s dive in.
The subtitle for this presentation is “An honest look at challenges related to finding and retaining information security talent”.
• The keyword is “honest”, I think.
• Other important words are “finding” and “retaining”.
Honesty
• If you read the news, you’d think that we have nobody to do security work, but is this true?
• To answer the question, “Do we have a talent shortage problem?” we need to examine from (at least) three different perspectives:
– The industry itself - We need talent.
– Those who are hiring - You need talent.
– Those who are seeking - You are talent.
Who are you?
We need talent. – The problem(s)
• Security Magazine – The Cybersecurity Talent Gap = an Industry Crisis
– By one estimate, there will be 3.5 million unfilled cybersecurity jobs by 2021.
– Lack of qualified staff.
– Using underskilled practitioners.
– Security tool sprawl.
• Security Boulevard – The Great Cyber Security Talent Shortage Continues
• According to a November, 2018 ISACA study, more than 1,500 cybersecurity professionals:
– 69% cybersecurity teams are understaffed.
– 58% have unfilled cybersecurity positions.
– 60% cybersecurity budget is underfunded
• CSO Online – The cybersecurity skills shortage is getting worse
• More than 1/2 of organizations report a “problematic shortage” of security skills
It’s no wonder our business leaders want to do this.
We need talent.
How bad is it really?
• It’s bad, but you have some options (coming later).
• Everyone in this industry has a motive, usually to sell you something.
– The 3.5 million number was from Cybersecurity Ventures, they get more coverage and more clicks from sensational numbers. This was a prediction ONLY.
– The ISACA study was a survey of “cybersecurity professionals”.
– The scary title “The Cybersecurity Skill Shortage Epidemic” came from Deep Instinct and they sell stuff (endpoint protection, mobile security, etc.)
We need talent. – You can help.
• It’s hard to change a whole industry.
• Focus on you and your area of influence.
• What we need:
– More education everywhere (home, school, work, etc.)
– Awareness of the opportunities
– Make mentorship everywhere.
What you can do to help?
Some ideas:
• FRSecure’s CISSP Mentor Program - https://frsecure.com/cissp-mentor-program/
• SANS Mentor - https://www.sans.org/mentor/
• Start your own “mentor program”
• Volunteer somewhere
• https://www.safeandsecureonline.org/s/volunteers
• https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community
• Focus on you and your area of influence.
• Got kids? Talk to them. Talk to teachers.
• Free training & awareness stuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io
Start somewhere.
So, we know we have a talent shortage problem.
What does this mean to you if you’re in the market for information security talent?
You need talent. What does this mean to you?
So, we have a supply vs. demand issue.
• Demand is high, supply is low.
• This means you pay more, one way or another.
• Unless you have an unlimited budget, this means you better get it right, meaning:
– You identify the right needs.
– You get the right person (or people).
The right needs.
• What you need depends on what you want to accomplish. Makes sense.
• If you’re in business to make money, what you want to accomplish must be aligned with that. Right?
• Define your information security roles and responsibilities first, before you hire. Need help? Get help.
• Get your expectations in line with your needs.
DO NOT:
• Hire just because you were told you should.
• Hire just because others are.
• Copy a job description from someone else.
OK, so you’ve decided that you need someone.
1. Why do I need someone in the first place?
2. What needs will the person/people serve (specifically)?
3. What are my expectations?
Before you go there, answer three questions and write it down.
What you’ve written is the start of your job description.
Now you sort of know what you want. How are you going to get it?
You have three options:
1. Buy
2. Build
3. Outsource
Each option has pros and cons.
Option #1 - Buy your talent
• Pros
– Verifiable experience.
– Less wasted time/effort.
• Cons
– Expensive.
– Unlearning.
– More than you need.
If you buy talent, culture fit must be #1.
Option #2 - Build your talent
• Pros
– Custom fit.
– Loyalty.
– Cheaper.
• Cons
– Patience.
– They leave.
– Hard.
If you build talent, take your time. Support is key.
Option #3 - Outsource
• Pros
– Custom fit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual accountability.
2. Measurement is important.
3. Use someone who’s product agnostic.
Whatever option you choose, choose the option that’s best for you!
You need talent. – Most common problems.
Do you fit one or more of the following?
• Wrong motivations.
• Misaligned needs.
• Poor expectations.
• Can’t afford talent.
• Good talent vs. not so good talent.
Go back to:
1. Why do I need someone in the first place?
2. What needs will the person/people serve (specifically)?
3. What are my expectations?
You are talent. Keep at it.
Many of our talent seekers claim there isn't a talent shortage problem.
– They’re trying to get their 1st job in the industry and can’t.
– They’re very experienced and can’t get hired again.
– Expectations misalignment.
They’re trying to get their 1st job in the industry and can’t.
“You Want to Get into Security”
Short (34 page), free e-book.
https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083
They’re very experienced and can’t get hired again.
• My heart goes out to these people.
– Ageism.
– Stuck in your ways. Open your mind to new approaches while figuring out new ways to communicate the fundamentals.
• Hire one if you can get one. The wisdom alone is worth it.
Expectations misalignment.
• An education experience for all.
• Job seekers.
– You might not be worth as much as you think you are.
– Take a cut, career path is more important.
• Hiring people.
– Make sure you’re asking for what you really need.
– All those letters look good, but do you really need them all?
You are talent.
The short eBook, five chapters:
1. Abundance of Opportunity.
2. The Right Person.
3. Landing Your First Job.
4. Becoming Good.
5. Staying Healthy.
Read it. Share it. Give me feedback. It’s free!
That’s it! Thank you!
• Email: efrancen@frsecure.com
• @evanfrancen
• @FRSecure
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)

