Leave it to a global pandemic to disrupt industries many of us have assumed to be stalwart. Companies fortunate enough not to traffic in hard goods are realizing they can survive (and cut significant costs) by moving to work-from-home workforces. This shift, with an estimated 62% of the workforce now working from home, demonstrates the increased need to hire the cybersecurity personnel required to manage these new business models. At first, this sounds great for the resilience of the cybersecurity sector, but it means the existing skills shortage for security professionals is about to get a lot worse.
The result is that the lines between what have been considered "pure" cybersecurity roles and, well, everything else are becoming blurred. A recent (ISC)² survey shows that many security professionals are being leveraged to support general IT requirements to accommodate different needs for work at home amid the pandemic. That makes sense. Companies need to have the infrastructure in place to support these new remote workers logging in from their home ISPs while also ensuring the security of sensitive data and intellectual property.
Enter the Cyber-Enabled Workforce
According to a Ponemon study, 88% of employees said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Based on this projection, the cyber-enabled workforce within the United States exceeds 75 million personnel, and that number could be significantly larger if it included companies of fewer than 100 employees.
For example, threat hunting is a critical cyber role in many companies. But the number of personnel required is relatively small compared with the other defense and security functions in the organization, and even smaller relative to IT, network, and cloud roles.
The biggest role needs in security teams are, in fact, not what we would traditionally classify as cybersecurity roles — they're cyber-enabled roles. A cyber-enabled employee should have an above-average understanding of cybersecurity, but does not need the breadth and depth of knowledge that a dedicated cybersecurity practitioner has.
The most common cyber-enabled roles are in IT and are relevant to organizations of all sizes, not just limited to large enterprises with mature cybersecurity teams.
Security development and DevSecOps have been reigning buzzwords for a few years. Whether you believe that developers need to acquire security experience or security practitioners need to learn to write code, most organizations have made a direct effort to infuse cybersecurity best practices into each stage of the software development life cycle (SDLC), rather than after the finished product is released.
Governance, Risk, and Compliance (GRC)
GRC team members are also considered cyber-enabled based on their need to understand all areas of the organization that could present meaningful risk. In this light, their understanding of cyber-risk needs to go well beyond traditional awareness training.
Healthcare Professionals and Medical Device Professionals
Healthcare organizations employ large numbers of employees who manage or have access to sensitive data and medical devices on a day-to-day basis. Compared with other industries, such as financial services, healthcare organizations create discrete cybersecurity positions less frequently and are more likely to create cyber-enabled roles.
It's About the Skills, Not the Roles
While these lines between security and other jobs are blurred, there's a secondary shift in play (also thanks to COVID-19): Our traditional education model has been turned on its head. Degree programs are costly and not turning out job-ready graduates. The market, students and employers alike, is now considering faster, more cost-effective, and efficient ways to align talent to job requirements. And this isn't specific to the private sector. The White House issued an executive order on June 26 that directs the federal government to de-emphasize degree requirements and instead focus on skill, competency, and knowledge.
Companies also need to invest in their workforce strategies and training instead of relying on the external market. It's important to create, tailor, and deliver upskilling solutions to employers based on their unique workforce requirements and roles. That means a need for modular, skill-focused education that allows employees to acquire new knowledge in shorter chunks of time without sacrificing workplace productivity. When an employer defines the roles in its own organization, it can then be more discriminating in selecting and deploying upskilling strategies.
A skills-based approach provides an efficient way to upskill and prepare for the cyber-enabled jobs of the future (and today) without leaving positions unfilled or waiting for a pipeline of candidates through lengthy degree programs. Skills are transferable from position to position and are cumulative, meaning the workforce of the future will be more likely to have cybersecurity knowledge and abilities despite not being in a cybersecurity position.
Simone is chief executive officer at CyberVista, where she leads product development and delivery of cybersecurity training and education curriculums as well as workforce initiatives for executives, cyber practitioners, and continuing education. Previously, Simone was a senior ...