Security Workforce 2019: Closing the Gap Builds a Bridge to the Future

The recent government shutdown in the US brought worries about the shortage of cybersecurity workers into stark relief.

In the normal day-to-day, it's easy to get busy "making it work" by making money and keeping the lights on. Seeing the furlough of federal workers and disruption of government functions immediately and visibly impact critical commercial, transportation and public services is an eye-opening and timely reminder of our interconnectedness. It also underlines the danger of understaffing critical cybersecurity programs. The more we transform our businesses, governments, and public and personal lives through digital technology and connectivity, the more we share the accompanying risks. The ancient adage seems timely once again: we're only as strong as the weakest link in the chain. And the security skills gap represents an alarmingly weak link.

In short, as the cyber threat landscape continues to grow more varied and intense in sophistication and strategic intent, the pressure on information security teams continues to mount. When a company doesn't have enough personnel to contain and understand the growing risks it faces, the struggle to hire and retain skilled security professionals becomes a risk not only for that company, but also for any other entity connected to it.

Shortfalls in skills and capabilities have surely contributed to many of the major security incidents, data breaches and ransomware attacks that have filled the headlines and resulted in widespread exposure of sensitive information, damage to brands and reputations, erosion of public trust, increased regulation, fraud and financial loss. Building tomorrow's security workforce is critical if we ever hope to see the day robust, efficient and long-term enterprise security is normal and expected.

We've been talking about this skills shortage for many years now, at many levels of government, industry and higher education. And yet the gap persists. Organizations must commit to changing their attitude and approach to hiring and training, and step up their participation in "joint pipeline" development efforts. The traditional approach to identifying candidates is overly rigid. When combined with over-stressed and under-staffed work environments -- not exactly appealing to the best candidates -- this approach creates a funnel that is too narrow at the top. It's time to apply the creativity and passion for innovation that drove the meteoric rise of the digital economy to meeting this crucial challenge.

Filling the pipeline will require finding a way to channel the vast untapped pools of talent we know are out there. If only 20% of the global cybersecurity workforce is composed of women, there are obviously lessons to be learned about how to attract bright prospects from a wider spectrum of education, experience and expertise. It goes way beyond gender diversity -- organizations must commit to developing initiatives aimed at fostering talent from younger and older age groups, underprivileged school districts, liberal arts colleges and other "outside the box" options.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g. security software platforms, patching and configuration practices, analytics and machine learning initiatives) become more complex.

Past: Security in silos
The security workforce, typically defined as the personnel responsible for an organization's information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as risk, technical IT operations, legal or audit, and it might be called information, cyber, assurance or operational security. It can also report into various business units, including finance, risk, governance or IT.

Over time, the lack of a consensus definition or integrated structure has allowed numerous, disparate components to form the typical enterprise security workforce. It's shocking how rarely essential infosec contributors -- employees working within threat intelligence, business continuity and security operations -- convene in one distinct function under a designated leader.

Present: Supply and demand are imbalanced
To have any hope of maintaining an effective security posture, enterprise executives must close the gap between supply and demand within their organization through a dynamic combination of workplace culture and appeal, strong processes and policies, and integrated, automated technology support. The scope of the challenge means it needs to be addressed from both sides: widening the funnel and filling the pipeline to fill demand from one direction, and from the other side, reducing the amount of work and the level of expertise required to maintain robust defenses, intelligent monitoring and agile incident response. However it is achieved, closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture -- and on a larger scale, critical to maintaining public trust and reliable public and commercial services.

If the pool of applicants at a certain level of skill, qualification and experience is so small that most organizations (including SMEs, government agencies, and municipal services) can't afford to hire any of the available candidates, something must give. Moreover, talented security staff are in such high demand that even if you manage to hire a choice candidate, they may soon be lured away by better perks and projects at a more prestigious organization. Hence the gridlock we find ourselves in at present. By making reasonable adjustments to requirements for levels of education, certifications and years of experience, companies and industries can loosen the jam and fill up their talent pool.

The delta between security job openings and qualified candidates isn't inevitable. For many organizations, it could be as simple as encouraging those doing the hiring to be more flexible and developing more informed and imaginative recruitment and apprenticeship practices.

Future: Working toward human-centric security
Many promising candidates, including recent graduates, are interested in high-tech companies and careers, but information security is perceived as deeply technical (and let's be honest, also tedious and high stress), leaving recruiters struggling to connect with candidates from less specialized backgrounds.

Smart leaders are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that can meet the challenges presented by digital risk -- not to mention technology solutions that free up human resources and reduce tedium and complexity.

A human-centric approach provides the framework for building a balanced, fully staffed security workforce of proficient and satisfied information security professionals. Of course, this approach requires leadership commitment and budget allocation -- but it's a crucial investment in the future. And in cybersecurity, the future comes at you fast.

The imperative of a sustainable security workforce
Our deepening reliance on connected digital systems, and our subsequent vulnerability to a shifting array of cyber threats, has made the security workforce core to enterprise profitability and survival. But for many enterprises, developing a sustainable security workforce is out of reach because attracting and retaining experienced, certified security experts is a constant battle. To break this impasse, governments, industries and companies need to establish strategic objectives that prioritize transformative investments in developing a stronger workforce and a bigger, more accessible talent pool.

With clear direction and sustained HR efforts, organizations can formalize the structure of security teams, reporting and leadership to bring them into better alignment with the organization's security objectives. An integrated, agile security function can be a powerful partner to the business.

In the bigger picture, the more stakeholders work together towards the common goal of diversifying, growing and advancing the security workforce, the safer shared cyberspace will be. In large part, our digital world runs on shared data and networks and relies on the public trust. Security professionals are the guardians of these assets. In the year ahead, rise above the hiring fray and focus on fresh, strategic, long-term approaches to building, supporting and integrating your security workforce.

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.