Andrew Rose, resident CISO EMEA at Proofpoint, discusses the biggest cyber security staff challenges facing organisations, and how to overcome them
The digital disruption that hit businesses in the last decade did not arrive as a single tsunami. Instead, it surged in a series of waves that crested into a technological renaissance that generated additional organisational dependency on IT and sped up a problem that had already become obvious — the shortage of security resources.
The scarcity of cyber security resources is real, and it has a profound effect on organisations’ efforts to grow and maintain an effective security function. A recent Harvey Nash report stated that nearly half of digital leaders in the UK have admitted to a security skills shortage, and 40% revealed that they struggle to keep staff. Indeed, when asked about their greatest barrier to security strategy execution, 43% identified a lack of skilled resources — more than budget (35%), technology (13%), and board-level support (9%).
When security leaders consider how to tackle this challenge, they often revert to a collection of standard answers:
- Encourage schools and universities to identify talent early and bring students on board as apprentices.
- Source talent from within your Champions network.
- Stop reaching for the moon — seek raw talent rather than finished products.
- Encourage diversity by crafting job adverts and roles to accommodate different circumstances.
There is value in each of these suggestions; however, they have been well known for years, and yet the problem grows. We must dig deeper for ideas that can truly ‘move the dial.’
A problem of perception
Two challenges contribute to the problem.
The first is simply the perception of technology. The generation of security professionals now in leadership positions grew up alongside technology, watching it mature in step with the growth of their own knowledge and experience. They could visualise and understand the entire stack, unlike many who now view technology as a consumable, or an ‘app.’ This removes an element of understanding and positions IT as something like facilities management, where staff simply expect the health, safety, and security of their office space to be provided in an impeccable state, with no curiosity about how their quarters got into, or remain in, that condition.
The second is the perception of security. Every widely read cyber security story is one of failure and escalating risk. Our inability to keep up with the threat landscape paints a dismal picture that many students may seek to avoid. If the newspapers were full of stories of collapsing buildings, would you really aspire to be a builder, despite the obvious commercial opportunities?
Steps to be taken
What actionable steps can we take to combat these perceptions, and tackle the problem?
Rebrand cyber security as a force for good in the world
So many CISOs get personal fulfilment from their role by framing their responsibilities as ‘helping society,’ with 44% listing it as their top source of job satisfaction in a 2021 CISO survey. Each security professional removes a sliver of risk from an enterprise, and each enterprise contributes to a functioning, vibrant, and optimistic society. Rather than focusing on the failures, we need to position the cyber security brand as a righteous crusade to create a better world.
Widen the scope
Too many people perceive cyber security as a complex, technical world dominated by geeks in hoodies. They cannot see the vast opportunity for them to add value with their own skill sets. We need to broaden the vision so that every employee can become a partner in the security family and enrich it with their own talents. Marketers, lawyers, crisis leaders, authors, and game designers can all be part of a holistic security strategy, adding value and reducing risk, without stepping away from their primary passion.
Relieve strain on security staff
Too many senior staff are leaving the industry due to stress and overwork. The security leadership role has become incredibly broad, carrying accountability for protecting against risks and threats across the entire business, and yet the team remains a pyramid with a narrow base. By clearly pushing accountability back to the business units to adhere to standards, and holding them (rather than the security team) accountable when they fall short, we can free the leadership from much of the stress, minimising staff turnover.
Adjust the interview process
Change the process so that job interviews are no longer a tirade of questions and answers. Ask candidates to present on a topic after only 30 minutes of preparation. Give them scenarios and problems to solve so you can see their minds at work, rather than just testing their recollection. Seek passion and enthusiasm rather than knowledge or certificates, as the former will lead and surpass the latter with time.
Keep resources up to date
Security analysts often move on just to build their résumé with experience in attractive technology. Retain developing talent by committing to keeping your technology up to date and investing in staff training and development. Make staying with your organisation as appealing as moving elsewhere.
This problem has been growing for years, and no single action will address the imbalance between supply and demand. Tactical solutions may enable organisations to keep going; however, we must recognise that software is ‘eating the world,’ and our society is becoming increasingly dependent upon technology to function. The demand for resilient and secure systems is only beginning, and if we wish to stand any chance of getting alongside, or even ahead of, this issue, then each of us needs to take accountability for positioning the industry in a positive light. That is the only strategic solution.