Reading Trey Ford's article https://community.rapid7.com/community/infosec/blog/2015/11/19/ciso-guidance-on-building-the-team led me to want to put some ideas onto the blog that I've discussed at work and over beers but never here. So here it goes.
I'm not going to address each point; rather, I'm going to just share a few observations and opinions on the subject from my life/career.
1. I don't do any hiring but I can agree that there may be a lack of skilled mid to senior people in the market. At every place I've worked it was always difficult to find qualified people just to interview, let alone hire. The fix: we/us/you/me need to grow them (more below).
1a. What I don't see is a shortage of INTERESTED junior people. There are tons and tons of people that want to get into infosec but sadly everyone wants mid to seniors and they don't want to train juniors.
2. It CAN be hard to afford people, especially in expensive places like SFO/Silicon Valley, DC Metro Area, NYC, etc. However, there is a real reluctance to allow remote workers, so when you base your HQ in an expensive area, or a place with a crappy commute, AND don't allow remote employees, then you don't get to complain that people are asking for lots of $$$. Valsmith touched on this in a post as well (http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html).
That being said, I know a lot of people want to make a difference and do cool shit and they are willing to take slight pay cuts to do this (also mentioned in Trey's article). Management should keep this in mind. Also, maybe it's less the pay and more the sense that it's going to be impossible to make an impact in your organization. That's what keeps me from wanting to go back to doing gov work.
3. There is a clear problem with senior people getting upset that people "get trained" and leave the company. Bottom line, we shouldn't get upset. Every person that goes from junior to mid or mid to senior and moves on to another company brings those skills with them and improves the other company and Security as a whole. Fewer companies getting pwned or more companies being able to react better/faster to attacks is a good thing.
We should reframe our thinking of not wanting to pay to train someone else's employee and more on we need to grow literally as many security people as we possibly can for our industry. Every company should think this way.
4. Have a FORMAL plan to grow your security people. An unnamed CISO mentions this in Trey's article but sadly no details are given:
“I like to work with entry level candidates on a 2-5 year growth path. I realize they may not be here forever, but I want to focus on giving them the right tools and a good experience.” I've never had a job outside of the military that had a written plan to grow a security engineer/pentester from junior to mid or mid to senior. No required tasks or knowledge identified, no listed skills for my job role, no specific training to take, books to read, or anything to prove I was ready for that next level. It has always been On the Job Training (OJT). To be fair, there is no replacement for OJT and it's absolutely required to gain experience, but there is no "growth path" when you rely on whatever pentest comes in, whatever internal projects come up, or whatever fires need putting out to guide a person's development. I think we have attempted to rely on certifications to do some of this, and it does to an extent, but it's general knowledge and not going to be organization or position dependent. Not to mention the whole value-of-certifications dilemma.
You know who does have a plan to grow people from zero to competency? The military. They take someone with aptitude (usually) but zero experience (well... assumes zero experience) and put them through training and testing with specific objectives and at the end they demonstrate proficiency in those specified tasks.
I'm not saying we need to get THAT formalized in our training, but we need SOME plan on how to take someone with aptitude (and I'm going to assume you've demonstrated aptitude if you got through college with a CS degree or in some other way) and repeatably train and grow that person from one level to another.
I don't know if we can do this collectively in a broad security community/PTES type sense (maybe we should try?) but I'd certainly like to see it implemented at a team level inside companies.
The second part of the article is also worth a read: