This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
The lack of security Jedi is disturbing. With the evil forces of the Empire running rampant through all of the members of the Republic, there just aren’t enough skilled practitioners trained in using the Security Force to keep the attackers at bay.
To be clear, it’s not a resources issue. Leaders are willing to invest in training up the next generation of Security Jedi. Forget about finding and bringing on experience Security Jedi. You need to build out your own Jedi Academy, finding a sufficient number of Padawan to grow into Jedi over the next few years with proper training.
And it’s not like the job is getting easier. Adversaries are improving. Technology stacks are getting more complicated. So if anything, the level of skill required is increasing at a dramatic pace.
But here’s the thing: Security Jedi are not built in a day. There is no academy where you can send them and they’ll emerge a fully-functioning security person. Sure, lots of organizations will portray their programs as focusing on getting security n00bs up and running quickly. But that’s crap. Security Jedi are built through experience. Not classrooms.
It takes time for practitioners to have sufficient experience and learn to harness their power. To learn enough from experience to know how to handle situations under enemy fire. To have screwed enough things up to be able to know what not to do and live to tell the stories. When to act and when to let things play out. You don’t learn that in some class or in even at the Jedi Temple in Coruscant.
So what do you do? You have the need for Jedi to protect your sensitive assets. First, accept that training Padawan to become Security Jedi is your most important responsibility. More important than filling out reports for the CFO. More important than placating assessors. Even more important than cleaning up the mess from John from Finance that keeps clicking on nasty links. Even after you tell him that Svetlana from Naboo doesn’t really want to marry him.
Always be recruiting new Padawan. When you go to an event like the RSA Conference, network your behind off. Meet other practitioners. See if they are happy in their job. See if they are open to looking at other opportunities. Sure, you could hire one of the handful of headhunters specializing in security to do that, but guess what every other CISO is doing?
Go to other conferences, especially local security shows. Get involved in organizations like the Cloud Security Alliance that has local meetings. Go meet the interns your company has brought into other technology areas. Find out who are the highest potential IT operations people. See if they think security is cool. Those strong with the Security Force can be found anywhere. But only if you are looking.
Once you have identified a promising Padawan, team them with one of your existing Security Jedi. That’s right, one is the Master and the other the Apprentice. To be clear, the Apprentice may have better security skills than the Master. But the Apprentice doesn’t know how to get things done in your organization and that’s what they need to learn. Remember that being an effective Security Jedi isn’t all about technical skills.
Optimally you don’t want to overwhelm the Security Master by having them handle more than one (two max) Apprentice(s). Focus is critical to success. If the Master cannot devote enough of their Force to the Apprentice, the Padawan will struggle and get fed up and leave.
And to be clear, regardless of what you do, a portion of your Security Jedi will leave and go to another galaxy to bring the Force to that new places. Be proud of how you’ve taught them, what they will accomplish and let them go. Others will head to the Dark Side of Consulting. They believe spending years on a TiE-fighter and doing battle with the Sith across the galaxy is cool. Let them go as well.
And keep the cycle going by continuing to find new Security Padawan and training them to be functional Security Jedi. It’s not like the forces of the Dark Side are going away.
— Mike Rothman
Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive