Continued Security Staff Shortages Are Making Businesses More Vulnerable To Cyberattacks: Report
From:
Edward Segal, Crisis Management Expert
Washington, DC
Wednesday, April 13, 2022


 

Commentary From Crisis Management Expert Edward Segal, Bestselling Author of the Award-Winning Book "Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies" (Nicholas Brealey)

Just when companies need to shore up their cyber defenses in the face of the growing threats posed by Russia, businesses are still plagued by an alarming shortage of cybersecurity talent, according to a new survey and recent news reports. This is a continuing crisis that could create even more crises for many organizations.

Falling Short

The Philadelphia Inquirer reported that "About one million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions, data from CyberSeek show. Of those, 560,000 are in the private sector.

"In the last 12 months, job openings have increased 29%, more than double the rate of growth between 2018 and 2019, according to Gartner TalentNeuron."

Struggling To Find And Keep Talent

A survey conducted by cybersecurity company Cobalt and released today found that "Nearly every security team has been, is, or will be struggling with finding and retaining talent. Indeed, 45% of security respondents said their department is currently experiencing a shortage of employees."

According to Cobalt's The State of Pentesting, "... a whopping 90% of respondents who have suffered shortages or lost team members are struggling with workload management."

Cobalt surveyed more than 600 security and developer practitioners and gathered data from more than 2,000 cyber penetration tests in 2021.

Tangible Impact

The company said, "Teams have now been struggling with the same vulnerabilities for five years in a row." According to the survey's report, "Talent shortages have a tangible impact on security programs. As colleagues leave and roles stay open, they are struggling to maintain security standards, particularly around compliance and supporting secure development. Vulnerabilities are more likely to slip past undetected, and teams are concerned they're not ready to respond to cyberattacks."

"When security professionals' bandwidth is strained, tasks slip through the cracks, leaving digital assets at risk and potentially exposing organizations to Colonial Pipeline-level attacks," the report pointed out.

A Widening Gap

John DeSimone, president of cybersecurity, intelligence and services at Raytheon Intelligence & Space, observed that "... there is still a cyber skills gap that is only widening with each passing year. There is an opportunity to be had if organizations can properly take advantage of those individuals who are looking for more growth and a career change, especially in cyber.

"For instance, organizations must recruit and train individuals that may not exactly meet the usual cyber standards, ensuring they can do the job, while taking advantage of their unique skills and expertise that could still prove valuable to the company," he said.

"They must also further train those cyber job candidates who interview, but just miss the mark of what the role requires for success—helping to build the skills they are looking for in such positions," DeSimone noted.

More Than A Tech Issue

Deborah Golden, who leads Deloitte Risk & Financial Advisory's U.S. Cyber and Strategic Risk, thought that "... cybersecurity is not simply a 'tech issue.' It traverses the organizational ecosystem and underscores the need to think about talent a bit differently."

She said that "Organizations that take the opportunity to widen cyber talent recruiting and retention practices may better engage naturally curious problem-solvers to work with cutting-edge technologies and new applications…"

Diversity

"Cybersecurity teams should be as diverse as the cybersecurity challenges we face today—the more diverse the team the more prominent the ability to solve the problem at hand," Golden commented.

Perceptions

"Our adversaries aren't one-dimensional and we can't afford to be either. We must help to change the perceptions of cyber talent because the reality today is that cyber is at the center of the business universe and we need an infusion of skillsets and capabilities to address the multitude of challenges caused by the change in the threat landscape," she concluded.

Wells Fargo: Using Supplemental Resources

Sunil Seshadri is Wells Fargo's chief information security officer. He said the company "... is supplementing its existing recruiting staff with specific resources for cybersecurity roles and streamlining processes for hiring managers.

"The company is also expanding its base of cybersecurity professionals through existing partnerships with university and diverse talent programs, as well as spotlighting its referral system to leverage employee networks," according to Seshadri.

Accenture Security: A Different Approach

Ryan LaSalle, North America lead for Accenture Security, pointed out, "People have traditionally entered the cybersecurity workforce through computer science and information technology backgrounds, which narrows the talent pipeline. At Accenture, we've launched upskilling and reskilling initiatives to make sure our workforce is ready for next-level jobs."

Look For Different Perspectives

LaSalle said, "It's also important to look at talent from other relevant areas because they often bring new perspectives and make great cybersecurity professionals. For example, people with degrees in anthropology, the social sciences and even criminology bring an understanding of human-centric behaviors, which is key to analyzing cyberattacks."

Apprenticeship Program

"We also have an apprenticeship program that recruits and trains early-career workers, many without traditional four-year college degrees. We've also helped high schools create curricula to attract young people to the many opportunities in the cybersecurity professional community," he noted.

Investing In Entry-Level Talent

LaSalle thought that "Businesses can make this even more achievable by looking at the skills and credentials really, truly required for the roles they need, how they can better access entry-level talent, and then invest in developing them. We've had great success with that and know that other companies can as well."

Advice For Business Leaders

Brian Wilson is the chief information security officer at analytics software company SAS. He recommended that business leaders take the following steps to deal with the security staffing crisis.

Hire To Fill Multiple Requirements

"When possible, recruit and hire for multiple job [requirements] at once," he counseled.

"This can help stay ahead of attrition, with the added benefit of training two or more new employees at the same time. It's an easy sell when you factor in the challenges of finding scarce talent and how long it takes for new team members to build relationships and get accustomed to how the business is run."

Be Flexible And Creative

"If you can't offer candidates a higher salary, for example, offer them [the] flexibility to work on their terms. As more and more companies are forcing staff to return to the office full-time, offering some work from home flexibility can be a significant differentiator," Wilson recommended.

###

Edward Segal is a crisis management expert, consultant and the bestselling author of the award-winning Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies (Nicholas Brealey). Order the book at https://www.amazon.com/gp/product/B0827JK83Q/ref=dbs_a_def_rwt_bibl_vppi_i0

Segal is a Leadership Strategy Senior Contributor for Forbes.com where he covers crisis-related news, topics and issues. Read his recent articles at https://www.forbes.com/sites/edwardsegal/?sh=3c1da3e568c5.

News Media Interview Contact
Name: Edward Segal
Title: Crisis Management Expert
Group: Edward Segal
Dateline: Washington, DC United States
Direct Phone: 415-218-8600
Cell Phone: 415-218-8600