What am I proposing? Well, rather than merely demanding compliance with information security policies from staff, companies need to keep them supplied with up-to-date training and knowledge about the latest cyber threats, along with vendor-specific and technology training. Likewise, IT staff need to feel that their work contributes successfully to the organization’s objectives, goals and profits, and that feeling comes from being compensated with market-rate salaries. Providing staff with the necessary tools, knowledge and motivation lets them know their value within the company, as well as the importance of their jobs. This will also help companies attract and retain the best talent.
Technical training and awareness should be directed at multiple areas such as secure development, system hardening, security controls effectiveness, vulnerability assessment, patch management, IT asset management (software & hardware), and IT staff recruitment, just to mention a few. Likewise, management should consider mid- to long-term professional development plans that allow staff to become certified along various paths like CEH, CISM, CISSP, MSCE, Security+, and ITIL, among many others. This should strengthen the staff with the latest technological and security knowledge. It would also help them develop and/or maintain a more mature security posture. Not to mention that they would be intrinsically better motivated.
Companies investing in developing their internal IT staff should consider this a win-win scenario, where better prepared, compensated, and motivated staff make for more engaged and loyal employees. Even though this will not always be the case, it is worth trying. It will cost much less than being hacked.
Remember, most of the time, hackers are organized, better prepared than some industries, and highly motivated. Internal IT staff should be ahead of them.
Author: Gilberto Crespo, MSCE, CDIA+, CIP, ITILv3
Computer Engineer & Technology Blogger