By Dave Fairburn
Senior Security Advisers
There is an enormous cyber security skills gap, according to the Information Systems Audit and Control Association (ISACA). In the rush to attract and hire qualified candidates, companies are accepting security certifications as a testament to the value these candidates can provide.
As if that weren’t scary enough, the people recruiting and hiring for these positions are too often unable to identify the true talent that they need or to match that need to the candidate pool. The result is a false sense of security at the C-Suite level: the belief that they have successfully addressed their immediate security needs.
The talent is out there. It is not necessarily inexpensive to acquire, but it is out there. Knowing how to determine and discover the right type of talent for your company is the hardest aspect of the process. So many companies require a CISO to guide cyber security programs throughout the entire company. However, they mistakenly hire a strong and technically savvy cyber engineer to act in this regard. These experts are often needed; just not at the C-Suite level. The result is often a technological approach to cyber which involves massive device and application purchases and implementations that, while effective at performing dedicated functions, fail to truly capture and present the real security posture.
The consequences can be devastating. One simply has to look at the recent publicized attacks at Yahoo, LinkedIn, Target, PayPal, and many others (we won’t even mention the issues with government agencies) to see the effect of having a strong technological solution in place without the requisite oversight, management, vision, or understanding of how an experienced cyber security program should operate.
Technology is vitally important to every CISO, much like a hammer is important to a craftsman. However, neither tool is as valuable as understanding, involvement, planning, and execution. These skills are learned, practiced, and honed only through experience. When leveraged properly, they will deliver the desired effect.
A good craftsman knows when the hammer should stay in the toolbox. A good CISO knows when technology is not the answer.