As the range of cyber threats confronting industry continues to grow more varied, intense and sophisticated, security teams will find themselves coming under increased pressure. With limited personnel to manage the rising security threats, the difficulty attracting, recruiting and retaining an appropriately skilled workforce has become a problem for organisations of all sizes.
How serious is the current cybersecurity skills gap?
ISACA forecasts that by 2019 there will be a global shortage of two million cybersecurity experts. Across Europe, a skills shortage of 350,000 workers is expected by 2022. Statistics such as these demonstrate that we are currently experiencing a skills gap predicament of larger-than-life proportions, and few organisations know what to do about it.
With global financial stability at risk, the gap in cybersecurity capabilities needs to be plugged, and ultimate responsibility rests on the shoulders of CEOs. As organisational leaders, CEOs are charged with ensuring day-to-day operations are run smoothly and safely. This includes building security teams with the essential skills needed to maintain a secure operating environment across both public and private sectors. So, how can we help close the cybersecurity talent gap, fill jobs, and meet our urgent cybersecurity needs?
The evolution of the security workforce
The security workforce – typically defined as the personnel responsible for an organisation’s security activities – has evolved rapidly since its inception. The information security function, for example, often exists only as part of another associated business function, such as risk, technical IT operations, legal and/or audit. It can be identified as information, cyber, assurance, or operational security, and can also report into various business units, including finance, risk, governance or IT.
Over the course of its evolution, the lack of a consensual definition of the function has allowed numerous, disparate components to form an organisation’s security workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.
Adopting a creative approach
Today’s cyber skills gap is an issue of economic and international security. The gap continues to grow, and governments around the world are recognising that cyber attacks are critical national vulnerabilities. Attracting people from more diverse backgrounds into the industry will not only help reduce the shortage in skills, but also provide the necessary basis for a safer world in today’s progressively connected society.
Shortfalls in skills and capabilities are manifesting as major security incidents that damage organisational performance and reputation. Building tomorrow’s security workforce is essential to address this challenge and deliver robust and long-term security for organisations in the digital age. Filling the skills shortage will require organisations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is clearly in need of new tactics and fresh ideas.
The importance of hiring from every section of society has never been greater. Consider, for example, that research by Cybersecurity Ventures finds that only 20% of the global cybersecurity workforce is made up of women – a statistic that proves there are large, untapped pools of talent. Looking deeper, there are lessons to be learned about what organisations must do differently to attract bright prospects from a wider spectrum of education, experience, and expertise. And of course, it goes way beyond gender diversity – organisations must understand how to recruit effectively from younger and older age groups, underprivileged districts, liberal arts colleges, and other atypical populations.

Additionally, business leaders must focus on building and maintaining an all-encompassing culture. By nurturing an environment where employees feel valued and supported, organisations can retain their present skilled team members and increase the number of workers who apply for jobs, giving themselves access to a broader range of talent. Organisations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures become more complex.
Closing the gap between supply and demand
Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture. It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies. But is this inevitable? Are those responsible for hiring so inflexible in requiring candidates to have specific skills, qualifications, and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organisations are urgently seeking a solution to the perceived crisis around hiring security professionals.
To address the growing demand, organisations need to broaden their approach, and work purposefully to recruit security professionals from a diversity of backgrounds, disciplines and skill sets. Focus on the aptitude and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that eliminate a large portion of current and prospective information security professionals.
Developing a sustainable security workforce
Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organisation’s survival. However, for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.
Organisations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained efforts, organisations can formalise the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organisation’s security objectives.
A mature and innovative approach to embracing the vast resources of untapped talent is the way to address the looming crisis in the global security workforce. A diverse security workforce will empower organisations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing. A sustainable security workforce is essential if the security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.