The Cybersecurity Talent Shortage is BS!!!

The final COSO point under the guiding principle of Governance and Culture is Attract, Develop and Retain Capable Individuals.

The notion that there is a colossal cybersecurity talent gap has been beaten into us through various studies and publications. Depending on the study du jour, there are anywhere from 2M – 4M individuals needed to close the skills gap.

I’m here to tell you that is BS. Do I think there is a skills gap? Certainly, but I also believe that we shoot ourselves in the foot with ridiculous requirements, such as needing 5-7 years of experience and 3 certifications for an “entry-level” analyst role in a Security Operations Center. Yes, some of the problems are due to misaligned Human Resource departments, but the burden of the problem lies on US!

The cyber threat landscape evolves daily and even hourly in some cases.

Attackers seem to get smarter and more efficient through increasingly simple, yet sophisticated attacks.

How do we keep up?

We can’t afford to keep writing “We are cybersecurity special snowflakes, and our stuff don’t stink” job requirements like the one mentioned above.

It is vital to have a strategy to attract, develop and retain the talent that is right for your organization. Doing so will require an investment in time and money, so it is crucial to create a business case that describes how your strategy around cybersecurity talent supports your organization’s goals. 

You may decide to keep your governance, risk, and compliance (GRC) functions in-house, but outsource security operations and incident response to a Managed Security Services Provider (MSSP). Whatever mix of in-house vs. outsourced talent you choose, you have to create an environment that will attract top talent, develop that talent and retain that talent. It’s also critical to expand the pool of potential candidates to help you close that skills gap. Here are 3 things to focus on:

  1. Think outside the box and expand the talent pool.

    o   Hire marketers and educators to develop and run your cybersecurity awareness program.

    o   Consider leveraging former accountants to work in your governance, risk, and compliance programs. Accountants tend to have exceptional analytical and organizational skills, along with attention to detail and problem-solving skills that are critical in a GRC role.

    o   You may choose to hire someone with a law enforcement background for digital forensics and incident response roles since they have experience in investigation techniques and understand the importance of maintaining a chain of custody for evidence. 

    o   Retain a lawyer to design and operate your third-party risk management function since many of your liabilities will be determined in contracts.

  2. Invest in your people.

    o   This seems obvious, but what is typically the first thing that gets cut when a budget needs to be reduced? Training. This is absolutely ridiculous in our field, where the threat landscape and the tactics, techniques and procedures of attackers constantly evolve.

    o   Get creative and develop a plan to encourage continuous learning. The plan can involve formal training, like a SANS Institute course or a certification bootcamp, but it can also involve a more cost-effective paid subscription to an online platform like Cybint, Pluralsight, or Cybrary.

    o   Of course, some of the accountability for continuous learning lands on the employee, but the rest resides with the employer. Yes, making money is great, but there are plenty of studies that show intrinsic motivation tends to have a greater effect on employee satisfaction and retention than extrinsic motivation. In other words, learning, growth and job satisfaction outweigh pay in motivating employees of the 21st century.

  3. Invest in new technologies such as (buzzword alert), automation, machine learning, and artificial intelligence.

    o   Cybersecurity solutions leveraging these technologies have matured over the years and can be tremendous force-multipliers for a constrained and stretched workforce.

    o   This also frees up your people from doing low-level, boring work so they can take on more interesting and complex things, such as helping to mature the security architecture or performing red teaming and threat hunting exercises.

That’s it. We finally got through the first COSO guiding principle of Governance and Culture. To review, COSO has 5 guiding principles:

  1. Governance and Culture

  2. Strategy and Objective-Setting

  3. Performance

  4. Review and Revision

  5. Information, Communication and Reporting

We wrapped up the first guiding principle of Governance and Culture, which has 5 points:

  1. Exercise Board Risk Oversight

  2. Establish Operating Structures

  3. Define Desired Culture

  4. Demonstrate Commitment to Core Values

  5. Attract, Develop and Retain Capable Individuals

Next week, we’ll move on to the 2nd COSO guiding principle of Strategy and Objective-Setting.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Have a great week.
