#ISC2Congress Panel: Finding The Balance Between Skill and Usability
When does technology become too easy to use? And when does simplicity start working against you? These were among the many questions tackled by a group of panelists during a 2020 (ISC)² Security Congress virtual session called “Easily Deployed and Sold Short.”
At issue was whether easy-to-use user interfaces on complex security tools make it more difficult for cybersecurity team leaders to figure out what skills their team members have mastered. Timothy Robnett, vCISO at Wavefront Consulting, made no bones about it: “A simple UX makes it harder to promote somebody,” he said.
Simplicity of use, he said, doesn’t erase the need for critical thinkers who tackle hard questions and know how to dig into a problem. But it does make it harder to figure out who has those skills. “We are losing our ability to make judgments about the information that is being presented because it’s so heavily curated.”
John Carnes, an executive advisor at insurer Anthem, agreed. He drew a parallel with modern cars that are easy to drive but have a lot of sophisticated, complex technology under the hood. It’s harder to tell whether someone is a good driver when the car has automated braking and lane assist.
The panel, moderated by Brightfly Inc. Managing Director Brandon Dunlap, addressed a range of issues pertaining to expectations set by vendors for their products, who should take part in decisions to deploy solutions, and how to build security teams to run those solutions.
Understanding the Environment
One important message panelists wanted to convey was that regardless of what claims vendors make about their products, a lot of effort is necessary to figure out if a product is right for your organization.
This requires legwork by the IT and security teams as well as input from business-side stakeholders. It’s not enough to seek input from vice presidents or department managers; you have to communicate with the people in the frontlines most affected by the solution. It helps to have a business analyst in place whose “job is to be that bridge between IT and the business people,” said Carnes.
Once a solution is in place, “keep a finger on the pulse” of what it is doing, said Erik Von Geldern, CISO at FXCM. “You install a thing, and the thing gets a new version. What are the capabilities of that new version?” You have to figure out what has changed and how it affects the unique environment in which you have deployed the solution, he said.
It’s also important to analyze how a new deployment affects other technologies already in place. For instance, does a new security tool have an effect on the backup and recovery system, what is the effect, and does it need to be addressed to prevent problems?
Getting all of this right requires making an investment in institutional knowledge. Robnett talked about the importance of building a staff that understands the business environment and how to derive business value from the solutions you implement. However, building that staff is anything but easy.
Global Search
Von Geldern said finding qualified people for cybersecurity teams has changed dramatically over the past year. “Everything has effectively become a global search. We are continually having to reassess the programs we have in place to find that talent.”
The problem of course has to do with a massive skills gap that (ISC)² estimates is leaving about 3 million positions unfilled worldwide. Hiring managers have to be creative and consider priorities. Von Geldern stressed the importance of diversity. “I’m always looking for people who think about problems in a way that I don’t.”
Robnett talked about drawing people from other parts of the business, properly training members, and creating a career path for cybersecurity professionals. Recognize, he said, that junior team members working in the helpdesk don’t want to stay there forever.
Carnes, who has worked for Robnett in the past, urged managers to find ways to spot the people who want to grow and help them on their path. Having individuals in jobs that only one person knows how to do doesn’t make the person irreplaceable, he said. Someone can always be replaced, and that’s a good thing because when you’re replaced, you open opportunity for someone else as you move on to your next one. “If you are not replaceable, you are not promotable,” he said.