Posted on September 19, 2018
For security policies to be followed, they must be known and enforced wherever possible and reasonable. If your users can’t follow your policies due to business process conflicts, or you can’t enforce the rules due to a lack of technology or another shortcoming you’re unwilling to mitigate, then you’re probably better off not having them at all.
Posted on June 28, 2018
In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.
“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”
Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.
“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.
Posted on June 23, 2018
We are in a state of deep technical debt in security, and there’s no hiding it. Almost all of the threats our peers were warning management about a decade ago are now the realities we face on a daily basis. Because security wasn’t seen as essential — and because the pipeline wasn’t created in colleges and universities — we’re facing a hiring shortage today. Perhaps most importantly, since no education can prepare a student for the real world, training is our only option to fix the problem.
Only a few organizations can afford to pay the salaries required to hire the top talent in our field. The rest of us need to train people internally and help our new hires develop the skills we need them to have. Using training and promotion as an incentive to hire and retain employees seems to be a logical solution — even if it’s going to take long-term planning to make it effective.