My friends: are we really going to claim the Equifax CISO is to blame because she’s a woman or because she has a degree in music? Let’s have a closer look.
I see the Equifax breach as being caused by unfilled cybersecurity jobs. When I looked on September 15th, 2017, Equifax had 17 cybersecurity jobs listed as open on its website. Of course this breach happened; how can a security team possibly stay on top of the basics with that many open positions? Even one unfilled cyber role materially increases organizational risk. Equifax's breach is easy for me to understand because I have the data that shows how long cybersecurity jobs stay open. On average, cybersecurity jobs are open six months before organizations engage a staffing firm. The cybersecurity profession is short over a million people, and organizations still think their internal recruiting teams can fill cyber roles? I just finished a research study with Chenxi Wang, former VP at Forrester Research, to bring cyber job data to our community. CyberSN is the largest US staffing firm specializing in cybersecurity, and I am seeing a serious epidemic that organizations are not addressing. Staffing cybersecurity positions is unlike staffing any other role, and HR departments are not equipped to fill them. For example, here is a preview of our research project, which will be published soon.
Equifax's breach was caused by a known, critical vulnerability that went unpatched for months. Addressing critical vulnerabilities is basic security hygiene. It takes people to do the work, and if the people aren't there, the basic hygiene work doesn't get done! There is no doubt in my mind that severely under-budgeted staffing practices played a major role in the failure to prevent and detect this breach.
Millions of people's identities are now at risk. The words "staffing negligence" come to mind. I am tired of watching organizations that hold sensitive information, and organizations whose systems can affect human safety, wait months to engage staffing firms to fill their open security roles. This is irresponsible.
There is no greater risk for a cybersecurity leader, the organization they work for, and the customers they serve than a staffing plan without a recruiting budget for agencies. If a cybersecurity department leader doesn't have access to a budget to pay a staffing firm from day one, expect major risk for the organization. HR departments are not equipped to fill cybersecurity jobs quickly.
There is no doubt in my mind this CISO was negligent, and there is no doubt that the CFO, HR leader and CEO were also negligent. They are all responsible for creating this poor staffing plan. Let this be a lesson to all CISOs and to those who aspire to be a CISO: do not stay in an organization that handcuffs your ability to quickly staff and retain cybersecurity talent. Organizations must treat cybersecurity talent acquisition the same way they treat sales talent acquisition in order to fill their positions quickly. Because CyberSN also staffs security sales roles, I can tell you first hand that if everyone applied the same staffing budgets they apply to sales to cyber professionals, jobs would be filled quickly. Cybersecurity roles must be filled immediately, or organizational risk is significantly greater. Let's live, learn and make change together.
Much love cyber friends, we need it!