Global CISO Forum 2017: Help Wanted: Hiring and Retaining Information Security Talent


Transcript of Global CISO Forum 2017: Help Wanted: Hiring and Retaining Information Security Talent

Page 1: Global CISO Forum 2017: Help Wanted: Hiring and Retaining Information Security Talent

Help Wanted: Hiring and Retaining Information Security Talent

Page 2

Talent Shortage in Information Security?

Page 3

Who Am I?

Brian Phillips

• VP, IT Security and Information Security for Macy’s, Inc

• CISO and CIO of FDS Bank

• 20+ Years of Experience

• C|CISO, CISSP, CISM, CRISC, CCA, SCSA, OCA, CCNA, CCNP, RCSA, MCP…ABCDEFG

• Twitter: @BrianRPhillips

• Short Version – I’m a Security Guy in Retail

• Like most of you, I hire people and build teams

Page 4

Obligatory Legal Disclaimer

Disclaimer: The views and opinions expressed within this presentation are my own, and therefore often unpopular. They do not reflect the views, opinions, or disposition of my employer.

Just know, that if anything goes wrong:

Legal Defense = Blame Russia

10/10/2017 ciso.eccouncil.org @BrianRPhillips

Page 5

Talent Shortage in Information Security?

• Is there really a Talent Shortage?

• If so, is it as bad as Advertised?

According to a prediction from ISACA:

“There will be a global shortage of 2 Million Cyber Security Professionals by 2019.”

Every year in the U.S. 40,000 InfoSec jobs go unfilled, and companies are struggling to fill another 200,000 cybersecurity-related roles. - from CyberSeek

For every 10 cyber security job ads that appear on the career site Indeed, only seven people even click on the ad – let alone apply (they wouldn’t share that info).

Page 8

Isn’t Security Cool Yet?

Page 9

The Math Doesn’t Add Up

[Diagram labels: Strong Security Leadership, Appealing Field, Unfilled Jobs]

Page 10

Our Jobs Are Not Exactly Easy

Page 11

How Do We Fix This?

Three Categories:

• Few Observations

• My Own Experience

• Recommendations – Not a Definitive Solution

Page 12

Recommendations

1) Stop Hunting Unicorns

Page 13

Unicorn = Extremely Rare, If Not Fictional, Candidate

Examples

1) SOC Analyst – Req: 8-10 Years Experience, GCIH, GCFW, and GCIA [SANS Incident Handling, Firewall, and Intrusion Certs]

2) Junior Security Analyst – Req: 5 Years Experience, GPEN [Pen Testing], C++/Java/.Net [Programming], and min. 3 years using EnCase [Forensics]

3) Junior Security Admin – Req: Entry Level, CISSP [Not Associate – yes, required]

Page 14

More Examples

1) Junior Position – 3 Years of Experience in Security Incident Response

2) Programming Knowledge in C++, Python, .NET, and Ruby

3) Have Implemented and Maintained ML and AI Frameworks – Algorithm Creation

Page 16

Candidates vs Job Requirements

The U.S. is 4th overall in the number of InfoSec job postings. In 2014 candidates met 60% of the job requirements, increased to 67% in 2016. - Indeed.com

Israel by far has the most InfoSec Job Postings. Yet in 2014 candidates only met 24% of the job requirements, increased only to 28% in 2016. - Indeed.com

Page 19

Recommendations

• Focus on One Role When Posting a Position

• Look to Other Internal Areas of the Business/IT

• Seek Out Passion

Page 20

Passion

Passion Can Take Many Forms:

• Home Labs – Practicing Off-hours

• Actively Learning (or Teaching) a New Skill

• Up-to-date on Recent Security News

• Leading a Community Effort or Group

• Passionate about their Hobby (Not Security Related)

Page 23

Sourcing

• College Students

• Seek out internal candidates from other parts of the business

• Look in non-InfoSec Disciplines

Page 26

Training

CISO: Our Security Team needs training.

CIO: What happens if we invest in developing our people, and then they leave us?

CISO: What happens if we don’t, and they stay?

Page 27

Training

External Training:

• SANS.org

• CYBRARY.it

• Vendor/Product

Page 28

Training Correctly is Hard

New Skills: Repeated Exposure for Adult Skill Retention

Methods:

• Training Classes

• Knowledge Sharing/Shadowing

• Teaching Others

• Internal Lab Environments

Page 29

Lab / Cyber Range

• Internal Lab Exercises (Team Members Teach each Other)

• Hackathons

• Hacker Trivia

• Lunch and Learn Style Sessions

• Capture The Flag Competitions

• Career Path Illumination

• Purple Team Exercises

Page 30

Purple Team Example

• Red Team (Attackers) targets a test web server (Recon/Web Shells)

• Blue Team (Defenders) monitors for detection/alerting

• Blue Team actively defends where applicable

• Assume Red Team succeeds and allow them to go further into the network – rinse, repeat

“Red and Blue teams ideally work in perfect harmony with each other, as two hands that form the ability to clap.” - Daniel Miessler

Page 32

Conclusion

• Focus Job Postings on a Specific Role/Need

• Build your Talent Pipeline via Universities/Interns/Internal Candidates

• Be Creative in How you Train your Teams