Commentary
9/16/2014

The Security Skills Shortage No One Talks About

Lack of soft skills in information security is an even bigger problem than the shortage of technical expertise.

Seventy-five percent of chief information security officers (CISOs) say that someone on their team is asked to speak in front of the board of directors or CEO at least once a year, a CEB survey finds.

Sixty-seven percent of information security professionals across all roles say they interact with a business partner outside security at least daily, a similar survey finds.

What these findings show is that information security's rise in prominence within companies is amplifying the need for soft skills alongside technical security depth. Even employees with deep technical security backgrounds must be able to explain advanced threats to a senior audience and drive investments in security.

"Anyone can do security -- just unplug the computer," the CISO at a Fortune 500 food services company put it during our research. "The real question is, 'Can we develop people who can communicate with, engage, and understand the business?'"

CEB interviewed CISOs across the globe about their most pressing concerns, and this soft skills shortage came up repeatedly.

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.

The global shortage of technical skills in information security is by now well documented, but an equally concerning shortage of soft skills, or competencies, has gone largely unmentioned in the public discussion. Leaders in information security are beginning to take notice, and our research lends empirical support for increasing investments in growing the prevalence of soft skills in security.

Soft skills are a powerful predictor of performance in security
Using methodology from CEB SHL Talent Measurement, we have built a scientific behavioral assessment for IT staff that measures their proficiency at 12 competencies, including soft skills such as influence and organizational awareness. Using this assessment tool, we measured competencies of more than 350 information security professionals at more than 45 organizations.

We found soft-skill competencies to be more important to performance in security than technical expertise, but significantly less prevalent. Technical certification, higher education in information security, and past experience in IT -- even when combined -- are less predictive of a security professional's performance than proficiency in competencies such as business-results orientation, decision-making, influence, and organizational awareness. Startlingly, fewer than 40% of today's information security workforce is proficient in any of these four soft skills.

Although it may seem counterintuitive, soft skills' dominant impact on security professionals' effectiveness is consistent with an evolution in information security's mandate over the past several years.

In the past, security was most often a small, back-office function that interacted infrequently with the organization outside of IT. The security team made decisions about how to mitigate information risks in isolation, typically emphasizing the reduction of risk, regardless of its impact on business outcomes. The ability to identify threats and build effective technical controls was singularly important to a security professional's effectiveness. Soft skills were considered, at best, inessential.

Much has changed. Business unit leaders saw that the security team's risk aversion was detrimental to business goals, so they started circumventing security entirely. To avoid such end-runs, most CISOs shifted their teams to a more consultative model. Today, instead of working to reduce information risk in isolation, security professionals are expected to help business leaders understand risk, balance it against business goals, and choose appropriate courses of action themselves. Technical acumen remains table stakes for the security team, but if not coupled with an understanding of business context and ability to effectively influence others, this expertise is insufficient.

CEB's analysis of the most progressive CISOs' talent-management practices reveals a common set of tactics most effective at promoting staff development of soft competencies: 

Invest in coaching. Contrary to conventional wisdom, soft skills are not "innate" but can be taught -- especially through effective coaching. Managers in security should look for opportunities to show their employees how they can use soft-skill competencies to more effectively execute tasks.

Create opportunities for on-the-job learning. Formal training for soft skills is rarely effective. Instead, managers in security should look for opportunities to provide staff "stretch" opportunities that will compel them to think about business realities or communicate with a non-security audience.

Make it a team effort. CISOs saw some of the most dramatic changes in staff performance when they began discussing business and organizational context during team meetings. Creating a group discussion around how security's work impacts the business is a powerful way to change the security team's mindset.

Information security executives who invest in developing staff able to understand, communicate with, and influence the many components of their organizations will see their teams brought into key projects and decisions earlier, more often, and with better outcomes. It is this embedding of security into organizations' processes that will be key to protecting information in an increasingly volatile and crowded threat environment.

Jeremy Bergsman is practice manager and Emma Kinnucan is a senior research analyst at CEB.

Comments

Ashu001,
User Rank: Ninja
9/23/2014 | 12:26:04 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

True.

The CIO cannot always be trusted to make an objective decision between various conflicting needs in an organization.

Security should preferably report either to Finance/Compliance or directly to the Board of Directors.

Ashu001,
User Rank: Ninja
9/23/2014 | 12:23:05 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

I have no doubt that you will prove to be (already are) an awesome teacher, and your students will most definitely be thanking you for your hard work with them today (in the future, when they graduate and start working).

Yes, it would be better if Security reported directly to Finance (via Compliance) instead of reporting via IT.

Security, just like Governance, is very much an independent team today which shouldn't be influenced or suppressed by IT.

