Use the human-centered approach for smarter security and compliance teams

Published 05 - March - 2020
Source: CEP Magazine

By Steve Durbin, Managing Director of the Information Security Forum.

As the cyberthreat landscape grows more varied, more sophisticated, and more strategically motivated, the demands on information security and compliance teams shift and swell relentlessly. With limited personnel to manage the rising risk, the difficulty of attracting, recruiting, and retaining an appropriately skilled workforce has become a risk in and of itself.

Shortages in skills and capabilities are being exposed as major security incidents damage organizational performance and reputation. Building tomorrow’s security and compliance workforce is essential to address this challenge and deliver robust, long-term security for organizations in the digital age. Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid, traditional approach to identifying candidates, coupled with overstressed and understaffed work environments, clearly calls for new tactics and fresh ideas.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g., security software platforms, patching and configuration practices, analytics, and machine learning) become more complex.

Today’s security and compliance workforce, typically defined as the personnel responsible for an organization’s information security and compliance activities, has evolved rapidly since its inception. Over the course of its evolution, the lack of a consensus definition of the information security and compliance functions has allowed numerous, disparate components to form an organization’s workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.