By Tara Mahoutchian, principal, and Jimmy Joseph, managing director, Deloitte & Touche LLP
Organizations across the spectrum—from tech companies to local, state, and federal agencies—are finding it increasingly difficult to recruit and retain cyber talent. We have yet to come across a chief information security officer (CISO) in life sciences or health care who is not experiencing some pain points around cyber talent.
More than 700,000 cyber positions are estimated to be unfilled in the United States, 3.4 million globally, according to the latest data from the World Economic Forum’s Global Cybersecurity Outlook for 2023.¹ Recent layoffs announced in the technology sector might move more people into the talent pool, but it is likely not enough to close the gap.
Finding and cultivating talent
According to the 2022 HIMSS Healthcare Cybersecurity Survey, 84% of respondents said recruiting qualified staff is their greatest challenge.² There are two key facets to the cyber-talent challenge:
- Volume: The ongoing talent gap in cybersecurity can be difficult to fill. The increasing volume of technology, combined with an expanding attack surface (e.g., digital transformation, remote working, cloud adoption), is driving increased demand for talent.
- Variety: As organizations innovate and adopt contemporary solutions (e.g., artificial intelligence, virtual health), cyber practitioners will need to possess skills to protect these new technologies.
A shortage of talent can impede an organization’s innovation, agility, and business enablement, and could leave holes in its risk profile. In response, some CISOs might place too much attention on filling open positions, which can be a losing battle. Instead, organizations should consider determining which functions can be sourced through a strategic third-party relationship and which ones need to be kept in-house. Rudimentary tasks like risk analysis, for example, typically don’t require a sophisticated competency and could be outsourced. We encourage our health care and life sciences clients to consider a combination of strategies to find new talent (or train existing employees) to help close the cyber-talent gap. Here are a few places to turn:
- Internal talent: Some existing employees (e.g., the IT service desk or members of the networking team) might possess skills that can be flexed and indexed against the organization’s cybersecurity needs. We recently produced a video series that profiles the experiences of CISOs from large health care organizations (see The Life of a Health Care CISO series). In one interview, Adam Zoller, chief information security officer at Seattle-based Providence, explained that some of his organization’s top network defenders and cyber intelligence analysts are former help-desk employees. He explained that these professionals were previously responsible for picking up phones and solving challenges. They tend to be familiar with the ecosystem because they've had to triage and respond to incidents dealing with people's accounts and systems. Investing in these employees and helping them grow into a new role can help to create loyalty to the organization, he said.
- Skills-Based Organization (SBO): An SBO is a new talent model where jobs are broken down into projects and tasks are based on the skills and capabilities that are required to complete them (see Deloitte Global’s report, The Skills Based Organization). As the technology landscape grows more complex, cyber teams might want to help staff develop skills that can help them respond to threats while increasing their professional longevity. By focusing more on the skills needed, and less on the jobs themselves, organizations might be able to drive more scalable, manageable, and equitable ways of operating. Building an internal skills hub (an engine of skills data, technology, governance, and more) could help inform talent and workforce decisions. SBOs are more likely to place talent effectively, more likely to retain high-performers, and more likely to have a reputation as a great place to grow and develop, according to the report.
- Artificial intelligence: In the not-too-distant future, some full- and part-time positions could be filled by, or augmented by, AI. While there may be concerns that AI could completely replace some people, the combination of humans and AI could lead to a more efficient and creative workforce. If AI can take on routine tasks (e.g., repetitive tasks that can be solved with an algorithm), humans might have more time to take on more interesting and human-centric work. The SBO could then be designed around human skills that cannot be solved with AI.
- Cyber education: A growing number of technical colleges and universities are offering certificates and degrees in cybersecurity.³ In addition, some government agencies have launched workforce expansion and cultivation efforts to cope with the cyber talent shortage, including training programs to upskill current employees and new methods to onboard a diverse pool of candidates. The National Initiative for Cybersecurity Education (NICE), for example, is a partnership between the National Institute of Standards and Technology (NIST), academia, and the private sector. The initial concept of NICE was to strengthen the federal cybersecurity workforce. It has since been expanded to the private sector, where organizations across industries rely on its competency model as a basis for their own skills expectations and role profiles. Some organizations are also beginning to revamp their own talent acquisition practices.⁴ Deloitte has developed a train-to-hire program that identifies non-traditional talent, trains candidates for a range of cybersecurity positions, and deploys them across a range of project types. Candidates can enroll in a variety of boot-camp options that can help prepare them for careers and roles that previously might have required more formal cybersecurity training, certifications, or education.
Conclusion
Cybersecurity can be a challenging job. Cyber professionals should be vigilant and might need to make personal sacrifices by working late nights, weekends, and holidays. A workplace culture where employees are recognized for their contributions and have an opportunity to advance themselves professionally can help organizations attract and retain talent. The constant churn of resources can make it challenging for organizations to achieve cyber maturity and modernization. Health care and life sciences organizations that place a strategic talent lens on the entire cyber workforce ecosystem may be more successful in finding, cultivating, and retaining cybersecurity talent.
Endnotes:
1 Global Cybersecurity Outlook 2023, World Economic Forum, January 18, 2023
2 2022 HIMSS Healthcare Cybersecurity Survey, Healthcare Information and Management Systems Society, 2023
3 10 popular cybersecurity certifications, Coursera, June 15, 2023
4 FBI and CIA combat cyber talent shortage with new hiring methods, Nextgov/FCW, May 22, 2023