Tammy Moskites, CIO & CISO, Venafi
You only have to look at recent headlines to confirm that cybersecurity is a critical concern that touches every industry and every individual, and threats are only continuing to increase. Yet in a recent study conducted by ISACA and RSA, 52 percent of global cybersecurity and IT managers and practitioners said “that less than a quarter of applicants for cybersecurity positions have the necessary skills for the open position. As a result, 53 percent said it can take three to six months just to find a qualified candidate.” Then it takes another three to get them on board. This is a pressing issue within this field of work that needs to be addressed. So how did this shortage or “talent gap” happen in the first place?
Despite the growing breadth/depth of security threats in the everyday organization, it is typical to find an unstructured security team that is not providing professional growth or continued education opportunities. Furthermore, the few professionals who are qualified are spread too thin and tend to burn out quickly. This has also had a profound impact on the security industry, which is now seeing 1 million unfilled cybersecurity jobs in 2016 alone, and that number is expected to increase to 6 million global job openings by 2019.
While the task of closing this gap seems daunting, it is important for enterprises to shift their focus to their internal teams to cultivate the talent that already exists within their organizations, even if it’s minimal to start. They need to provide an environment that encourages career growth and constant training to ensure security professionals are armed with the knowledge and skills to defend their organizations. If this becomes the practiced behavior, it is my belief that the skills gap will start to close.
To do this you must understand what skills you already have and then determine what you need within your security team when hiring. A range of talent is required to keep an enterprise secure, so you must know your must-haves when hiring. In addition, it’s important to understand the soft skills needed, which include creative problem-solving, the ability to foster collaboration and a drive to challenge conventional thinking to stay ahead of hackers. It is no longer easy to find that 100-percent candidate, and even the 80/20 rule doesn’t work any more! You have to accept that, at times, you may have to hire the must-have(s) and train the rest – maybe a 50/50 rule?
Companies can be slow to increase cybersecurity spending because it's been historically hard to measure the bottom line impact of the investment. That's where the CISO can play a key role and provide answers that resonate... Once you have a good understanding of what you need, you need to make sure you are finding the right people and making a concerted effort to retain the talent within your organization. Though this is a long-term process, which requires continued effort, below are some quick tips to point you in the right direction:
Cultivating talent early on is the most effective strategy to address the growing talent shortage. Work with schools/students to provide insight into the cybersecurity industry by supporting training and education initiatives that will arm young professionals with the skillsets necessary for success. This includes adding internships to your hiring practices!
Since threats are constantly evolving and technology is advancing more rapidly than ever, continued education is necessary to keep skills sharp. It’s essential that organizations provide in-house and ongoing security training and certification courses, for everyone enterprise-wide, that will give security professionals a leg up on hackers.
Retain the talent within your organization by ensuring that employees feel their employment is meaningful. By offering opportunities for professional guidance and mentorship, you’ll create a supportive environment, leading to higher employee satisfaction and reduced turnover rates. Give them the opportunity to learn and empower them to be the best that they can be. This also includes ensuring you are paying them what they deserve!
If we want to address the cyber talent shortage, we need to tackle the issue head on. By making a concerted effort to cultivate talent, encourage continued education and create a supportive workplace environment, we can strengthen the security industry and help build the workforce to thwart cyber attackers.