The concern about the skills gap in cybersecurity is not new. At the start of 2017, I released a five-part blog series about the gap, how it was created, and how we can solve it. Three years later, the skills gap is wider than ever and little progress has been made, at least in the United States, to close it.
Closing the cyber security skills gap is one of the most important issues facing corporations today. Companies must deal with demanding compliance requirements—and potentially devastating costs when sensitive information is lost. But they also struggle to recruit, hire, train, and retain the highly skilled staff they need to implement and manage effective data protection programs. In the absence of government intervention, the private sector can take immediate steps to address its own specific skills gaps.
Let’s take a look at where we stand, how organizations are addressing their talent hiring and cultivation needs, and options for implementing more effective data protection through shared resources such as managed data protection services.
Defining the Problem: The Cyber Security Skills Gap Remains Critical
“A problem clearly stated is a problem half solved” —Dorothea Brande
It seems that every day, a new data security threat emerges. In the years since mega breaches like those that hit Target, UPS, Goodwill, JP Morgan Chase, Sony, and Equifax, cybercriminals have become only more sophisticated, executing a digital crime epidemic that appears to be sweeping the globe.
What’s behind the growth of cybercrime?
This problem is not soon going away; in fact, it is increasing in scope. Attackers have access to marketplaces, instruction manuals, tips and tricks, and even entire portions of the internet that are dedicated to the pursuit of separating valuable data from its rightful owners. The explosion of advanced cybercrime is fueled by multiple factors:
- There is very little downside for an attacker as an unsuccessful breach rarely has meaningful consequences given the fact that there are few laws—either internationally or within countries—that allow for the global prosecution of cybercrime.
- Although a cost/benefit analysis typically shows that investment in a stronger security posture is hugely beneficial, many organizations still hesitate to make that investment. Many businesses haven’t determined the value of their sensitive information and intellectual property or completed a proper risk analysis.
- In contrast, the bad guys have a very clear idea of what they will gain and how much effort and cost they should expend trying to achieve that benefit based on the margins they would like to maintain. They know exactly how much data is worth and who will buy it. In short, attackers are running their operations like a business.
As a result, attackers often have more people and more capital at their disposal than the people who are trying to protect the data.
We have the tools, but not the people, to address the skills gap.
With GDPR in full effect and the emergence of other sweeping regulations in countries like Japan and Brazil and states like California and New York, it is clear that global governments will not continue to bear the multi-trillion dollar burden associated with cyberattacks without requiring private organizations to implement reasonable protections for the data they control.
“Your cybersecurity strategy must be built into your business strategy” —Tom Ridge
Unfortunately, when organizations decide to invest in cybersecurity, they quickly discover there is a dearth of suitable talent. Plenty of technology solutions are available to help an organization succeed in protecting their environment, but those are simply tools. If you had thousands of hammers, drills, wrenches, etc. but no skilled carpenters to use them, how many houses could you build? The same challenge faces cybersecurity initiatives in many organizations.
To address this skills gap, organizations need to look at both long-term and short-term solutions. Naturally, there is no single prescription to solve the problem, but we have some practical, actionable steps available to us today to begin solving the problem: improving hiring and retention, nurturing in-house talent, and looking to partners who can provide effective resources and expertise.
Hiring to Win
“The secret of my success is that we have gone to exceptional lengths to hire the best people in the world.” —Steve Jobs
The first instinct of many executives is that they want to hire in-house talent in all aspects of their business. This approach gives the organization maximum flexibility and control with respect to those resources, but it comes at a great price in the cybersecurity sector.
In a competitive job market like we have now, organizations are paying top dollar for experienced cybersecurity professionals. The trouble is, plenty of other organizations are also willing to pay top dollar for that top talent. The result is that these in-demand pros tend to move from job to job every 18-24 months, advancing their salaries.
Organizations realize a return on their investment in a cybersecurity professional when they are able to affect organizational and programmatic change that will simultaneously protect the organization from external threats and educate users to better protect the information they handle.
“The competition to hire the best will increase in the years ahead. Companies that give extra flexibility to their employees will have the edge in this area.” —Bill Gates
If it is your goal to hire all your talent directly, these three recommendations are foundational to your success:
- Ensure you have either internal or external recruiters who are dedicated to sourcing the best cybersecurity talent possible.
- Ensure your HR department is set up to attract and retain this type of talent. This may mean evaluating and providing compensation changes to match the open market more frequently than you do with other employees in the business. This also includes being creative with compensation packages that include work-life balance initiatives and less traditional benefit options.
- Ensure you implement a holistic human capital strategy that challenges and develops team members. Cybersecurity professionals who do not have an opportunity to gain new skills and use those skills on the job will leave quickly.
These recommendations are especially pertinent as you recognize that your next generation of cybersecurity professionals are millennials. To not only hire but retain them, it is important to understand that they may have a different set of career expectations than previous generations.
