I recently attended a meeting of likeminded Chief Information Security Officers who were discussing the challenges of their role. Conversation bounced between the need for better reporting metrics to the lack of value in threat intelligence, but one topic seemed to come up continuously – the difficulty in finding qualified security talent. This makes sense, given that a recent report by Forbes described a shortage of over one million cybersecurity experts in the United States. In Atlanta alone there are 115 cybersecurity companies, all fighting for the same talent, and that does not include the more traditional companies requiring talent for their security departments. This shortage seems to be getting worse as demands on the average information security officer increase daily. What options exist to mitigate this never-ending problem?
Good security candidates today have expectations about positions and have the leverage to demand that their expectations be met. The right compensation is only the basic ante for access to the talent. For this reason, this post is focused on non-compensation related strategies. Frankly, without the right compensation and benefits packages, none of the below matters.
Our experience is that modern candidates expect:
- Personalized technology (e.g. the endpoint of their choice or the latest IDE)
- The use of latest methodologies (e.g. Agile Software Development)
- Influence over the technology roadmap, regardless of rank
- Flexibility to innovate when required (e.g. new approaches are encouraged)
- The ability to work in collaborative, technically-challenging environments
Many companies that I meet with are working hard to create personnel pipelines but pay no attention to the internal environment that is attractive to top-end talent. Not every company can be like Google or Facebook, but without the right environment they shouldn’t be surprised when it is hard to find talent. Companies might consider including a technology package in the offer letter or job description to entice candidates.
Companies should also not overlook the small benefits when recruiting. For many candidates I have recently interviewed, all things being equal, access to standing desks, MacBook Pros, and free coffee have been important differentiators between positions. All too often, I speak with CISOs who believe that the honor alone of working for their company should be enough. Short of being one of the big names (e.g. Uber, Facebook, Google, Twitter, Netflix, etc), honor alone is tough to sell. Not to mention, creating the right culture is of paramount importance to those big names.
Where can talent be found?
In my experience, companies are leveraging three general techniques to fill their pipelines: universities, industry technical groups, and internal skill transition.
Local universities present a great option for finding new talent. Many universities will carefully modify their curriculum to meet local company needs and are hungry for outside ideas and funding for capstone projects. While creating these university pipelines at multiple universities leads to more hires, it is a long bet for primarily junior talent. Furthermore, simply financially supporting these programs is not enough. It requires a time commitment from leadership within the company and active involvement in the program from career fairs, co-operative programs, internships, capstone projects, and active partnership with student organizations. The primary advantage of university-trained talent is access to classically trained engineers and scientists.
I often ask CISOs if a college degree is an important attribute for their company when looking for new employees. Almost universally, unequivocally, I hear no. For many of them, a requirement for a college degree eliminates too many technically qualified candidates. While there is certainly a role for university-trained talent, many positions simply don’t require the classic computer science or engineering background. It is hard to compare an engineer with five years of Red Hat experience to a newly graduated candidate who understands the Linux scheduler but has never managed Linux in a production environment. Local technology meetups and industry groups such as ISACA and ISSA are great places to identify hard-to-find talent. If an engineer is invested in their field enough to join an industry group, there is a good chance they are good at their profession. At Kudelski Security, we actively participate in OpenStack related meet-ups to stay abreast of local, qualified talent.
Short of finding qualified talent, many CISOs are looking to transition IT talent. As one CISO told me, “if you can’t find them, make them.” This approach requires the development of information security programs and technologies that do not require years of security experience. For example, I recently met with a company re-purposing Perl developers to build security automation systems – they partnered each development team with a security architect to mitigate any experience gaps. Another approach is to build a farm system of security talent or a minor league team. Through internships and other temporary positions, companies may be able to train talent internally. The challenge with this approach is that you are paying for talent that is not contributing in the short term.
It is worth noting that employees who like their jobs are more likely to stay and will also try to attract top-level talent to join them. The security community is not that large, and both good and bad information on employers travels quickly. Six degrees of Kevin Bacon is alive and well within the community – even if the candidate doesn’t know someone who worked at a company, they likely know someone, who knows someone, who did.
Overall, finding qualified talent is difficult and outside-the-box thinking is often required. I have seen more progressive companies take serious outside-the-box approaches to finding and re-training existing talent. While somewhat self-serving as a Managed Security Service Provider (MSSP), it is important to note that careful outsourcing of capabilities can help reduce the impact of this problem. Outsourcing tasks that a company cannot possibly hope to staff lets it focus on hiring the qualified talent it can find. My experience is that CISOs who first focus on building an environment that is attractive to top talent do not struggle as much with talent shortfalls. Correlation or causation?
In the spirit of bringing fresh perspectives to cybersecurity leadership, Kudelski Security has been reconsidering the way CISOs approach cybersecurity program management. The Investment Portfolio approach builds on the fundamentals of financial management, enabling CISOs to optimize their security programs by managing them along the lines of a financial investment portfolio.
This approach not only provides a strong structure to the organization of a cyber program, it also enables CISOs to answer the age-old question of how to generate buy-in from C-suite colleagues and boards of directors. It helps create a culture of shared cyber risk ownership across the organization, and challenges the antiquated notion that cybersecurity is principally a technical problem or an exercise in compliance.
A cursory comparison between what high-net-worth portfolio managers and CISOs do reveals a high degree of commonality in many broad thematic areas. Underlying concepts include:
- High-trust businesses
- A focus on risk management and maximizing investments
- Progress unnoticed until poor performance happens
- A need to manage complexity in hyper-dynamic environments, while looking to predict stock market movement/emerging threats
- The continuous evaluation of portfolios
- The use of models and analysis for decision making
- Continuous communication of performance to stakeholders
Unpacking each of these concepts is the starting point for CISOs interested in adopting a portfolio management mindset that can help focus cyber investments on the highest-impact/greatest risk-reduction priority areas.
The similarities center not only on the broader thematic areas and underlying concepts listed above, but relate also to the operating models, frameworks and analysis techniques that both professions use to manage business risk.
There are several models that need unpacking. Below we summarize one of them – Research Analysis: Stocks & Components.
Research Analysis: Stocks & Components
To create a strategic security organization, CISOs need to learn and evaluate their business like a CEO. High net worth portfolio managers perform detailed analysis on stocks within their investment portfolios, yet at the same time learn those businesses in order to understand the growth, opportunities, threats and risks associated with those same companies at a macro level.
Continuous evaluation of the business and the cyber program components is a challenging, though important, part of the CISO’s role. When done effectively, with KPIs and appropriate metrics, it can enable CISOs to consistently make smart, risk-aligned decisions and to communicate persuasively with senior leadership and the board.
High Net Worth Portfolio Managers consistently evaluate a key set of attributes of stocks within their managed portfolio and new stocks.
Corporate Security Leaders consistently evaluate a key set of attributes for each aspect of their cyber security program.
A mindset shift towards looking at your cyber program as a set of comprehensive capabilities will enable you to evaluate the maturity, threat, risk and investments of your cyber program. This investment portfolio approach can help CISOs better communicate decisions and build confidence in the eyes of the executive management team and board members.
Our first CISO Fresh Thinking webinar, “An Investment Portfolio Approach to Cyber Program Management,” explores this and other key issues in greater depth.
You can download the webinar now to hear Mark Butler, CISO at Fiserv, have a conversation with Kudelski Security’s Mark Carney, Vice President of Global Consulting Services and learn how this particular shift in mindset can help you fulfill your mandate better.
Kudelski Security chief technology officer Andrew Howard was recently featured in CSO, a security and risk management news website.
Speaking with CSO’s David Greer, Howard delved into the proper response to device and software backdoors inserted or left by vendors.
Backdoors are a major concern when the vendors who create them purposely leave them in their products. There are a number of solutions to these concerns, as Howard explains in the article.
“When an enterprise does discover a product in their production environment that has a backdoor, they should take it offline where possible until they or the vendor resolve the vulnerability or they should isolate the hardware to contain the risk while deploying additional monitoring and controls around it,” Howard said in the article.
Isolate the device (or software), according to Howard, in its network segment with no access or very little access to the corporate network to reduce any associated risks. “While it may be possible to compromise the device, this mitigation strategy makes it more difficult for an attacker to move throughout the enterprise network,” he continued.
“To deal with the potential for backdoors in IoT, an enterprise must first assign a stakeholder who is responsible for these devices. Then when the enterprise discovers a backdoor, they can ensure that the business and security owners remediate it together. These risk mitigations often require trade-offs such as downtime and a potential loss of capabilities, which requires buy-in from both the business and security stakeholders,” according to Howard.
To read the whole article, click here to go to CSO Online.
Story credit: David Greer, CSO
Do you have full visibility on your endpoints? Are all your endpoints securely configured and managed, even when off the corporate network? Can you contain and analyze an endpoint attack, regardless of where the endpoint is?
As the number of remote workers increases, enterprise networks become more interconnected and visibility on the network shrinks, the end user and their endpoints have become the growing focus of advanced attacks.
Every CISO has experienced the unique challenges of endpoint security – of selecting technologies that best match business needs and deliver effective defense. In order to adopt an integrated, holistic and workable endpoint management strategy, CISOs – particularly of larger enterprises and public sector organizations – must reexamine policies and technology choices against an ever-changing and sophisticated threat landscape.
In this first paper of our Reference Architecture series, we consider endpoint security and the relevant protection technologies from some of the industry’s leading vendors. We use the widely recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to identify these activities, and categorize them by their respective components from Secure Blueprint, our strategic approach to cybersecurity program management. We base our analysis of the solutions on our real-world experience in deploying, integrating and managing these technologies.
Our aim is to help you make smart technology decisions in an ever-crowded and noisy endpoint security market.
To better understand your endpoint risk posture and identify gaps that may exist with your current endpoint protection technologies, click here to read our Endpoint Reference Architecture.
The CISO’s role today might be one of the most difficult at the enterprise management level. What was once a primarily technical position has evolved into one that not only requires in-depth technical knowledge but also skills in leadership, business strategy, risk management and communication.
CISOs must be able to respond simultaneously to constantly evolving threats and business objectives in the form of a strategic cybersecurity program. They must be able to effectively communicate this program in two distinct ways. At the board and executive level, they must distill the value of the program into ROI and risk metrics with an eye to the impact on the business. Then they must relay the technical directives to the operational staff they manage.
Compounding the pressure, those CISOs who do rise to the occasion find themselves walking a tight line between business and security. They face what seems like an incompatible set of parameters – run lean, reduce risk and increase security maturity. And they have to deliver. One false step, one negative headline, and it’s often their head on the chopping block.
If I put together a job description like the one described above, it wouldn’t surprise me to find out that we were having trouble filling the position. And yet, the role is more critical and needed than ever. Attacks are increasing in sophistication and becoming more targeted and diverse in terms of the actors, their objectives and the attack vectors they use.
Amidst this dubious environment, “never tell me the odds” could begin to sound like a mantra of survival. But unlike the captain of the Millennium Falcon, CISOs can’t just ignore the odds. They have to find strategies to manage them. And the best way to do this is by acquiring information to complement their own experiences.
That’s where this blog comes in. We want to have a conversation with you about what matters most for the modern CISO. Our teams of security experts come with years of rich experience in a variety of industries and roles. They’re here to support you in finding the right information to fulfill your mandates across Kudelski Security’s key business pillars – advisory, technology, and managed security services – as well as any custom solution you’re looking for.
We don’t pretend to have all the answers, but we do believe that working together, we can create strategies that help you align with the business, communicate at all levels, understand the latest advanced attacks, allocate staff and resources, and ultimately, win the battle against cybercrime.
This is a summary of the talk “Quantum Computers vs. Computers Security”, given at the DEF CON 23 Hacking Conference in Las Vegas in August 2015 by Kudelski Security Principal Cryptographer, Jean-Philippe Aumasson.
Increasing numbers of cybersecurity experts and stakeholders are watching developments closely in the field of quantum computing. A quantum computer is a model of a computer that works completely differently from a classical one. It’s based on phenomena of quantum mechanics that facilitate the resolution of certain problems that classical computers cannot solve, e.g. breaking the crypto used for e-commerce transactions. How does a quantum computer work? Although it leverages complex quantum mechanical phenomena, the core concepts are pretty simple:
- Whereas a classical computer works on bits that are either 0 or 1, a quantum computer works on qubits, which can be 0 and 1 simultaneously. In quantum physics, this is called superposition.
- Superposition is characterized by some probabilities, but not the usual ones: a quantum computer relies on negative probabilities, which are called amplitudes.
- The actual computation is not performed with usual computer operations such as addition or bitwise logic, but uses basic linear algebra transformations, similar to operations between vectors and matrices like in high school physics.
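To make the three bullets concrete, here is an added example that is not part of the talk or the original post: a tiny state-vector simulator written in pure Python, in which a qubit is a pair of amplitudes, gates are 2x2 matrices applied by ordinary linear algebra, and measurement probabilities are the squared magnitudes of the amplitudes. The gate names (H, X, Z, CNOT) are the standard ones; the helper functions and the scenarios are constructed for this illustration. The "interference" function is the point of the "negative probabilities" bullet: applying the Hadamard gate twice returns the qubit to 0 because a positive and a negative amplitude cancel, something ordinary probabilities can never do.

```python
import math
from typing import List, Sequence

# Added example (not from the talk): a minimal state-vector simulator.
# A state for n qubits is a list of 2**n complex amplitudes; the bits of a
# list index give the values of the qubits (bit k = qubit k).
Amp = complex
State = List[Amp]

INV_SQRT2 = 1 / math.sqrt(2)
# Single-qubit gates as 2x2 matrices (row-major). Note the -1 entries:
# amplitudes, unlike probabilities, can be negative.
H = ((INV_SQRT2, INV_SQRT2), (INV_SQRT2, -INV_SQRT2))  # Hadamard: makes a superposition
X = ((0, 1), (1, 0))                                    # bit flip (classical NOT)
Z = ((1, 0), (0, -1))                                   # phase flip: negates the |1> amplitude


def zero_state(n_qubits: int) -> State:
    """All qubits set to 0: amplitude 1 on basis index 0, 0 everywhere else."""
    state = [0j] * (2 ** n_qubits)
    state[0] = 1 + 0j
    return state


def apply_single(state: State, gate: Sequence[Sequence[complex]], target: int) -> State:
    """Apply a 2x2 gate to qubit `target`. For every pair of basis indices that
    differ only in that qubit's bit, the new amplitudes are the matrix-vector
    product of the gate with the old pair (plain linear algebra)."""
    mask = 1 << target
    new = list(state)
    for i in range(len(state)):
        if i & mask:
            continue                      # each (i, i|mask) pair is handled once
        j = i | mask
        a0, a1 = state[i], state[j]
        new[i] = gate[0][0] * a0 + gate[0][1] * a1
        new[j] = gate[1][0] * a0 + gate[1][1] * a1
    return new


def apply_cnot(state: State, control: int, target: int) -> State:
    """Flip `target` wherever `control` is 1, i.e. swap the two amplitudes."""
    cmask, tmask = 1 << control, 1 << target
    new = list(state)
    for i in range(len(state)):
        if (i & cmask) and not (i & tmask):
            j = i | tmask
            new[i], new[j] = state[j], state[i]
    return new


def probabilities(state: State) -> List[float]:
    """Born rule: the chance of measuring basis index k is |amplitude_k|**2."""
    return [abs(a) ** 2 for a in state]


def superposition_probs() -> List[float]:
    """H on a 0 qubit gives amplitudes (1/sqrt2, 1/sqrt2): 50% 0, 50% 1."""
    return probabilities(apply_single(zero_state(1), H, 0))


def interference_amplitudes() -> State:
    """H twice on a 0 qubit gives the 0 qubit back. The |1> amplitude is
    (1/sqrt2)(1/sqrt2) + (1/sqrt2)(-1/sqrt2) = 0: a negative term cancels a
    positive one. Probabilities (always >= 0) could never cancel like this."""
    s = apply_single(zero_state(1), H, 0)
    return apply_single(s, H, 0)


def phase_flip_probs() -> List[float]:
    """H, Z, H on a 0 qubit ends at 1 with certainty. Measuring right after Z
    would show nothing (still 50/50); the sign change only matters once the
    second H makes the amplitudes interfere."""
    s = apply_single(zero_state(1), H, 0)
    s = apply_single(s, Z, 0)
    return probabilities(apply_single(s, H, 0))


def bell_probs() -> List[float]:
    """H on qubit 0, then CNOT(0 -> 1): only 00 and 11 remain, each with 1/2."""
    s = apply_single(zero_state(2), H, 0)
    s = apply_cnot(s, 0, 1)
    return probabilities(s)


if __name__ == "__main__":
    print("H|0> probabilities:      ", superposition_probs())
    print("HH|0> amplitudes:        ", interference_amplitudes())
    print("HZH|0> probabilities:    ", phase_flip_probs())
    print("Bell state probabilities:", bell_probs())
```

Each basis state costs one complex number, so the state vector doubles with every qubit added; a classical simulation of this kind is exactly what stops scaling, which is why a physical quantum computer is needed for the problem sizes that threaten RSA.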
The good (or bad) news is that quantum computers don’t exist yet. Building a quantum computer is a gigantic and fascinating engineering challenge, and we don’t know for sure if it’s even doable. There’s been some progress over the last decade, and some large companies are investing in quantum computing research – but don’t expect a useful quantum computer within the next decade!
Cryptographers obviously pay special attention to quantum computing research. A large enough quantum computer could totally break the RSA and Diffie-Hellman cryptographic algorithms, and more generally, all cryptography based on the mathematical problems of factoring integers (such as RSA) and of solving discrete logarithms (such as Diffie-Hellman and elliptic curve cryptography). In short, if a quantum computer is created today, we’re doomed! But there’s hope: the field of post-quantum cryptography is about creating cryptographic systems that can resist quantum computers. These experimental systems are based on different mathematical problems that are expected to be hard for both classical and quantum computers to solve. One such family of hard problems is that of NP-complete problems, which occur in many contexts. For example, the problem of finding the optimal scheduling of a group of events is NP-complete. And quantum computers cannot solve NP-complete problems.
Quantum physics has more potential applications to cybersecurity than just breaking crypto:
- Quantum key distribution establishes a secure link between two systems, leveraging quantum physics laws to prevent eavesdropping. Such systems are practical and are being deployed, though their actual added value in terms of security is sometimes disputed.
- Quantum money uses the physical “no-cloning” principle to prevent counterfeiting. Quantum money is only a theoretical idea, and seems difficult to put in practice.
- Quantum machine learning is an emerging field that attempts to leverage quantum computers to improve the efficiency of machine learning algorithms.