Organizations face significant threats when it comes to cybersecurity. Well-funded bad actors are upping the ante by increasing the frequency and sophistication of cyberattacks. At the same time, work-from-home models and large-scale digital transformation efforts are escalating companies’ exposure to cyber risks. In an attempt to counter these threats, organizations are investing heavily to ensure they’re adequately protected. These investments have driven an explosion in the demand for cybersecurity talent.
The cyber talent shortage directly impacts risk exposure
Cybersecurity is one of the most in-demand skills in the marketplace, with thousands of unfilled positions as organizations struggle to find talent. Understaffed cyber teams are stretched too thin, leading to burnout, one of the top reasons for resignations. Employee churn in cyber is high at 44 percent, twice that of other IT professionals. Instability in the cyber workforce heightens an organization’s cyber risk in two critical ways:
• The loss of institutional knowledge when tenured cyber employees leave,
• Missed cyber control checks due to understaffed and inexperienced cyber teams.
The result: Cyber leaders are poaching talent from each other. They are all going to the same well and that well is drying up.
CISOs need to take the long view in stabilizing their cyber workforce
For organizations in this environment of increased risk and limited talent pool, a top priority should be to build a strong cyber employee value proposition—the best match between what cyber talent wants and what your organization has to offer.
Some aspects of this value proposition have become a baseline: remote/flexible work opportunities and competitive compensation. Employers instead need to focus on those aspects of their value proposition that are unique and enhance their brand in cyber circles. Examples include a collaborative culture, commitment to learning and innovation, large investments in talent, etc. These take time to build and require dedicated effort from cyber leadership. But once in place, they provide a sustainable competitive advantage.
With talent in short supply, leaders should focus on building cyber workforce resilience through an approach designed to:
• Reskill non-cyber talent to do cyber work, and
• Optimize how work gets done through build/bot/borrow strategies.
We frequently hear from CISOs that some of their best cyber talent came from backgrounds as varied as investigative journalism, insurance and first responders. Creating a steady pipeline from nontraditional sources requires investment in programs such as internships, mentoring and training. Even then, these investments only yield results if they have strong and consistent support from cyber leadership and the commitment to building talent becomes part of the cyber team’s culture.
Optimizing how cyber work gets done requires three critical components:
• Deconstructing the work into tasks and activities;
• Redeploying tasks into the optimal work model; and
• Reconstructing work into cyber roles within the organization, automation tools or outsourced to service providers.
Taking this long view to cyber workforce resilience requires commitment and investment. But, once accomplished, it creates a cycle that can help companies gain and maintain a competitive edge.
Board support is critical
Finally, support from the board can be critical to helping CISOs stabilize their cybersecurity workforce. This means getting cyber workforce strategy issues on the board agenda so that they:
• Have visibility to the talent issues the CISO is facing: cyber talent churn, employee satisfaction, talent development and succession planning efforts.
• Can understand the roadblocks to achieving cyber workforce resilience and how they can help to remove those roadblocks.
Getting your cybersecurity function right isn’t a mandate for the future—it’s a mandate for today. Organizations that are successful can build a culture and brand to drive cyber workforce resilience and reduce risks.