When I reported to basic combat training April 22, 2002 the screaming drill sergeants made one thing clear, we were all the scum of the earth! Anything that identified us as individuals was taken from us. The only items that remained on our Battle Dress Uniforms were last name and U.S. Army. Over the days and weeks to come the skills they taught us served a common purpose, we had to be able to kill and wage war. This is where I first became acquainted with the phrase "everyone is an infantrymen".
The core business process of the Army is to kill and wage war. Drill Sergeant was charged with creating Soldiers that were killers regardless of their Military Occupational Specialty (MOS). While most of us would not go on to serve in the infantry we had to know that basics that would keep us alive on the battlefield.
Today, businesses are faced with many challenges and leaders are tasked with identifying and solving these problems. One of the most formidable challenges for any business regardless of size is cyber security. In 2015, ISC2 estimated a global cyber security workforce shortage of 1.5 million over fiver years. Steve Morgan estimates 209,000 security jobs are unfilled while postings have increased 74 percent over the last five years.
Dice estimates the top five IT security salaries range from $178,000 to $225,000. This creates an even larger problem for small businesses. It is estimated that one security professional receives multiple job offers and each prospective employer increases compensation 30 percent. This confluence of events creates a perfect storm that seems insurmountable.
If you want to be part of the solution consider these four points.
1. Everyone is an infantryman
Not every business or organization is designed to wage war. However, they do employee personnel who are well acquainted with the organization's core business processes. One of these core processes must be security awareness! All employees (regardless of organizational size) must understand they are the first line of defense. SANS Securing the Human offers some excellent free resources and insight that will help any organization who is willing to try.
2. The GAP will only continue to grow
Degrees and certifications don't necessarily decrease the gap. They only validate what someone has learned in a closed environment. What about the experience earned from working in the field or within a particular business. Employees are vital resources because they represent institutional knowledge and experience that new hires lack. Retraining employees within various functional areas retains institutional insight and results in a more tailored security approach.
3. SMBs cannot compete within the current model
We are only as secure as our weakest link (Target Breach). If mom and pop cannot improve their security posture we all suffer. Hiring a dedicated (or even contracted) security staff is only a reality for the largest businesses. While retraining and increasing awareness is a solution that works for everyone.
4. Emotions
Yes, I said emotions. Emotions activate thoughts which influence behavior. Implementing a successful security strategy means we have to impact our employees at the emotional level. They need to understand their ability (or lack of) to secure the business directly affects success, which affects their employment, which in turns affects their ability to provide for their families and keep them safe. No, I am suggesting we intimidate or scare our employees. I am saying that they must understand we are fighting a battle and it is win or loose.
The bottom line
We can continue treading water or we can choose to try new ideas. Sitting around complaining and begging for money won't solve our problem.
Will you be part of the problem or the solution?
Originally Posted on CSO US: http://www.csoonline.com/article/3203505/data-breach/cybersecurity-has-a-huge-skills-gap-will-you-be-part-of-the-problem-or-the-solution.html