No question, corporate cybersecurity has improved in recent years. But it needs to do better still, and a lot has to do with personnel management of one sort or another.
In particular, enterprises must find ways to hire more cybersecurity pros. Companies have to finally embrace the notion that an appropriate college degree is helpful but certainly not essential. To sufficiently meet demand and capitalize on varied perspectives in the workplace, enterprises also need to attract a broader pool of hires, including women (just 24 percent of cyber pros are females, and most are paid less than men), underrepresented minorities and military veterans. Another way to address hiring is to learn to think more creatively about cyber personnel.
I’ll elaborate on this shortly, but first, some perspective is in order.
There has been a chronic shortage of cyber pros for years. According to ISC(2), an international nonprofit that offers cybersecurity training and certification programs, there is an unfilled need for 359,000 of them in the United States alone and 3.1 million globally (up from 1 million in 2014). Other surveys, meanwhile, show that more than two-thirds of companies are impacted by the cyber skills shortage—a situation expected to deteriorate further.
Compounding matters is that hard-to-find cybersecurity experts regularly move to a new job in three years or less—and not so much because of better pay. Rather, studies have shown they often feel isolated and believe their efforts aren’t taken sufficiently seriously, in part because security staffs are chronically busy and understaffed. So business niceties tend to take a back seat.
It doesn’t help, either, that a sizable majority of employees in most enterprises have to do their part to help security pros succeed. They have to be mindful of phishing scams, for instance, and learn how to sidestep them. Unfortunately, too many employees continue to make costly security blunders on their computers and smartphones and even less has been done to help remote workers protect themselves from an attack.
According to a recent survey by U.S. telecom giant AT&T, 55 percent of remote workers have experienced a cybersecurity incident in the past year. Many of these attacks are believed to be due to human error, poor cyber hygiene and a lack of security awareness. AT&T found that 54 percent of workers frequently use work devices for non-professional purposes and that 50 percent of companies haven’t provided cybersecurity training since moving staff online at the start of the COVID-19 pandemic.
Against this backdrop, we have witnessed huge cybersecurity disasters in recent months, including the SolarWinds, Microsoft Exchange and Colonial Pipeline breaches, underscoring that attacks are impacting far more victims than ever.
So what can enterprises do to better address these issues?
Two significant steps would be to be more open-minded about what is required to be a good cybersecurity pro and heightened creativity overall. One major company that deserves laurels on this front is IBM. Big Blue offers select job candidates on-the-job cybersecurity job training, industry certifications and access to community college courses. The idea is to prioritize capability and willingness to learn over degrees. “New collar” jobs have represented nearly 20 percent of IBM security hires since 2015.
A more recent tact has been taken by the Public Infrastructure Security Cyber Education System (PISCES) in the state of Washington, which offers smaller cities and counties in the state free network threat monitoring. The cyber workers are qualified students at five state of Washington universities, each a federally recognized center for cybersecurity education. The cities and counties get the cyber defense they need, and the students learn how to be cyber analysts in real life, further cementing their interest in the field. Seattle-based CI Security, one of the private stakeholders in PISCES, lends its time to train students.
Also sorely needed is an expansion on the hiring front. Insufficient diversity in hiring has dogged the technology community at large for years, and cybersecurity is no exception. According to Bricata, a network security company, women, for example, make up just 11 percent of the global information security workforce.
Military veterans of both genders, and not just the technologists, should also be targeted for cybersecurity openings. The vocabulary used in cybersecurity borrows heavily from military terminology, such as the words “breach,” “reconnaissance” and “obfuscation.” Most important, military veterans are usually good students and already come with instincts to protect sensitive information.
Here are some additional tips for companies to improve their management of cybersecurity talent:
+ Partner with colleges creating cybersecurity programs. Rather than have computer science or computer engineering majors take specific cybersecurity courses along the way, more universities and colleges are now creating cybersecurity-specific programs. Team up with them to create internship programs.
+ Coach and promote entry-level talent. Many technology companies, in particular, already have young, eager IT employees who understand cybersecurity. Explore their interest and potential to become cyber pros.
+ Build an in-house corporate training program. PricewaterhouseCoopers, as an example, is confronting cyber labor scarcity head-on, aggressively hiring people for its cybersecurity consulting practice. PwC identifies new candidates through increased recruiting of new college graduates, including liberal arts majors.
+ Get out of the office. Make a point of pushing top cybersecurity people to attend conferences and hackathons and, when possible, address current cybersecurity trends and how best to address them. It’s a good way to attract fresh talent.
With the cybersecurity labor gap expected to keep growing as much as 20 percent to 30 percent annually in the coming years, companies and other enterprises have no choice but to do more to attract potential cyber talent. Eventually, a broad rethinking of education systems to include cybersecurity training, starting at least as early as high school, may be required. For now, creating in-house corporate training programs and partnering with colleges to create cybersecurity programs is at least a step in the right direction.