GonzSTL,
User Rank: Strategist
9/22/2014 | 4:08:53 PM
Re: The Security Skills Shortage No One Talks About

@ChrisMurphy Separation of duties is a fundamental principle of regulatory mandates such as SOX and GLBA. I believe that Mutual Fund Company falls under those regulations. This principle applies to IT also, especially in the realm of security. Unfortunately, I do not have statistics regarding the separation of those functions in organizations. Forward-thinking organizations are taking that strategy, but many are still in the belief that their current CIO is able to make an objective decision when faced with a tie-breaker. Whereas that may be true of their current CIO, what happens when the CIO leaves? It is bad legacy to leave behind. What is the guarantee that the replacement will be just as objective? Maintaining that status quo displays a lack of vision, and opens up security challenges in the future, if not already in the present.

ChrisMurphy,
User Rank: Author
9/22/2014 | 3:53:53 PM
Re: The Security Skills Shortage No One Talks About
I have discussed that separate reporting for security and IT functions with a few companies; specifically, a mutual fund company comes to mind, but I don't have a good sense of how common that is. Do you have a sense of whether it's the exception or the rule? I would think that as more companies see the fallout from security breaches, boards and CEOs will push for this independent security function.

GonzSTL,
User Rank: Strategist
9/22/2014 | 1:06:09 PM
Re: The Security Skills Shortage No One Talks About
@Ashu001 It is not necessary for Security to have a seat on the Executive board - some small companies do not have many on the board itself. What is really important is that the lines of reporting and accountability should be different. If there is no CSO/CISO, then have security report to some executive other than the CIO/CTO if they exist. IT and Security, although rooted on the same foundations, should eventually diverge to enforce a separation of duties and avoid the negative consequences of any conflict of interest.

On another note, I am sure that some of my students do not appreciate the amount of work they have to do, or the effort they must put into the communication criteria I like to impose, but I am not there to win a popularity contest. I simply want to prepare them for something they will surely face in their future work environments. It is gratifying to see how their work has radically changed for the better, though.

Ashu001,
User Rank: Ninja
9/22/2014 | 12:16:44 PM
Re: The Security Skills Shortage No One Talks About
GonzSTL,

Brilliant points, all of them!

I am very sure that you make a brilliant teacher at university (and your students are really, really lucky to have you on board).

Basically, what you are saying is that Security should have a seat at the executive decision-making board.

But that happens only in companies where they have a CSO or CISO.

In other firms it's usually the CIO/CTO who handles and looks at security.

When you have security meshed amongst many other priorities, security usually tends to take a back seat.

Sad but true experience.

Ashu001,
User Rank: Ninja
9/22/2014 | 12:10:52 PM
Re: Security requires a conversation among peers
Charlie,

Very true!

It's this degrading of peers which needs to be prevented (and the resultant ego clashes to boot as well).

We can all save enormous time, money and resources in the process if we just stay disciplined and organized about and around this principle.

Ashu001,
User Rank: Ninja
9/22/2014 | 12:07:45 PM
Re: The Art of How do we get to YES.
Aws0513,

Super post!

Just wanted to add something else here: it's important for organizations to add a dollar value (as close as possible) to the data they would like IT security to secure.

When you get dollar values for everything on the table, it becomes so much easier to decide when to say yes and when to say no, to whom and over which issue.

Does it make sense to spend 10,000 dollars on security products, software, processes, etc. to protect data which is maybe at best worth 100 dollars?

I don't think so.

This is very much an emerging area of IT administration and management, and the sooner IT organizations get on top of it, the better it is for everyone concerned.

Ashu001,
User Rank: Ninja
9/22/2014 | 12:00:21 PM
The Writers Deserve an award for Stating Things so clearly.
Dear Writers,

You both deserve a massive, massive thank you and award just for sharing these lines with the wider IT audience:

"I need people who understand that they are here to help the business make money and enable the business to succeed -- that's the bottom line. But it's very hard to find information security professionals who have that mindset," a CISO at a leading technology company told us.

It's something which sounds so basic and simple, but it's so, so true and so ignored today!

As a security pro myself, I get the idea that security can be a mega-complex, mega-engrossing and messy affair which requires us to be tuned into the latest trends and whatnot (which are often changing on a weekly and sometimes daily basis as well), because that's what got us into this profession (and keeps us there) today.

However, not everyone cares about or understands this about security. It's important to balance our personal passion for the job with the needs of the business, which are always paramount.

After all, if there is no business, what's the point of IT and security, for that matter?

Getting the right balance in place is mega-critical.

Charlie Babcock,
User Rank: Author
9/19/2014 | 6:40:10 PM
Security requires a conversation among peers
Knowing the business and being able to talk technology to business people are soft skills that have always been in style, if short supply on the IT staff. It's the meshing of goals that requires a conversation among peers, and too often, someone in the conversation gets degraded from peer level, by one side or the other, before an agreement can be reached.