As much as tools and technology evolve in the cybersecurity industry, organizations remain reliant on clever, well-trained humans with incisive critical thinking skills to protect themselves from the perilous cyber threat landscape. But just as the threat landscape continues to expand, so, too, does the corresponding skills gap that puts organizations at risk of major financial losses and irreversible damage to their brand reputations.
Finding and retaining a sufficient pool of qualified cybersecurity professionals grows ever more challenging, as reflected in ISACA’s recent State of Cybersecurity 2019 research. The retention piece can be especially problematic, particularly for organizations that face substantial resource limitations. Better financial incentives, such as higher salaries and more lucrative bonuses, overwhelmingly came across as the top reason why cybersecurity professionals change jobs, with other considerations such as career development opportunities and better work culture/environment also factoring in among the leading reasons.
The State of Cybersecurity 2019 report reveals several problematic data points about the current cybersecurity workforce outlook, including:
- 69 percent of respondents say their cybersecurity teams are understaffed
- 58 percent indicate their organizations have unfilled cybersecurity positions
- 32 percent report it takes six months or more to fill cybersecurity jobs at their organization
That last statistic is especially troubling. Think of the enormous damage a cyberattack can inflict upon an organization in six hours, let alone the six-plus months that it takes 1 in 3 organizations to fill an open cybersecurity position. That it takes so many organizations such an extended period to secure the candidates that they are looking for is indicative both of the need to cultivate more people to become interested in the cybersecurity profession and, thinking realistically, of the need for organizations to come to grips with the need to reskill and train candidates who might not check every desired box on the job description. Rather than wait six months or longer in hopes that the ideal person walks through the door, organizations would be well-served to take technologically-savvy candidates with tangential skills and bring them into their cybersecurity teams, realizing that a commitment to training and professional development will be needed.
Looking beyond conventional candidates
Along those lines, organizations should become more receptive to seeking out talent from non-traditional backgrounds. As my ISACA colleagues noted in a panel discussion this month at the RSA conference, veterans and others from non-technical backgrounds who possess skills and interest that align with cybersecurity roles often can rise to the occasion when given the opportunity. Furthermore, the cybersecurity industry must do a much better job attracting and retaining women in the field. The underrepresentation of women in the cybersecurity profession is an important piece of the overall skills gap faced by organizations globally. Taking these factors into consideration, organizations would be well-served to develop a business plan that redefines their protocols for how security talent will be attracted and retained.
Little margin for error
Organizations can build and retain effective cybersecurity teams, but the margin for error is slim. Quality cybersecurity practitioners will have many options, so the onus is on enterprise leaders to give them a compelling reason to want to come – and stay – at their organization. Offering a competitive salary is a natural starting point, as the State of Cyber 2019 report reinforces. When budgeting for the overall scope of their security teams, leaders might need to resist the temptation to purchase the latest intriguing tool or gadget if it comes at the expense of being able to offer key team members competitive salaries. Beyond the pay component, there are other areas in which organizations should take stock of what they are offering to make sure team members feel appropriately valued. To that end, organizations should invest in performance-based training for existing staff to groom more practitioners who are technically proficient – often the most elusive professionals for organizations to find. Instilling an upbeat, team-oriented culture also can go a long way toward preventing employees from looking elsewhere.
With each passing year, the recognition that robust cybersecurity is a central business imperative for all organizations in the digital economy becomes increasingly widespread, but there is a difference between knowing cybersecurity is important and having the vision and commitment to put an effective security program in place. That starts with bringing aboard quality cybersecurity practitioners, and then providing the ongoing training needed to fill in knowledge gaps and keep professionals current on the latest attack methods they will be tasked to combat. While artificial intelligence and automation-driven tools will prove useful for enhancing cybersecurity in the coming years, that doesn’t change the reality that no organization will be on secure footing until it has the right people in place to strategically address cyberattacks that will continue growing in volume and sophistication.
Editor’s note: This post originally appeared in CSO.