Cybersecurity is a mission-critical priority for organizations. But the cyber profession continues to face a major challenge: a substantial talent gap. There are not enough qualified individuals to fill millions of open positions globally. The cyber workforce gap is so big that a 2019 (ISC)2 study estimates it has grown to nearly four million job openings. That same study reports the population of cyber workers would have to grow 145 percent to meet global demand. Staggering numbers, with no overnight solution.
Some organizations are using tools such as artificial intelligence (AI) and robotic process automation (RPA) to automate tasks and reduce the amount of routine work for cyber teams. Additionally, managed security services providers (MSSPs) enable companies to outsource cybersecurity functions, which can also alleviate pressure from short-staffed cyber professionals.
These near-term steps are just one piece of the puzzle; companies can’t automate and outsource their way out of such a large cyber talent gap. There will always be a need for internal cyber talent focused on the most critical aspects of an organization’s business. Therefore steps should be taken to alleviate the talent shortage over the long-term. Ultimately, that should lead companies to a common goal of creating a cyber-culture that people want to join and where they want to stay.
Culture Shock: The Growing Talent Gap
The industry perception of cyber culture has been beset by stereotypes, including the notion that cyber teams are made up of young, hoodie-wearing males, typing away at highly technical work in dark basements.
This perception needs to change because it’s simply not accurate. The reality today is that cyber is at the center of the business universe. It’s fundamental to the sustainable success of all organizations. Without adequate cybersecurity and privacy controls, organizations cannot properly function in today’s climate. Cybersecurity and privacy lay at the foundation of every well-organized company and serve as business enablers, and proper implementation can serve as a way to project trust to customers.
Privacy regulations such as the General Data Protection Regulation, California Consumer Privacy Act and the Health Insurance Portability and Accountability Act have also broadened the skillsets modern cyber teams require – skills that traditionally trained cyber professionals may not have. Modern cyber teams often require individuals with regulatory and legal expertise. Additionally, intimate knowledge of business processes enables cyber teams to effectively implement compliant processes around how regulated data is discovered, collected, shared and stored.
As privacy’s role becomes an important part of so many domains, a broader expertise is required to build trust, ensure ethics, protect data, implement AI and much more. Together, security and privacy form modern cyber. Therefore, security and privacy need to be effectively addressed in order to reduce the severity of business risks associated with data breaches and regulatory violations.
Solving the talent gap begins with recasting cyber as a “career in business,” not a “career in the basement.” This will attract a more diverse pool of professionals, which will strengthen cyber operations and cyber culture.
Closing the Gap
The cyber talent gap can’t be solved overnight. It takes time to change cyber culture in such a way that the profession will attract a broader range of professionals. Fortunately, there are fundamental steps organizations can take to improve long-term stability and staffing for cyber, including:
Investing in the talent pipeline – Every organization has different needs. For example, a power company in the American Midwest faces different challenges around retaining talented cyber professionals than a high-tech firm in Silicon Valley. By recruiting from local universities, organizations can feed their specific talent pipeline. This benefits the company, the school and the local community, important factors for creating a sustainable business. Furthermore, providing employees with continuous education opportunities creates a clear and attainable career path, which is a powerful tool for both recruiting and retention.
It’s also important to remove the “technical” label from cyber work, which can result in women with the right education and experience shying away from the field. The “technical” label is one of the reasons why women make up half of the college educated workforce in the United States, but only 28 percent of the workforce in science, technology, engineering and math (STEM)-related fields. In the context of cyber, women with legal, business and regulatory expertise can all play important roles, increasing the pool of potential employees, supporting the closure of the talent gap.
Perhaps Astrid Lindgren wrote it best in her classic children’s book Pippi Longstocking when Pippi said, “I have never tried that before, so I think I should definitely be able to do that.” While some women may not feel that they have the appropriate skillsets, privacy and cyber are so diverse that their skills are actually essential for a sustainable and high-functioning cyber working environment. However, this needs to be communicated effectively to them, in order to create a broader, more diverse talent pool.
Focus on the mission – Cyber leaders can make sure the team’s mission is always the focal point for its activities. With security and privacy so closely intertwined, a mission-focused team ensures that all parties work together. Someone with a technical background may think about data protection from a technical perspective. However, on the privacy end of things, an employee with a legal background may think about how the data should be protected to avoid compliance violations. While both parties are focused on the same objective - reducing data risk - they are approaching it from different perspectives. In order to truly mitigate data risks, both perspectives must be considered, making sure data is secure and compliant (which are not the same thing).
Combining skillsets and responsibilities in this fashion, when done consistently, can improve staff morale and retention, mainly because workers feel like they serve a common goal and are delivering value to the business. Over time, this helps to create the type of cyber culture that people want to join, and don’t want to leave, which is an important step to relieving the strain of the talent gap.
Reframe cyber from being a cost center to a revenue generator – When cyber professionals view themselves as part of a cost center, they might not recognize the value they add, or feel they have job stability, especially during challenging economic times.
This problem can be tackled if cyber professionals understand how their work translates to responsible business and revenue. This can generate greater morale and enthusiasm when compared to the “cost center mentality.” In today’s environment, cyber is not a cost center, it is a strategic component of enterprise risk management and a business enabler. When it is positioned as such to employees, they will understand that the company values cyber and see a career ladder to scale.
This perception should be projected throughout the organization. Everyone should view the cyber team as a critical component to the business, just like they do the sales or marketing teams.
Spotlight on employee wellbeing – Cyber teams have experienced a spike in activity since COVID-19 hit, with threat actors taking advantage of the pandemic and companies transforming overnight into “work from home” enterprises. According to a Forbes report, Microsoft detected nearly one million COVID-19 themed attacks per day during the first week of March. And for privacy professionals in particular, government and other organizations have been processing tremendous amounts of health data this year, putting a spotlight on privacy and making it mission critical to business operations.
The reality is, cyber teams understand that a single mistake can cause tremendous damage to the company, and that’s enough to keep them awake at night, often working long hours to make sure nothing slips through the cracks. It’s important for organizations to let cyber teams know their efforts are appreciated, and that properly managing the stress from the job should be a priority.
Closing the cyber talent gap is important, but also time consuming because more people and technology need to be involved. By taking proactive steps to create an attractive, inclusive, and sustainable cyber culture, organizations can accelerate this process while also becoming a magnet for attracting top talent.
Annika Sponselee is Partner at Deloitte Risk Advisory and heads the Privacy Team. This Privacy Team exists of 20 privacy experts, all dedicated to and qualified in their field of expertise (i.e. legal, security and/or compliance). She also leads Deloitte’s General Data Protection Regulation (GDPR) offerings both Globally and for Northwest Europe. Annika is committed to combining the legal, technical and organizational aspects of privacy in the advice to clients and has over 10 years of experience in this field. She has regularly coordinated multi-jurisdictional privacy projects, which involved dozens of different countries. In doing so she gained a lot of knowledge on privacy legislation applicable in other (EU) countries. Annika gives training courses and presentations on this subject too.
Sharon, a principal at Deloitte & Touche LLP, is the Cyber Risk Secure Supply Chain leader for the Cyber Risk Services practice of Deloitte Risk & Financial Advisory. Sharon is a Certified Information Systems Security Professional (CISSP) with more than 20 years of experience helping global clients manage cyber risks. She focuses on the energy industry and brings experience in policy and risk governance implementation, cyber threat monitoring, vulnerability management, identity and access management, and data protection. She has worked with industry frameworks including NIST, ES-C2M2, and ISO, in addition to regulatory requirements including PCI, NERC / FERC, and HIPAA.