More Related Content

More from Evan Francen

MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917Evan Francen
 
People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017Evan Francen
 
AFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionAFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionEvan Francen
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 
TIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceEvan Francen
 
Mobile Information Security
Mobile Information SecurityMobile Information Security
Mobile Information SecurityEvan Francen
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environmentEvan Francen
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance WorldEvan Francen
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderEvan Francen
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT IssueEvan Francen
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest riskEvan Francen
 
FRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByFRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByEvan Francen
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisEvan Francen
 
An Introduction to Information Security
An Introduction to Information SecurityAn Introduction to Information Security
An Introduction to Information SecurityEvan Francen
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales DeckEvan Francen
 

More from Evan Francen (15)

MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917MHTA Social Engineering Presentation - 050917
MHTA Social Engineering Presentation - 050917
 
People. The Social Engineer's Dream - TechPulse 2017
People.  The Social Engineer's Dream - TechPulse 2017People.  The Social Engineer's Dream - TechPulse 2017
People. The Social Engineer's Dream - TechPulse 2017
 
AFCOM - Information Security State of the Union
AFCOM - Information Security State of the UnionAFCOM - Information Security State of the Union
AFCOM - Information Security State of the Union
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
 
TIES 2013 Education Technology Conference
TIES 2013 Education Technology ConferenceTIES 2013 Education Technology Conference
TIES 2013 Education Technology Conference
 
Mobile Information Security
Mobile Information SecurityMobile Information Security
Mobile Information Security
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environment
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance World
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a Leader
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
FRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) ByFRSecure's Ten Security Principles to Live (or die) By
FRSecure's Ten Security Principles to Live (or die) By
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis
 
An Introduction to Information Security
An Introduction to Information SecurityAn Introduction to Information Security
An Introduction to Information Security
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
 

Recently uploaded

The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...
The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...
The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...HRMantra Software Pvt. Ltd
 
7 non-negotiable roles of Human Resource Management
7 non-negotiable roles of Human Resource Management7 non-negotiable roles of Human Resource Management
7 non-negotiable roles of Human Resource ManagementHireQuotient
 
The Engagement Engine: Strategies for Building a High-Performance Culture
The Engagement Engine: Strategies for Building a High-Performance CultureThe Engagement Engine: Strategies for Building a High-Performance Culture
The Engagement Engine: Strategies for Building a High-Performance CultureAggregage
 
A Proven #1 Prospecting Hack You're Missing Out On
A Proven #1 Prospecting Hack You're Missing Out OnA Proven #1 Prospecting Hack You're Missing Out On
A Proven #1 Prospecting Hack You're Missing Out Onfross37
 
Presentation on HR for Weekly Review Meeting
Presentation on HR for Weekly Review MeetingPresentation on HR for Weekly Review Meeting
Presentation on HR for Weekly Review MeetingAlokChatterjee16
 
Webinar - Q2 2024: What’s New in MarketPay
Webinar - Q2 2024: What’s New in MarketPayWebinar - Q2 2024: What’s New in MarketPay
Webinar - Q2 2024: What’s New in MarketPayPayScale, Inc.
 