For example, millennials may have a different view of benefits such as paid time off (PTO). In response, some organizations are moving towards policies that do not track the number of days off a salaried employee takes and they may take as many as they wish so long as they meet their performance objectives. Other organizations may use a more traditional PTO structure with unlimited sick days, or they may include floating holidays, paid maternity and paternity leave, and other flexible work/life options.
In addition, millennials often view the employee-employer relationship differently than you might expect. They place a high value on their contribution to the organization and they demand that the organization value their work as well. Millennials have a need to know why their work is important to the company and how it impacts the company’s mission. They need to feel connected and confident that the work they are doing has meaning to the organization and the broader community.
The good news is that cybersecurity does have great meaning and significant implications. The challenge is that leadership in organizations needs to communicate with this generation proactively in order to keep them engaged and keep them around.
Hiring is an expensive and time-consuming proposition. Retention is an important piece of the puzzle if your strategy is predicated on having your cybersecurity program operated by internal employees.
Many organizations have people already employed who possess both the technical skill and the willingness to learn to become cybersecurity professionals. A practical strategy for building a stronger information security team is to nurture those existing employees and encourage them to take new roles in cybersecurity.
In order to effectively pursue this strategy, keep some key considerations in mind.
Be prepared to mentor.
Start by ensuring that you already have enough qualified and experienced cyber security professionals to mentor the newer professionals that are being groomed to fill out the team. Be sure, too, that those leaders are willing and able to be mentors and truly care about developing the talents of their new team members. Also realize that you must be patient with your people as they will take time to develop.
Provide the opportunity to learn.
Good cybersecurity professionals are well-trained but also exist in an environment that is designed to help them grow, learn, and discover. Few college courses can adequately prepare someone to be a cyber security professional. Certifications may provide more targeted learning. However, much like learning a new language, it is best to learn cybersecurity while being immersed in it. This is why education systems and universities struggle to yield battle-ready professionals upon graduation. It takes experience to become truly effective.
Show a clear career path and be prepared to retain.
It takes significant time and resources to cultivate talent, so losing talent you have cultivated can be very costly. In order for this approach to be a good investment for the organization, you must make a concerted effort to retain this talent.
That may not be easy. As soon as your new team members have marketable skills, their inboxes may be flooded with suitors eager to court their new talents. For many younger team members who have not been in the cyber security space, this attention will be new and exciting to them. You must be prepared to show them both growth opportunity and a career path that is commensurate, or ideally superior, to what they will be offered on the open market. Talk to team members and map where they want to go in their careers. And consistently show them how the work they are doing today is helping them reach their long-term goals. If you don’t value your employees, someone else will—and you will be right back where you started.
“You cannot hold on to anything good. You must be continually giving – and getting. You cannot hold on to your seed. You must sow it – and reap anew. You cannot hold on to riches. You must use them and get other riches in return.” —Robert Collier
Managed Security Services
Hiring well is difficult, time-consuming, and expensive. Probably the only thing that is more disruptive and expensive over the long term than hiring well is hiring poorly.
Cultivating talent is difficult as well. It requires organizational changes in order to create an environment to foster growth beyond formal education. And cultivating talent only to see that person be hired by another company can set your organization back years in terms of building a world-class cybersecurity practice area inside your organization.
Managed data protection services are growing in popularity because many organizations don’t have the means or desire to pursue the first two strategies we’ve discussed. Most organizations are in business to do something other than cyber security, so building an apparatus to hire or cultivate specific cyber security talent and retain it is often a defocusing and ineffective proposition.
The truth is this shortage has become so severe that not only can cybersecurity professionals command very high salaries, but they are also able to choose where they want to work. Many of the best are choosing to work for managed services providers—organizations that give them the opportunity to increase their exposure to a variety of systems, build their skill sets, and advance their careers at an exponentially faster rate than working in a single environment.
It stands to reason then that organizations are solving their skills gap problem in the short term by turning to those same providers for access to those professionals. Managed data protection services offer many other benefits beyond talent acquisition. If you choose the right partner, the talent acquisition portion will surely be done for you, but even better than that, you don’t have to worry about contingency plans if the person you have hired leaves, or the disruptive activity of finding a replacement and training that person.
For a growing number of organizations, managed data protection services may be a viable and cost-effective long-term solution, especially if they are comfortable with their provider and the services they are receiving.
Establish Your Strategy: Bridge the Gap
Regardless of which strategy you choose, addressing the cybersecurity skills gap is an important and pressing need for all organizations. This problem will not solve itself and legions of qualified cybersecurity professionals are unlikely to suddenly materialize, so it is important for each organization to develop a strategy to address the gap and to execute that strategy at a very high level.
Tap into Deep Expertise
InteliSecure’s data protection professionals have the experience and problem-solving capabilities required to help your organization build a successful data protection strategy for the long term. Contact us to learn how we can help you execute the steps needed to create and maintain effective, compliant data protection.