How Can CISOs Solve the Cybersecurity Talent Shortfall?
By Shalom Bublil, Chief Product Officer at Kovrr
As cybersecurity threats grow larger, organizations struggle to hire enough staff to stay secure. Not only do companies often lack talent with the skills to meet existing risks, but they also need to add and train staff with the ability to handle new threats in areas like cloud security.
“Because there are so many specialty areas in cybersecurity, and because the field is evolving so quickly, basic cybersecurity know-how no longer cuts it,” notes The University of Tulsa.
Yet finding this talent is easier said than done, leaving many organizations short-staffed. A survey by Cobalt finds that 94% of security teams face talent shortages. Plus, existing staff are often unsatisfied, with 54% in the Cobalt survey saying that challenges such as it being “harder to monitor for vulnerabilities” make them want to leave their jobs. That could lead to more turnover and exacerbate the shortage.
But all hope is not lost. In this series on “what keeps a CISO up at night,” we’re examining some of the top issues that CISOs and other IT leaders face. Here, we’ll take a closer look at how to solve the cybersecurity talent shortfall.
To start closing the cybersecurity talent gap, CISOs can push to reframe how cybersecurity is viewed within their organizations.
Rather than making cybersecurity seem overly technical and operational, CISOs can reposition cybersecurity as being more strategic, creative and business-oriented. That can help attract employees. It can also get other leaders on board so you have the budget and overall organizational support to ramp up hiring.
“In today’s environment, cyber is not a cost center, it is a strategic component of enterprise risk management and a business enabler. When it is positioned as such to employees, they will understand that the company values cyber and see a career ladder to scale,” says Deloitte.
Similarly, CISOs can work with HR teams to reframe job descriptions and search for soft skills too, rather than strictly looking for IT skills.
“These characteristics might include curiosity, commitment for problem-solving, and strong work ethic — all of which can help shape future professionals with the right corporate guidance and training,” notes the Computing Technology Industry Association (CompTIA).
Broaden Talent Pools
Another important aspect of closing the cybersecurity talent gap is broadening the talent pools you search in. If your existing searches aren’t yielding enough candidates — such as if you’re mainly sourcing talent from the alma maters of current employees — perhaps you’re not reaching a diverse enough audience.
Recruiting more women, BIPOC individuals, neurodivergent candidates and others who might be underrepresented in your organization can be a great way to add cybersecurity talent while tapping into the power of diversity.
“A growing body of research shows organizations that embrace diversity and establish an inclusive industry and workplace culture perform at higher levels, which means a safer and more secure cyber world,” says (ISC)², a nonprofit association for information security leaders.
To find more diverse candidates, CISOs can take steps like working with HR teams to find partners like educational institutions and nonprofits that get you outside of your existing talent pools.
You also might find that you’re overlooking your internal talent pool. Upskilling and reskilling existing employees to move into cyber roles, especially when staff come from other positions that might typically be easier to fill, can help you reduce cybersecurity staff shortages.
Leverage Technology Where Possible
As important as it is to change how organizations position cybersecurity and how they source employees, that doesn’t mean that the cybersecurity talent shortfall can immediately be solved. Organizations will likely have to deal with some gaps in the near term, but they can turn to technology to ease shortages.
For example, technology that automates areas like threat detection might help short-staffed cybersecurity teams stay ahead of attacks. Other types of cybersecurity technology like Kovrr’s Quantum cyber risk quantification platform can help CISOs get the most out of existing cybersecurity resources.
By modeling the financial impact of potential cyber events, you can understand where the largest risks exist and direct employees to focus on those areas.
Suppose you want to roll out a company-wide cyber awareness program, as well as improve data recovery capabilities. If you’re short-staffed, you might not have the bandwidth to do both at the same time. But by leveraging Kovrr’s financial quantification capabilities, you can determine the financial impact that these two activities would have on your business. From there, you can prioritize the one that would provide the most financial risk reduction.
Overall, the cybersecurity talent shortfall isn’t necessarily a quick or easy fix, but CISOs can rest easier at night by following these steps. Repositioning how your organization and candidates think about cybersecurity, expanding your talent pools, and maximizing your existing staff by leveraging technology can go a long way toward building a more secure organization.
About the Author: Shalom is chief product officer at Kovrr and a cyber data science expert. Throughout his career, Shalom has acquired unique expertise in cyber intelligence, threat modeling, risk modeling, machine learning and artificial intelligence. Shalom joined an elite Israeli intelligence unit and served for four years specializing in cyber. Following his military service, he joined Lacoon Mobile Security where he led the threat intelligence and threat modeling initiatives. In his last position before founding Kovrr, he led cyber threat intelligence and modeling efforts at Deep Instinct, developing a commercial detection engine product from scratch based on advanced artificial intelligence technology. Shalom holds a B.A. from the Open University of Israel.