It looks like Ray Umerley had a good time at the RSA Conference. Besides seeing pics on the Tweeter of him at the Ju Jitsu gathering, he took some time to document his thoughts about what he saw at the show (RSA Conference 2013: My Takeways). Ray covers security intelligence, and how as you collect more security data, it becomes more important that it be used within a security/risk management program.
He points out that we need more quality people in the information security field.
I’m going to go out on two limbs here: we need quality people regardless of certification, those with the aptitude, passion, and intellect to excel across multiple security disciplines but also more security people who can apply the business and soft skills to develop into effective leaders. I really feel our resource gap is in the latter more than the former. I question the effectiveness of many of the traditional CISO/CSO and whether we as a profession have evolved to meet the needs and expectations of our organizations.
Can I hear an amen? That’s exactly right. We don’t need more bodies. Okay, maybe a few more bodies. But what we really need are quality folks. Inquisitive souls who love learning, but who also have the temperament to handle a job with murky success criteria (at best). Then Ray moves on to flesh out the leadership gap, as well.
The security industry is oftentimes very insular, difficult to break into some of the cliques, and we have a frustrating habit of eating our young. What we need to do is continue to nurture and foster a pipeline of security neophytes and intermediates and help them develop into multi-disciplinary security professionals.
We as an industry need to continue sharing what we know and paying it forward. Obviously we can’t find enough qualified folks to meet the need, so we need to train them. If you are staff constrained and you don’t have a plan (aside from sending n00bs to a week-long SANS course) to develop your folks in a very structured fashion, you’re doing it wrong.