Salary Survey 2024 For Employers to Hire Remotely From India
Salary Survey 2024 For Employers to Hire Remotely From IndiaSalary Survey 2024 For Employers to Hire Remotely From India
Salary Survey 2024 For Employers to Hire Remotely From IndiaNayantikaSrivastava1
 
Market Signals – Global Job Market Trends – March 2024 summarized!
Market Signals – Global Job Market Trends – March 2024 summarized!Market Signals – Global Job Market Trends – March 2024 summarized!
Market Signals – Global Job Market Trends – March 2024 summarized!Career Angels
 

Recently uploaded (8)

The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...
The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...
The No-Nonsense Guide to Choosing the Right Human Resources Management Softwa...
 
7 non-negotiable roles of Human Resource Management
7 non-negotiable roles of Human Resource Management7 non-negotiable roles of Human Resource Management
7 non-negotiable roles of Human Resource Management
 
The Engagement Engine: Strategies for Building a High-Performance Culture
The Engagement Engine: Strategies for Building a High-Performance CultureThe Engagement Engine: Strategies for Building a High-Performance Culture
The Engagement Engine: Strategies for Building a High-Performance Culture
 
A Proven #1 Prospecting Hack You're Missing Out On
A Proven #1 Prospecting Hack You're Missing Out OnA Proven #1 Prospecting Hack You're Missing Out On
A Proven #1 Prospecting Hack You're Missing Out On
 
Presentation on HR for Weekly Review Meeting
Presentation on HR for Weekly Review MeetingPresentation on HR for Weekly Review Meeting
Presentation on HR for Weekly Review Meeting
 
Webinar - Q2 2024: What’s New in MarketPay
Webinar - Q2 2024: What’s New in MarketPayWebinar - Q2 2024: What’s New in MarketPay
Webinar - Q2 2024: What’s New in MarketPay
 
Salary Survey 2024 For Employers to Hire Remotely From India
Salary Survey 2024 For Employers to Hire Remotely From IndiaSalary Survey 2024 For Employers to Hire Remotely From India
Salary Survey 2024 For Employers to Hire Remotely From India
 
Market Signals – Global Job Market Trends – March 2024 summarized!
Market Signals – Global Job Market Trends – March 2024 summarized!Market Signals – Global Job Market Trends – March 2024 summarized!
Market Signals – Global Job Market Trends – March 2024 summarized!
 

Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.

