Tackling the Talent Shortage Problem: An Honest Look at Challenges Related to Finding and Retaining Information Security Talent.

Talk given at the 2019 Cyber Security Summit
It’s a fact: there aren’t enough of us to go around. The unemployment rate is already at 0%, and the future looks bleak for people in need of information security talent. Luckily, the industry is filled with people and organizations willing and able to do something about it. In this session, Evan Francen, CEO and founder of FRSecure, gives a look at what it takes to build a good security analyst from the ground up: the foundational skills necessary for someone to break into the security industry, how technical-focused employees and non-technical employees develop successfully within the security industry, and what roles and skills a CISO should have in all of this.

Published in: Recruiting & HR

  1. October 28–30, 2019 | Minneapolis Convention Center | cybersecuritysummit.org | #cybersummitmn
  2. Tackling the talent shortage problem: An honest look at challenges related to finding and retaining information security talent. Evan Francen, CEO, FRSecure and SecurityStudio
  3. Introduction
     • So, I’m told that we have a talent shortage problem in our industry.
     • I don’t trust everything I hear, and neither should you.
     • Do we actually have a talent shortage problem?
     • Regardless, what are we going to do about it?
     Before we dive in, let me introduce myself and who I work for. Don’t worry, there’s no sales pitch.
  4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
     I do a lot of security stuff…
     • Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me; these are “simple buttons” (because “easy buttons” don’t exist).
     • 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s – 1st security gig was cleaning boot sector viruses from Windows 3.1 systems)
     • Worked as CISO and vCISO for hundreds of companies.
     • Developed the FRSecure Mentor Program; 6 students in 2010 / 530+ in 2019
     • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
  5. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
     Me. I look better as a cartoon.
  6. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?
     Chapter 10: Too Many Few Experts – The information security industry is broken because we have too many “experts” but not enough experts.
  7. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
     Just prepping you…
     • I’m a binary thinker.
     • Things I appreciate:
       – Logic.
       – Simplicity.
       – Truth.
     If you like these things too, we’ll have fun here (and maybe we should do some work together too).
  8. Who I work for: FRSecure & SecurityStudio
     This is best explained in a diagram…
  9. Who I work for
  10. Who I work for
      I work here!
  11. OK, now let’s dive in.
  12. The subtitle for this presentation is “An honest look at challenges related to finding and retaining information security talent”.
      • The key word is “honest”, I think
      • Other important words are “finding” and “retaining”.
  13. Honesty
      • If you read the news, you’d think that we have nobody to do security work, but is this true?
      • To answer the question, “Do we have a talent shortage problem?” we need to examine from (at least) three different perspectives:
        – The industry itself - We need talent.
        – Those who are hiring - You need talent.
        – Those who are seeking - You are talent.
      Who are you?
  14. We need talent. – The problem(s)
      • Security Magazine – The Cybersecurity Talent Gap = an Industry Crisis
        – By one estimate, there will be 3.5 million unfilled cybersecurity jobs by 2021.
        – Lack of qualified staff.
        – Using underskilled practitioners.
        – Security tool sprawl.
  15. We need talent. – The problem(s)
      • Security Boulevard – The Great Cyber Security Talent Shortage Continues
      • According to a November 2018 ISACA study, more than 1,500 cybersecurity professionals:
        – 69% cybersecurity teams are understaffed.
        – 58% have unfilled cybersecurity positions.
        – 60% cybersecurity budget is underfunded
  16. We need talent. – The problem(s)
      • CSOonline – The cybersecurity skills shortage is getting worse
      • More than 1/2 of organizations report a “problematic shortage” of security skills
  17. We need talent. – The problem(s)
  18. We need talent. – The problem(s)
      It’s no wonder our business leaders want to do this.
  19. We need talent. How bad is it really?
      • It’s bad, but you have some options (coming later).
      • Everyone in this industry has a motive, usually to sell you something.
        – The 3.5 million number was from Cybersecurity Ventures, they get more coverage and more clicks from sensational numbers. This was a prediction ONLY.
        – The ISACA study was a survey of “cybersecurity professionals”.
        – The scary title “The Cybersecurity Skill Shortage Epidemic” came from Deep Instinct and they sell stuff (endpoint protection, mobile security, etc.)
  20. We need talent. – You can help.
      • It’s hard to change a whole industry.
      • Focus on you and your area of influence.
      • What we need:
        – More education everywhere (home, school, work, etc.)
        – Awareness of the opportunities
        – Make mentorship everywhere.
      What can you do to help?
  21. We need talent. – You can help.
      Some ideas:
      • FRSecure’s CISSP Mentor Program - https://frsecure.com/cissp-mentor-program/
      • SANS Mentor - https://www.sans.org/mentor/
      • Start your own “mentor program”
      • Volunteer somewhere
        • https://www.safeandsecureonline.org/s/volunteers
