The upcoming CSHub Mid-Year Report details the fact that budgets have mostly stayed the same or just slightly increased. There is no demonstrable change in these results compared to the past year of surveys.
In concert with essentially static budgets is the growing industry wisdom that the CISO must become more of a business executive: a workflow enabler, as opposed to a barrier of frustration in the perception of the rest of the enterprise.
On cue, expert DevOps/DevSecOps practitioners are engaging in talent flight. There are myriad reasons why talent is leaving, one directly being that 19.1% of Mid-Year Survey respondents have reduced staff as a result of the global pandemic.
One controversial thought is that that 19.1% has the potential to add themselves to the growing cyber criminal syndicate.
Parag Deodhar is the Director - Information Security, Asia Pacific for VF Corporation. VF Corporation has been in business for 120 years with 50,000 associates focused on 19 brands including The North Face, Timberland, Vans, Dickies, Eastpak, Jansport, Kipling, Kodiak and others. Prior to VF, Parag was at AXA holding various regional CISO roles. Prior to AXA, Parag was at Deutsche Bank as Head - Business Continuity & Data Protection. He’s got international experience working for global brands and he understands the human aspect of this equation.
A person must put food on the table for their family. Based on the context of a given person’s kitchen table economy, unemployment forces the unemployed person into action. Sudden unemployment with limited resources forces a person to make tough decisions.
When asked about the 19.1% unemployed DevOps/DevSecOps community, Parag notes, “when people do not have access to enough money, food or resources, there will be more actors coming up.” So a straight through line could be drawn. But Parag’s bigger point is that actually, “it's a couple of things: it’s not only were folks pushed, but also, the landscape opening up for folks as well.”
A quick note on DevOps vs. DevSecOps: Vice President and Group Director, Cybersecurity at Enterprise Strategy Group, Doug Cahill puts it thusly, “why do we have to stick security awkwardly in the middle of Dev and Ops? The reality is that security isn't involved as often as it ought to be in DevOps processes. It's an opportunity because DevOps is all about integrating and automating. We can incorporate security in DevOps, the better our security posture is, and for me, so I like the term, 'cause I think it's called action to rallying cry.”
The Mid-Year Survey reveals that as many as 2 in 5 cyber security organizations have not changed their approach to security as a result of the global pandemic.
Stop the presses. Nearly 50% of the CISO community has not changed their approach to cyber security as a result of the global pandemic that has hurled us all into a 100% remote workforce framework!
What’s top talent to do if the most dramatic societal shift any of us have ever dealt with in our respective lifetimes doesn’t change the strategy?
Jamal Hartenstein, who has worked with the Department of Defense on military bases, as a part of joint task forces, and has experience with every branch of service, notes that there was a glimmer of industry realization that organizations needed to be more proactive and better focus on detection, and that the global pandemic has accelerated that focus.
When asked about his perception, he plainly lays out that, “if you don't increase your security measures, you have exponentially just multiplied in magnitudes the risk based on all the threat and vulnerability and risk.”
Florida Crystals CISO Christine Vanderpool points to another result from the upcoming Mid-Year Report, which shows that just over 50% of SOCs are either outsourced or considering outsourcing parts. The cyber security field is growing and some of the best and brightest talent is on the front lines on behalf of third-party services and solution providers. “You have to ask yourself, as a person, who do you want to be? I get that you need to put food on the table, but there are enough good cyber security jobs out there that if you are a person who wants to continue to do good in the world, you can do that. And you can provide for your family.”
Christine, in her own inimitable fashion, further investigates the human condition: “there are some of those that just like the thrill of trying to get away with things. Well, if you think quarantine is bad, try being in prison for a few years. You're not going to like that either.”
So on the one hand, good talent has in fact been pushed out by workforce reduction. But in a growing industry, that talent can and should land on its feet as part of the cyber security force battling cyber security criminals as either in-house talent or outsourced talent.
And on the other hand, good talent has in fact been pushed out by a lack of organizational evolution. That, if systemic and continual, is potentially the bigger risk.
The silver lining, of course, is that most of the community certainly has evolved strategy, and had been changing the strategy and communication on the way into the pandemic.
University of Wisconsin-Madison CISO and CSHub Board Member Bob Turner drills into folks the importance of security within his organization. He also focuses on messaging and people management, “I prefer to help my DevOps/DevSecOps folks to be as successful as they can be, so that they're continuing to do the good work.”
And doing his best to be a business enabler, he spreads that messaging and communication across the enterprise. He shares an anecdote about a leadership team meeting where “one of the directors came and said, ‘I'm going to channel my inner Bob.’ And, what that told me was that the message has gotten through and that security is important.”
Organizations where security is important not only to the security team but to the greater enterprise wouldn’t experience talent flight and certainly not talent flight to the dark side. As Bob puts it, “I have all the confidence that the ones that we have are the best in the business.”