Equifax’s breach was caused by a known, critical vulnerability that went unpatched for months. Addressing critical vulnerabilities is basic security hygiene. It takes people to do the work, and if the people aren’t there, the basic hygiene work doesn’t get done! There is no doubt in my mind that severely under-budgeted staffing practices played a major role in the failure to prevent and detect this breach.
Millions of people’s identities are now at risk. The words “staffing negligence” come to mind. I am tired of watching organizations that hold sensitive information, and organizations that can affect human safety, wait months to engage staffing firms to fill their open security roles. This is irresponsible.
There is no greater risk for a cybersecurity leader, the organization they work for, and the customers they serve than a staffing plan without a recruiting budget for agencies. If a cybersecurity department leader doesn’t have access to a budget to pay a staffing firm from day one, expect major risk for the organization. HR departments are not equipped to fill cybersecurity jobs quickly.
There is no doubt in my mind this CISO was negligent, and there is no doubt that the CFO, HR leader and CEO were also negligent. They are all responsible for creating this poor staffing plan. Let this be a lesson to all CISOs and those who aspire to be a CISO: do not stay in an organization that handcuffs your ability to quickly staff and retain cybersecurity talent. Organizations must treat cybersecurity talent acquisition the same way they treat sales talent acquisition in order to fill their positions quickly. Because CyberSN also staffs security sales people, I can tell you firsthand that if everyone applied the same staffing budgets they apply to sales to cyber professionals, jobs would be filled quickly. Cybersecurity roles must be filled immediately, or organizational risk is significantly greater. Let’s live, learn and make change together.
Much love cyber friends, we need it!
Deidre