        • https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community
  22. We need talent. – You can help.
      Some ideas:
      • Focus on you and your area of influence.
      • Got kids? Talk to them. Talk to teachers.
      • Free training & awareness stuff:
        • https://www.commonsensemedia.org/
        • https://staysafeonline.org/
        • https://s2me.io
      Start somewhere.
  23. We need talent. – You can help.
      So, we know we have a talent shortage problem. What does this mean to you if you’re in the market for information security talent?
  24. You need talent. What does this mean to you?
      So, we have a supply vs. demand issue.
      • Demand is high, supply is low.
      • This means you pay more, one way or another.
      • Unless you have an unlimited budget, this means you better get it right, meaning:
        – You identify the right needs.
        – You get the right person (or people).
  25. You need talent. What does this mean to you?
      The right needs.
      • What you need depends on what you want to accomplish. Makes sense.
      • If you’re in business to make money, what you want to accomplish must be aligned with that. Right?
      • Define your information security roles and responsibilities first, before you hire. Need help? Get help.
      • Get your expectations in line with your needs.
  26. You need talent. What does this mean to you?
      The right needs.
      DO NOT:
      • Hire just because you were told you should.
      • Hire just because others are.
      • Copy a job description from someone else.
  27. You need talent. What does this mean to you?
      OK, so you’ve decided that you need someone.
      1. Why do I need someone in the first place?
      2. What needs will the person/people serve (specifically)?
      3. What are my expectations?
      Before you go there, answer three questions and write it down.
  28. You need talent. What does this mean to you?
      OK, so you’ve decided that you need someone.
      What you’ve written is the start of your job description.
  29. You need talent. What does this mean to you?
      Now you sort of know what you want. How are you going to get it?
      You have three options:
      1. Buy
      2. Build
      3. Outsource
      Each option has pros and cons.
  30. You need talent. What does this mean to you?
      Option #1 - Buy your talent
      • Pros
        – Verifiable experience.
        – Less wasted time/effort.
      • Cons
        – Expensive.
        – Unlearning.
        – More than you need.
      If you buy talent, culture fit must be #1.
  31. You need talent. What does this mean to you?
      Option #2 - Build your talent
      • Pros
        – Custom fit.
        – Loyalty.
        – Cheaper.
      • Cons
        – Patience.
        – They leave.
        – Hard.
      If you build talent, take your time. Support is key.
  32. You need talent. What does this mean to you?
      Option #3 - Outsource
      • Pros
        – Custom fit.
        – Only buy what you need.
        – Experience.
      • Cons
        – No in-house IP.
        – Motives/bias.
        – Accountability
      If you outsource talent:
      1. Make sure there’s mutual accountability.
      2. Measurement is important.
      3. Use someone who’s product agnostic.
  34. You need talent. What does this mean to you?
      Now you sort of know what you want. How are you going to get it?
      You have three options:
      1. Buy
      2. Build
      3. Outsource
      Whatever option you choose, choose the option that’s best for you!
  35. You need talent. – Most common problems.
      Do you fit one or more of the following?
      • Wrong motivations.
      • Misaligned needs.
      • Poor expectations.
      • Can’t afford talent.
      • Good talent vs. not so good talent.
      Go back to:
      1. Why do I need someone in the first place?
      2. What needs will the person/people serve (specifically)?
      3. What are my expectations?
  36. You are talent. Keep at it.
      Many of our talent seekers claim there isn't a talent shortage problem.
      – They’re trying to get their 1st job in the industry and can’t.
      – They’re very experienced and can’t get hired again.
      – Expectations misalignment.
  37. You are talent. Keep at it.
      They’re trying to get their 1st job in the industry and can’t.
      “You Want to Get into Security”
      Short (34 page), free e-book.
      https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083
  38. You are talent. Keep at it.
      They’re very experienced and can’t get hired again.
      • My heart goes out to these people.
        – Ageism.
        – Stuck in your ways. Open your mind to new approaches while figuring out new ways to communicate the fundamentals.
      • Hire one if you can get one. The wisdom alone is worth it.
  39. You are talent. Keep at it.
      Expectations misalignment.
      • An education experience for all.
      • Job seekers.
        – You might not be worth as much as you think you are.
        – Take a cut, career path is more important.
      • Hiring people.
        – Make sure you’re asking for what you really need.
        – All those letters look good, but do you really need them all?
  40. You are talent.
      The short eBook, five chapters:
      1. Abundance of Opportunity.
      2. The Right Person.
      3. Landing Your First Job.
      4. Becoming Good.
      5. Staying Healthy.
      Read it. Share it. Give me feedback. It’s free!
  41. That’s it! Thank you!
      • Email: efrancen@frsecure.com
      • @evanfrancen
      • @FRSecure #S2Roadshow
      • Blog - https://evanfrancen.com
      • Podcast (The UNSECURITY Podcast)