  • 1. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn
  • 2. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem An honest look at challenges related to finding and retaining information security talent Evan Francen, CEO FRSecure and SecurityStudio
  • 3. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem Introduction • So,I’m told thatwe haveatalentshortageproblemin ourindustry. • I don’ttrusteverything I hear, andneither shouldyou. • Dowe actuallyhavea talentshortageproblem? • Regardless,whatarewe going to doaboutit? Beforewedivein,letme introducemyselfandwho Iworkfor.Don’tworry,there’snosalespitch.
  • 4. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio Idoa lotof security stuff… • Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy buttons don’t exist). • 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was cleaning bootsector viruses from Windows 3.1 systems) • Worked as CISOandvCISOfor hundreds of companies. • Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
  • 5. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio Idoa lotof security stuff… • Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy buttons don’t exist). • 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was cleaning bootsector viruses from Windows 3.1 systems) • Worked as CISOandvCISOfor hundreds of companies. • Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) Me. I look better as a cartoon.
  • 6. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem UNSECURITY:Information SecurityIs Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? Chapter10:Too ManyFewExperts – Theinformationsecurityindustryisbrokenbecausewehavetoomany“experts”butnotenoughexperts.
  • 7. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio Just prepping you… • I’m a binarythinker. • Things Iappreciate: – Logic. – Simplicity. – Truth. If you like these things too,we’ll have fun here (andmaybe we should dosome worktogether too).
  • 8. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem Who I work for FRSecure & Security Studio This is best explained in adiagram…
  • 9. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Who I work for
  • 10. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Who I work for I work here!
  • 11. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem OK, nowlet’sdivein.
  • 12. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem Thesubtitle for this presentation is “An honest look at challenges related to finding and retaining information security talent”. • Thekeyword is “honest”, I think • Otherimportant words are “finding” and “retaining”.
  • 13. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem Honesty • If youreadthenews, you’dthinkthatwe havenobodytodo securitywork,but is this true? • Toanswerthe question,“Dowehaveatalentshortageproblem?”weneed toexaminefrom(at least)threedifferentperspectives: – Theindustryitself -We need talent. – Thosewho are hiring -You need talent. – Thosewho are seeking -You aretalent. Who are you?
  • 14. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Theproblem(s) • Security Magazine– TheCybersecurityTalent Gap = an IndustryCrisis – Byone estimate,therewill be3.5million unfilledcybersecurityjobsby2021. – Lackofqualifiedstaff. – Using underskilled practitioners. – Securitytool sprawl.
  • 15. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Theproblem(s) • Security Boulevard – TheGreat CyberSecurityTalent Shortage Continues • According toaNovember,2018ISACA study,more than1,500cybersecurityprofessionals: – 69%cybersecurityteamsareunderstaffed. – 58%haveunfilledcybersecuritypositions. – 60%cybersecuritybudgetis underfunded
  • 16. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Theproblem(s) • CSOonline –Thecybersecurityskills shortageis getting worse • Morethan1/2oforganizationsreporta “problematicshortage”ofsecurityskills
  • 17. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Theproblem(s)
  • 18. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Theproblem(s) It’snowonderourbusiness leaderswanttodothis.
  • 19. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent. How badis it really? • It’s bad, but youhavesome options (coming later). • Everyoneinthis industryhas a motive, usually to sell yousomething. – The3.5millionnumberwasfromCybersecurityVentures,theygetmorecoverageandmoreclicks fromsensationalnumbers.This was apredictionONLY. – TheISACAstudywasasurveyof“cybersecurityprofessionals”. – Thescarytitle“The CybersecuritySkillShortageEpidemic” came fromDeepInstinctandtheysellstuff(endpointprotection, mobile security,etc.)
  • 20. October 28–30, 2019 | Minneapolis Convention Center cybersecuritysummit.org | #cybersummitmn Tackling the talent shortage problem We needtalent.–Youcan help. • It’s hard tochangea whole industry. • Focus on you and your area of influence. • What weneed: – Moreeducationeverywhere(home,school,work,etc.) – Awarenessofthe opportunities – Makementorshipeverywhere. What you can do to help?
  • 21. We need talent. – You can help.
    Some ideas:
    • FRSecure’s CISSP Mentor Program - https://frsecure.com/cissp-mentor-program/
    • SANS Mentor - https://www.sans.org/mentor/
    • Start your own “mentor program”
    • Volunteer somewhere
      – https://www.safeandsecureonline.org/s/volunteers
      – https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community
  • 22. We need talent. – You can help.
    Some ideas:
    • Focus on you and your area of influence.
    • Got kids? Talk to them. Talk to teachers.
    • Free training & awareness stuff:
      – https://www.commonsensemedia.org/
      – https://staysafeonline.org/
      – https://s2me.io
    Start somewhere.
  • 23. We need talent. – You can help.
    Some ideas:
    • Focus on you and your area of influence.
