Creating a diverse cybersecurity workforce is challenging to say the least as the cyberskills gap is still so prominent within the industry. Bridget Kenyon, EMEA CISO for Thales DIS, suggests how business leaders should consider a wider pool of potential employees in an attempt to plug the gap and create a more varied cybersecurity culture.
2019 was a busy year for the cybersecurity industry as it continued to battle both evolving and increasing volumes of attacks. But one thing was made abundantly clear – there is a real need for more talent within the industry. According to (ISC)², there is estimated to be over four million jobs in the cybersecurity industry unfilled globally, and in order to close that gap, things need to change. While there is no silver bullet to curing the skills crisis, the industry must continue to focus on educating companies on what skills they should be looking out for in people.
Different skills for different roles
From a penetration tester who needs more technical skills to the CEO who requires a more high-level understanding, the truth is that there are hundreds or even thousands of different roles that involve cybersecurity and data protection. It really is an industry that requires everyone to play a role. However, one important skill for anyone dealing with cybersecurity is flexibility, or adaptability.
With technological advancements, and cybercriminals boosting their capabilities, the industry needs to keep up with and understand the new threats they face. Take the rise of ransomware attacks, for example; despite not being sophisticated, many organisations are likely to fall victim to them. For any organisation, it is important to have someone at a senior level with the right level of contextual awareness – a combination of technical and business acumen to ensure that information risk is appropriately considered and decisions are made in a responsible and informed fashion. When an attack happens, they can then ensure that the response minimises the impact to the business. The ideal candidate for this role is someone who is on the board and can act as the champion for information/cybersecurity. This can be the CISO or CSO, or a non-exec member who is an expert in this field.
Training the rest of the business
Beyond the board, there are other cybersecurity skills that organisations may require. The first challenge is identifying them.
One issue with gap identification is the lack of awareness that there is a gap – i.e. getting the rest of the business on board when it comes to security. It is a situation where the lack of awareness makes it hard to convince people that there is a need for better expertise. This is known as the ‘bootstrap problem’. The way out is a good awareness campaign, starting with the decision makers (to ensure that the wider staff will to be motivated to take the training seriously).
On the subject of awareness, as with anything, you’re only as strong as your weakest link. An organisation can put in place the best security policies, for example, but if staff don’t adhere to them, it will remain exposed. In order to overcome this, you must educate the wider company in an effective and straightforward manner. In-house security teams have infinitely more knowledge than the rest of business and can be leveraged for this task. When designing your own training, it’s important not to overwhelm colleagues. Instead, show practical examples of the threats a person will face in their specific role and what they can do about it, such as top tips to spot a phishing attack. Make it completely relevant and completely actionable; this isn’t a theoretical subject! For their part, security teams also have a lot to learn about the wider business, so it’s important to establish two-way communications with colleagues in other departments.
Marketing also needs to be taken into consideration here, namely how the company views security in general. Is it seen as a hindrance – is security the ‘no’ department? This is where the delivery of key messages is important. For example, instead of just focusing on the work involved in protecting information, ask them to balance that effort against the cost, impact and disruption of dealing with a potential breach. Much like home or car insurance, investing in protecting something now can be worth it in the long term.
An encouraging career
As well as focusing internally, it’s important the industry looks to the external world. One thing a company can do is encourage as many staff as possible to consider a career in cybersecurity; hiring from within and training someone up can be really cost-effective and encourages retention. A part of this encouragement includes considering what sort of image the industry is projecting. Bringing in people from diverse backgrounds not only helps to plug the skills gap, but brings fresh ideas and new perspectives to the industry, which can only be a good thing. But how can we expect to attract a more diverse pool of talent if the most common thing they associate with security is a scruffy young man in a hoodie? Hiring people that have skills in marketing or PR can help improve understanding in the company (and the wider community) of what sorts of people already have a career in information security, in turn attracting more diverse talent.
When looking at candidates, don’t always focus on finding that one perfect person who has everything the company needs. For companies with larger budgets, focus on hiring a couple of people who can cover off the skills and experience they need between them; consider flexible working and job sharing. Those with a smaller budget, especially, shouldn’t hold out for the ‘unicorn’ candidate who ticks every box. Unicorns are expensive (if they even exist…). Instead, think about what is vital to the business and work on developing the rest while they’re in the job. Once a person is hired, give them the time and autonomy to work and grow in confidence in the role to ensure they stick around.
Outside of the work the industry can do, the public sector should also help from an educational perspective by introducing more information security projects and courses into university courses including IT, software engineering, economics, finance, marketing and MBA programmes. The government should also consider raising the level of awareness around data privacy in general in schools from a social perspective, to make people aware of how to protect themselves. These can help to drive interest in the industry from a young age, helping to plug the gap in future generations and encouraging students to share their knowledge with relatives.
Investing in early STEM education (from the beginning of primary school) can help create a more diverse sector by engaging with children, for example, before they are influenced by popular media and peer pressure to see some subjects as ‘for boys’ and ‘for girls’. This happens as early as age six.
The cybersecurity skills gap is growing and now is the time to turn it around. An education is clearly needed on the skills that are required, but also on the industry itself as a viable career alternative.
What’s clear though, whether it’s boosting skills internally or externally, is that there is still much work to do.