Leave it to a global pandemic to disrupt industries many of us have assumed to be stalwart. Companies fortunate enough not to traffic in hard goods are realizing they can survive (and cut significant costs) by moving to work-from-home workforces. This shift, with an estimated 62% of the workforce now working from home, demonstrates the increased need in hiring for cybersecurity personnel required to manage these new business models. At first, this sounds great for the resilience of the cybersecurity sector — but this means the already existent skills shortage for security professionals is about to get a lot worse.
The result is that the lines between what have been considered "pure" cybersecurity roles and, well, everything else are becoming blurred. A recent (ISC)² survey shows that many security professionals are being leveraged to support general IT requirements to accommodate different needs for work at home amid the pandemic. That makes sense. Companies need to have the infrastructure in place to support these new remote workers logging in from their home ISPs while also ensuring the security of sensitive data and intellectual property.
Enter the Cyber-Enabled Workforce
According to a Ponemon study, 88% of employees said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Based on this projection, the cyber-enabled workforce within the United States exceeds 75 million personnel, and that number could be significantly larger if it included companies of fewer than 100 employees.
For example, threat hunting is a critical cyber role in many companies. But the personnel required is relatively small compared with the other defense and security functions in the organization. And even smaller relative to IT, network, and cloud roles.
The biggest role needs in security teams are, in fact, not what we would traditionally classify as cybersecurity roles — they're cyber-enabled roles. A cyber-enabled employee should have an above-average understanding of cybersecurity, but does not need the breadth and depth of knowledge that a dedicated cybersecurity practitioner has.
The most common cyber-enabled roles are in IT and are relevant to organizations of all sizes, not just limited to large enterprises with mature cybersecurity teams.
- Network architecture: Designing and deploying a computer network is a traditional IT role that increasingly requires a solid understanding of security to ensure corporate systems are configured securely and reduce the risk of external attacks.
- Cloud architecture and deployment: The move to the cloud has created a similar role for cloud-based networks, their design, and their security.
- Identity and access management: Solutions that verify and authenticate users on a network must be deployed in a way that still complies with organizational security requirements and minimizes data loss.
Security development and DevSecOps have been reigning buzzwords for a few years. Whether you believe that developers need to acquire security experience or security practitioners need to learn to write code, most organizations have made a direct effort to infuse cybersecurity best practices into each stage of the software development life cycle (SDLC), rather than after the finished product is released..
- Application software developers: Computer and mobile applications are used by corporate and individual consumers for all kinds of things (cars, video games, online shopping, social media, you name it). Not only does that mean an application developer needs to understand user’s needs to design and write the code to create a solution, but also do so securely to minimize the risk of data or code within the application from being stolen or hijacked.
- Systems software developers: These professionals' creed operating systems-level software, more geared towards designing enterprise solutions (medical, industrial, military, business, etc.). The industry focus of their work makes it imperative that these systems are designed securely to minimize vulnerabilities.
Governance, Risk, and Compliance (GRC)
GRC team members are also considered cyber-enabled based on their need to understand all areas of the organization that could present meaningful risk. In this light, their understanding of cyber-risk needs to go well beyond traditional awareness training.
- Risk manager: A traditional risk analyst or manager examines a series of activities or initiatives and analyzes the risk involved in those associated decisions. Given almost every action and activity in business today takes place over a network or technology system, knowledge of cybersecurity is imperative to appropriately apply it to the decision-making process.
- GRC analysts: Policies, processes, and controls are necessary parts of all businesses. Cybersecurity is no exception, and there's growing demand for people with regulatory and business backgrounds to apply that knowledge in the development of security GRC programs.
- Privacy analysts: Since most organizations store data on computer networks and databases, a privacy analyst needs to understand those systems and applications in addition to business processes and the privacy regulations of specific industries.
Healthcare Professionals and Medical Device Professionals
Healthcare organizations employ large numbers of employees that manage or have access to sensitive data and medical devices on a day-to-day basis. Compared with other industries, such as financial services, healthcare organizations do not as frequently create discrete cybersecurity positions and are more likely to create cyber-enabled roles.
- Data security administrator/analysts: Ensuring that information, and in particular protected health information, is properly handled and stored is a priority for healthcare organizations. Preventing data security violations, especially those protected by HIPAA, GDPR, and a growing number of other regulations, is a primary business concern for the healthcare sector.
- Clinical engineers: As medical devices become increasingly connected (by 2025, it's estimated 68% will be connected to the Internet), there's an even greater need for security given the sensitivity of health data. And that's not a traditional security role — that's often the engineers building the devices, although medical device manufacturers have a critical role when it comes to cybersecurity as well.
It's About the Skills, Not the Roles
While these lines between security and other jobs are blurred, there's a secondary shift in play (also thanks to COVID-19): Our traditional education model has been turned on its head. Degree programs are costly and not turning out job-ready graduates. The market, students and employers alike, are now considering faster, more cost-effective, and efficient ways to align talent to job requirements. And this isn't specific to the private sector. The White House issued an executive order on June 26 that directs the federal government to de-emphasize degree requirements and instead focus on skill, competency, and knowledge.
Companies also need to invest in their workforce strategies and training instead of relying on the external market. It's important to create, tailor, and deliver upskilling solutions to employers based on their unique workforce requirements and roles. That means a need for modular, skill-focused education that allows employees to acquire new knowledge in shorter chunks of time without sacrificing workplace productivity. When an employer defines the roles in their own organization companies can then be more discriminating in selecting and deploying upskilling strategies.
A skills-based approach provides an efficient way to upskill and prepare for the cyber-enabled jobs of the future (and today) without leaving positions unfilled or waiting for a pipeline of candidates through lengthy degree programs. Skills are transferable from position to position and are cumulative, meaning the workforce of the future will be more likely to have cybersecurity knowledge and abilities despite not being in a cybersecurity position.