
How is the industry responding to the skills and talent squeeze?

ROSALYN PAGE

By Rosalyn Page, Award-winning writer and content strategist covering innovation, technology and the digital lifestyle

Security professionals do not need to be told they are experiencing a talent squeeze, but the shortage is worsening. Sixty-three percent of respondents to ISACA’s State of Cybersecurity 2022 report had unfilled cybersecurity positions, up eight percentage points from 2021.

While the pandemic has exacerbated an already tight cybersecurity talent pool, there are other systemic issues. According to Jo Stewart-Rattray, a member of ISACA’s Information Security Advisory Group, the pay disparity between genders has produced a male-dominated workforce and has inhibited the creation of a wider cohort in the industry.

Adding to the challenges, ADAPT research analyst Pooja Singh says it is critical to have the right talent. “As organisations try to modernise and remain secure against evolving threats, the cyber skills shortage can often feel more pronounced than shortages in other technical areas,” she says.

However, there are some sectors where the shortage is worse. “The crunch is being felt hardest across the public sector, where government departments struggle to compete for staff against well-heeled private firms in terms of salary,” Singh says. “It is also the case in healthcare, an industry already experiencing massive burnout and the added pressure of protecting highly sensitive patient information.”

THE TALENT SQUEEZE MAKES THE ENTIRE ORGANISATION MORE VULNERABLE

Increasingly frequent attacks coupled with increased digitisation across all sectors mean security is no longer just an IT issue, according to Verizon’s head of APJ cybersecurity, John Hines. He says organisations are already struggling with increased security risks. “A cyber skills shortage means teams may not have the right mix of resources to manage potential attacks.”

One of the less obvious issues, according to Hines, is that more organisations are falling into the category of critical infrastructure. “Pressure for a strong security posture for these Australian organisations is at an all-time high.”

ISACA’s Stewart-Rattray agrees that an underresourced security team certainly poses risks for an organisation. “The level of increased risk does depend on the organisation’s security posture and environment to begin with,” she says. “For example, is it a labour-intensive team? Are they using a lot of monitoring tools? Are there state-of-the-art platforms in place?

“The most obvious impact of an underresourced security team is on its ability to respond instantly and remediate a breach. If the organisation has to contract external consultants there is, potentially, a costly time-lag in addressing a vulnerability.”

HOW SHOULD ORGANISATIONS WITH A SKILLS SHORTAGE BOOST THEIR SECURITY POSTURE?

Dealing with the skills shortage is one thing. The other equally important issue is working to reinforce the organisation’s security posture in the face of the ongoing talent squeeze. While they build their talent pipeline, “organisations need to get serious about taking a risk-based approach and use existing tools and resources available to them to mitigate those risks,” says Hines.

Cybersecurity awareness programs need to run throughout the organisation, says Singh, but must move away from the ‘one and done’ approach. Instead, they must actively use phishing emails for testing, collaborate with academic institutes and enrol their cybersecurity team into certification programs. “Designing security in from the start can reduce the time, cost and risk involved with addressing these issues as an afterthought,” Hines says.

Security must also be an underlying qualifier for any and all digital transformation initiatives, including architectural design, cloud projects, data compliance and the use of artificial intelligence and machine learning for prediction and augmentation. “Evaluating these decisions through both a security and enablement lens is pivotal,” Singh says.

WHAT ARE THE SOLUTIONS TO THE PIPELINE PROBLEM?

Those looking for the magic bullet will be disappointed. Everyone agrees attracting more students into security is vital, as is boosting women’s participation, but to achieve these goals ingrained stigmas about security being a male-centric career must be dispelled.

Stewart-Rattray says the gender pay gap only validates this. “So systemic barriers hindering gender disparity issues must be addressed.” She nominates mentoring, coaching and more role models as the means to achieve this. “It’s up to my generation of security experts to encourage and support aspiring generations to give this career option serious consideration and have a crack.”

ADAPT’s Singh believes senior executives should also support better diversity and inclusion initiatives including gender outreach programs to encourage women to kick-start their cybersecurity careers. She says building better pipelines designed for greater inclusion will not only grow the talent pool but also offer increased access to the problem-solving skills available from greater neurodiversity and a mix of experiences, demographics and vision.

For the time being, organisations are looking to cross-training as well as tapping consultants and contractors to help fill the gaps, according to ISACA’s survey. However, MassMutual CISO, Ariel Weintraub, warns this approach requires focused efforts on “comprehensive risk assessments and risk quantification to ensure resources are allocated to addressing the most important threats.” Over the longer term, Weintraub recommends building a strong bench of talent by leveraging an early career pipeline and recruiting from a wider pool of applicants with a variety of educational backgrounds, rather than focusing specifically on cybersecurity and computer science. “Candidates with degrees in areas such as political science or economics bring a unique perspective on problem solving and critical thinking; cybersecurity concepts can be learned on the job,” says Weintraub.

Another avenue to boost participation, suggests Weintraub, is partnering with non-profit organisations to sponsor scholarships “for potential students who come from underrepresented communities, especially those who are first in their families to attend college.”

www.linkedin.com/in/rosalyn-page

rosalynpage.com
