The state of cybersecurity worldwide is in grave peril.
We are facing a massive deficit of talent, and it’s about to get much worse. An estimated 3.5 million jobs won’t have a qualified person to fill them by 2020. It goes without saying that a cyber talent gap translates to an ever-growing security gap between the rapid pace of technology change and security innovation.
Without premium security talent functioning at peak capacity, the resulting security gap becomes a devastating tsunami, made harder to withstand by cultural landscapes of toxic environments that block innovative problem-solving. In this scenario, the talent gap corresponds to the security gap.
This state of affairs did not happen overnight. Over the last 18 years, we have fallen short, and the fault lines are only getting wider.
Well-meant and legislated programs focused on improving “diversity and inclusion” are not working to bridge the gap. It is not enough to mandate that women are on boards of directors, or that certain percentages of diverse individuals are hired. HR departments are doing the work of recruitment and onboarding a breadth of talent but the way these individuals are onboarded, together with the entrenched management environment, receives the incoming rainbow of diversity and blends it all to remove variety in a culture that strives for the ease of sameness. All the potential benefit is lost and groupthink retains its gatekeeper, inertia.
In talking with women, men, non-binary professionals, and people of color, we’re hearing that cybersecurity is a sub-culture within a culture, and has some major challenges. Women represent somewhere between 11-18% of the cybersecurity workforce; for people of color, the numbers are lower by an order of magnitude. Women are opting out of cybersecurity in mid-career, citing reasons like work environment, lack of a clear career path progressing with more responsibility and leadership opportunity, not having role models at the top, and abnormally high levels of stress.
On the brighter side, some companies have found a solution to thrive in this tsunami and help their companies become stronger and more innovative by addressing the need for culture change. And their approach is paying off already.
Allgress, Inc. CEO Gordon Shevlin intentionally harnessed the power of collaborative, egalitarian culture to develop next-generation GRC technology for SMBs. They are doing something right - their growth is 100% YOY and they were recently awarded the Risk Management Innovation Award from CyberSecurity Breakthrough Awards Program.
Emily Heath, VP, and CISO at United Airlines recently posted on LinkedIn that the challenges of cybersecurity demand “a broad range of skills, creativity, and diversity in thinking.” The company tackled this issue head-on, making diversity and inclusion a very visible part of their innovation strategy. They are tackling the “beige management culture” first, and a more diverse community is a result. As of July 2018, “the security risk and compliance team at United is now 48 percent female and 42 percent minority, represented by 25 nationalities and talented team members from a wide variety of backgrounds and experiences.” Emily reports that this has created a “huge advantage” for United.
By “doing the right thing” and addressing the culture issue head-on, companies like Allgress and United have shown that including more varied perspectives and unexpected ideas can free a company from its circular groupthink, create better solutions and directly benefit the bottom line.
Of course, this approach comes with its own challenges. It shakes up the status quo and boots some people out of their comfort zone.
Over the next seven months, we’ll be providing insights and tips on how you can find, hire, nurture and retain the people who will let you surf the talent-shortage tsunami instead of being broadsided by it. Then, at RSA Conference we’ll be hosting an event-within-an-event focused on the latest talent acquisition and retention strategies in today’s cybersecurity space.
You can read the full length piece here: https://www.karenworstell.com/rsac/tsunami/