People often talk about a cybersecurity skills gap, but I haven't seen much evidence of it. Interest from recruiters and job boards, when compared to other IT positions, seems pretty weak. (Disclaimer - this could be a regional thing.)
I wanted to work for them because I (or someone with my skill set) was exactly what they needed. It was a CIO position, for which I have past CIO experience. Yet they also needed a CISO but had zero security staff. I have experience with that as well. I also know how to train up security staff. As far as being made the fall guy, I have ways of documenting security lapses and getting either management's buy-in or their written and signed acceptance of the risk. That way they can either choose to fund it or be liable if the risk they accepted comes back to bite them. They needed someone who knew how to run the place, while also improving their security posture. They needed an IT leader, not just an IT doer. Lots of candidates can run or manage an IT shop, but it takes a leader to truly make it efficient. That is what I do, lead. I don't go into positions worrying about being made the scapegoat. You can be sure that I will inform management of the security risks we face and give them the opportunity to remediate or accept the risk.
My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO). The new CIO knew he couldn't control me and figured I would be a problem to his tyrannical reign. Plus they could get someone who was not as strong as I was, get them cheaper, and be able to control them as they were looking to get their start in the CISO role (they had only had 1.5 years of being a CISO at a small company of 200 people). So sometimes you can do all the right things and then management changes on you and you become an outsider. Life happens. You prepare yourself and keep looking for better opportunities.
In recruiters' eyes one loses their job just because he/she is not a good worker. How far from reality... There are a number of reasons why Management might want to get rid of a Head of Security and Risk. He/she might point out bad IT practices, reveal hidden risks, forcing them to make uncomfortable choices. Also a proper CISO should challenge IT Governance, when it's not accounting for a proper mix with Information Security Governance. Real example? Structure of IT Dept Teams, Admin groups and Segregation of Duties. Ultimately this does affect how AD Groups are implemented and how the security controls will work and possibly even what relevance and usability the logs will have in case of a Security Incident. Basically a bad IT Governance can hinder (or completely impede) the CISO job.
Sometimes the CIO might not even want to try to understand those issues, as they are not HIS (her) top list issues. Plus fixing those would require structural changes in the IT Dept. (e.g. org. changes, team compositions) which the CIO might not be interested in. Following ITIL guidance means delegating power: not many CIOs are able/interested to go that way. Much easier to replace an 'intrusive' CISO with a less experienced and more malleable one. That is a peek at the many reasons why the Information Security function should NEVER report into the IT structure. Reporting to the CEO is where it belongs, regardless of the sector in which the organisation operates.
@CISOScott wrote: That is what I do, lead. I don't go into positions worrying about being made the scapegoat. You can be sure that I will inform management of the security risks we face and give them the opportunity to remediate or accept the risk.
And I don't think we should have to either and it's a shame that's what some Organizations do. In my opinion, they have glaring cultural issues around Cybersecurity and probably in other business functions as well.
My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO).
That's an odd move as well, unless they felt like they needed to contract for business reasons. As an example, we're growing so we have to separate the C-Suite more into specialized roles if that makes sense. If I were the CIO, there would be no chance I'd advocate on having the CISO report to me. There are so many benefits to keeping that role separate from IT, it's an unfortunate predicament you're in (or were in).
@CISO-Italiano wrote: Also a proper CISO should challenge IT Governance, when it's not accounting for a proper mix with Information Security Governance. Real example? Structure of IT Dept Teams, Admin groups and Segregation of Duties. Ultimately this does affect how AD Groups are implemented and how the security controls will work and possibly even what relevance and usability the logs will have in case of a Security Incident. Basically a bad IT Governance can hinder (or completely impede) the CISO job.
I'd add one caveat, don't go into the room waving a big stick around. This is where our soft skills, I prefer essential skills, come into play here. If we're new to the role or it's a new position created, we have to learn the office politics and culture before we start making sweeping changes.
Sometimes the CIO might not even want to try to understand those issues, as they are not HIS (her) top list issues.
I second this, security is everyone's responsibility but is typically not at the top of a CIO's priority list.
@tmekelburg1 wrote:
My current role has me taking less of a leadership role and more of a managerial role so I missed the opportunity to lead and make a difference. That is what really drew me to the position. I know some may say, well if you are so good why did you lose your previous position? Simple answer. Management changed and went from being receptive/supportive of my ideas to trying to control me. They changed out the CIO and 2nd in command due to retirements. They moved the CISO position from being a direct line to the second in the agency to under the CIO's control (which by the way I have more CIO experience than the person selected to replace the retiring CIO).
That's an odd move as well, unless they felt like they needed to contract for business reasons. As an example, we're growing so we have to separate the C-Suite more into specialized roles if that makes sense. If I were the CIO, there would be no chance I'd advocate on having the CISO report to me. There are so many benefits to keeping that role separate from IT, it's an unfortunate predicament you're in (or were in).
The new CIO's management style was tyrannical. He has to be in control and uses fear to keep his people "in line". My style is collaboration and working together for the best needs of the agency. He knew that I wouldn't just take orders from him without questioning him. He could not afford to have a strong leader under him, nor could he have a strong leader as a peer. So he convinced the new agency director to move the position back under him and reopen it to bring it back in-house (I was a contracted CISO). The saddest part of it all is that he didn't even understand the organizational culture that was present in his organization. The organizational culture was one of fear. So tyrannical leaders do not perform well in cultures of fear. He doesn't realize that and probably will never recognize his own faults. Did I mention that they were several years behind on patches because IT was scared of getting a blue screen of death from patches?
@tmekelburg1 wrote: I second this, security is everyone's responsibility but is typically not at the top of a CIO's priority list.
Completely agree 🙂 That's why Information Security should NEVER be put under a CIO 🙂
A couple of possibilities depending on the situation.
1. Basically, like others hinted at, it's a failure of company leadership and management. Areas to include: lack of budget, misaligned structure (staff function/roles), lack of internal training, lack of succession planning, reduced staff, outdated/insufficient technologies.
2. Interest in multinational companies (recruitment/staffing) who make their profits off hiring foreign nationals as a cheap labor force. When that labor force obtains citizenship then they are competing against the same labor force they were a part of.
3. Education is expensive, not every student wants to work in IT, education programs are not structured for IT (it's more like a computer club). Of course there are some good schools, just limited for all.
4. Experience. You can't get experience from education. Little exposure, but most experience comes from different job roles and access to different technologies.