    • Got kids? Talk to them. Talk to teachers.
    • Free training & awareness stuff:
      – https://www.commonsensemedia.org/
      – https://staysafeonline.org/
      – https://s2me.io
    Start somewhere.
    So, we know we have a talent shortage problem. What does this mean to you if you’re in the market for information security talent?
  • 24. You need talent. What does this mean to you?
    So, we have a supply vs. demand issue.
    • Demand is high, supply is low.
    • This means you pay more, one way or another.
    • Unless you have an unlimited budget, this means you better get it right, meaning:
      – You identify the right needs.
      – You get the right person (or people).
  • 25. You need talent. What does this mean to you?
    The right needs.
    • What you need depends on what you want to accomplish. Makes sense.
    • If you’re in business to make money, what you want to accomplish must be aligned with that. Right?
    • Define your information security roles and responsibilities first, before you hire. Need help? Get help.
    • Get your expectations in line with your needs.
  • 26. You need talent. What does this mean to you?
    The right needs.
    • What you need depends on what you want to accomplish. Makes sense.
    • If you’re in business to make money, what you want to accomplish must be aligned with that. Right?
    • Define your information security roles and responsibilities first, before you hire. Need help? Get help.
    • Get your expectations in line with your needs.
    DO NOT:
    • Hire just because you were told you should.
    • Hire just because others are.
    • Copy a job description from someone else.
  • 27. You need talent. What does this mean to you?
    OK, so you’ve decided that you need someone.
    1. Why do I need someone in the first place?
    2. What needs will the person/people serve (specifically)?
    3. What are my expectations?
    Before you go there, answer three questions and write it down.
  • 28. You need talent. What does this mean to you?
    OK, so you’ve decided that you need someone.
    1. Why do I need someone in the first place?
    2. What needs will the person/people serve (specifically)?
    3. What are my expectations?
    What you’ve written is the start of your job description.
  • 29. You need talent. What does this mean to you?
    Now you sort of know what you want. How are you going to get it?
    You have three options:
    1. Buy
    2. Build
    3. Outsource
    Each option has pros and cons.
  • 30. You need talent. What does this mean to you?
    Option #1 - Buy your talent
    • Pros
      – Verifiable experience.
      – Less wasted time/effort.
    • Cons
      – Expensive.
      – Unlearning.
      – More than you need.
    If you buy talent, culture fit must be #1.
  • 31. You need talent. What does this mean to you?
    Option #2 - Build your talent
    • Pros
      – Custom fit.
      – Loyalty.
      – Cheaper.
    • Cons
      – Patience.
      – They leave.
      – Hard.
    If you build talent, take your time. Support is key.
  • 32. You need talent. What does this mean to you?
    Option #3 - Outsource
    • Pros
      – Custom fit.
      – Only buy what you need.
      – Experience.
    • Cons
      – No in-house IP.
      – Motives/bias.
      – Accountability.
    If you outsource talent:
    1. Make sure there’s mutual accountability.
    2. Measurement is important.
    3. Use someone who’s product agnostic.
  • 34. You need talent. What does this mean to you?
    Now you sort of know what you want. How are you going to get it?
    You have three options:
    1. Buy
    2. Build
    3. Outsource
    Whatever option you choose, choose the option that’s best for you!
  • 35. You need talent. – Most common problems.
    Do you fit one or more of the following?
    • Wrong motivations.
    • Misaligned needs.
    • Poor expectations.
    • Can’t afford talent.
    • Good talent vs. not so good talent.
    Go back to:
    1. Why do I need someone in the first place?
    2. What needs will the person/people serve (specifically)?
    3. What are my expectations?
  • 36. You are talent. Keep at it.
    Many of our talent seekers claim there isn't a talent shortage problem.
      – They’re trying to get their 1st job in the industry and can’t.
      – They’re very experienced and can’t get hired again.
      – Expectations misalignment.
  • 37. You are talent. Keep at it.
    They’re trying to get their 1st job in the industry and can’t.
    “You Want to Get into Security”
    Short (34 page), free e-book.
    https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083
  • 38. You are talent. Keep at it.
    They’re very experienced and can’t get hired again.
    • My heart goes out to these people.
      – Ageism.
      – Stuck in your ways. Open your mind to new approaches while figuring out new ways to communicate the fundamentals.
    • Hire one if you can get one. The wisdom alone is worth it.
  • 39. You are talent. Keep at it.
    Expectations misalignment.
    • An education experience for all.
    • Job seekers.
      – You might not be worth as much as you think you are.
      – Take a cut; career path is more important.
    • Hiring people.
      – Make sure you’re asking for what you really need.
      – All those letters look good, but do you really need them all?
  • 40. You are talent.
    The short eBook, five chapters:
    1. Abundance of Opportunity.
    2. The Right Person.
    3. Landing Your First Job.
    4. Becoming Good.
    5. Staying Healthy.
    Read it. Share it. Give me feedback. It’s free!
  • 41. That’s it! Thank you!
    • Email: efrancen@frsecure.com
    • @evanfrancen
    • @FRSecure #S2Roadshow
    • Blog - https://evanfrancen.com
    • Podcast (The UNSECURITY Podcast)