Managing Director, Information Security Forum
Cyber is front and center these days. There is no industry anywhere in the world that is not touched by cyber, and security is something that boards need to open their eyes to. Recently, we have seen Moody’s include cyber as a metric in determining credit ratings, and legislators are increasingly looking at how to increase the responsibility of executives.
Unfortunately, ISACA forecasts that there will be a global shortage of 2 million cybersecurity experts this year. Statistics such as these demonstrate that we are currently experiencing a skills gap quandary of larger-than-life proportions, and few organizations know what to do about it. Building tomorrow’s security workforce is indispensable to address this challenge and deliver robust and long-term security for organizations in the digital age.
Filling the cyber-skill shortage will require CEOs and other executives to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is undoubtedly in need of new tactics. Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years as both attacks and defensive measures become more complex.
Building tomorrow’s security workforce
Shortfalls in skills and capabilities are manifesting as major security incidents damage organizational performance and reputation. Building tomorrow’s security workforce is essential to address this challenge and deliver robust and long-term security for organizations in the digital age. Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts.
These days, nearly every worker has multiple devices that can compromise information instantly and at scale. Impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees. Volume of data, ease of access, and increased value of data make cybersecurity even more important to businesses and individuals. The more we transform our businesses, governments, and public and personal lives through digital technology and connectivity, the more we share the accompanying risks. The adage seems appropriate once again: we’re only as strong as the weakest link in the chain. And the security skills gap represents an alarmingly weak link.
However, the answer is not necessarily to produce more technically competent cyber-graduates – we need to recognize that cybersecurity professionals will need to have a more rounded set of skills such as emotional awareness, business skills, and communication. This opens the door to graduates in many disciplines, all of whom can be taught some of the cyber-specific skills that are needed. Fundamentally, the cyber-skills crisis is one that requires us to look further afield than simply cyber-specific skills; smart organizations are hiring psychologists, marketing experts, and other business gurus to work in the cyber-enabled world.
To address the growing demand, organizations should extend their approach and work persistently to recruit security professionals from a diversity of backgrounds, disciplines, and skill sets. Focus on the ability and attitude of candidates rather than insisting on a host of specific skills, experience, and qualifications that would eliminate a large portion of current and prospective information security professionals.
Focus on embedding cybersecurity behaviors
In the coming years, organizations need to place a focus on shifting from promoting awareness of the cyber problem to creating solutions and embedding cyber security behaviors that aﬀect risk positively. The risks are real because people remain a wild card. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control.
As tomorrow’s security workforce, filled with recent college graduates, matures and finds innovative ways to embrace the vast resources of untapped talent, the myth of a looming crisis in the global security workforce should reshape into a more realistic picture of the challenges ahead, making room for innovation and wider adoption of proven strategies and best practices. A robust and diverse security workforce will empower organizations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing.
Cyber is an exciting, fast-moving space and security experts require skills to deal with the challenges that we, users, bring to the use of technology. The days of being able to secure your environment are gone; we need to adapt to an open environment in which security needs to be all-pervasive. That requires a new set of skills.
Steve Durbin, Managing Director, Information Security Forum, [email protected]