People create paradigms. In every industry and job function, employees are one of the most important success factors, as they operationalize any strategy established by leadership. The security industry is no exception.
It stands to reason, then, that one of the most important elements of any organization's cybersecurity program is its people. To elevate one's security strategy, leaders must take a two-pronged approach to building their workforce: hire skilled security talent, while establishing a security-centric culture among employees.
Let's discuss how that's done, including how to find and retain talent in a changing recruitment landscape, and what it takes to instill training as a foundational piece of company culture.
An Evolving Recruitment Landscape
Cybersecurity roles require a unique set of skills, which can be challenging when it comes to recruitment. Faced with a persistent skills shortage, our industry is grappling with a small talent pool all the while working to address today's advanced threats. To find the right talent — let alone sustain it — organizations must broaden their existing perspective on recruitment.
I recommend that you think beyond the usual computer science programs and majors and consider connecting with those with a strong interest in cybersecurity. English, philosophy, and business majors can do very well in this field. Those in creative pursuits can bring a new perspective and critical thinking skills to your team. Being a strong collaborator and communicator is essential because security spans every part of an organization. For example, I made it a priority to build relationships with our engineering team, joining their team meetings. I’ve often found that somebody who can build these relationships is far more valuable than someone who has a long list of certifications.
By keeping an open mind, you'll form a diverse team of problem solvers. As you search, look for "multipliers" — which is a term I use for people who help everyone else get even better. These are employees who not only deliver value within their own work, but also improve the output of those around them.
But it's one thing to identify talent, and another to attract it. Leaders need to understand what motivates workers these days, which is more nuanced than ever before. The workforce has evolved dramatically, so it's only natural that the recruitment process needs to adapt as well.
With millennials and Generation Z making up more than half of the workforce in 2020, according to research by ManpowerGroup, organizations should speak to what these groups inherently look for in a work environment. Millennial and Gen Z employees appreciate flexibility, mobility, culture, and a sense of purpose — position these value propositions at the forefront of your recruitment strategy to attract top talent and avoid churn.
Training As a Pillar of Company Culture
A security-centric culture isn't built overnight. It requires consistent and meaningful training and education that help employees understand the role they play in the security posture of an organization.
The IBM 2021 X-Force Threat Intelligence Index reports 95% of cybersecurity breaches are due to human error. Training employees isn't just important, it's essential for a business's survival.
To combat today's complex threats, training has to go beyond the basics. Annual security training needs to be complemented by regular security awareness communications and ongoing employee education.
IT leaders need to also tailor their programming to the unique needs of the hybrid workforce — building in situational training that prepares employees for any unique threats they'll face during this new phase of work. This education should cover scenarios that will be prevalent in this flexible landscape, speaking to the potential risks that come with using personal devices, public Wi-Fi networks, and more.
At my company, we conduct annual security training with our employees, and have broadened our efforts to encompass situational training as well. We've introduced monthly phishing simulations for employees along with follow-up education, so they may practice identifying and reporting suspicious emails in a safe environment.
Training should also expand to a company's developer teams, which can undergo continuous learning via secure code training. Through capture-the-flag competitions and other gamification techniques, this type of training helps upskill existing talent and makes security integral to any innovation the team creates.
By instilling security in employees' day-to-day routines, all parties feel invested in the protection of an organization. Security becomes second nature.
The Power of Human Potential
By harnessing the power of human potential, leaders can instill security into the fabric of their organization — an investment that will pay dividends. With talent and training acting as the foundation for your strategy, you can create a security program designed for the future. A security-centric culture will become your new paradigm, thanks to your people.