The talent shortage across cybersecurity is no secret. Among the myriad of challenges faced by IT departments today, hiring and retaining qualified cyber professionals remains a critical issue. The number of unfilled positions globally grew by 350% over the past eight years, reaching 3.5 million in 2021, according to data from Cybersecurity Ventures. That’s enough empty seats to fill 50 NFL stadiums.
The series of major attacks in 2021 highlighted the need for a more targeted focus on alleviating cybersecurity’s labor issue. Colonial Pipeline, for example, was openly searching for a cybersecurity manager just weeks before a massive ransomware attack forced the utility provider to temporarily shut off its fuel pipeline -- the largest fuel pipeline in the United States -- and pay $4.4 million in ransom to restore network access. Hackers stole data from a traditional file share using a virtual private network account with a compromised password that had been leaked on the dark web. The VPN account did not have multi-factor authentication (MFA) access controls in place.
In hindsight, the Colonial Pipeline attack showed that without the right number of people in place, it’s rather difficult to defend data from highly skilled and sophisticated threat actors. All the best-in-class technologies in the world are essentially useless without employees who can operate them effectively. In a race against cybercrime, modernized security tools and proactive approaches are the F1 racecars that enable you to win. Your employees are what gets them over the finish line.
A Work in Progress
There isn’t a quick fix to the talent shortage problem, but progress is beginning to emerge on several fronts -- the first being diversity, equity, and inclusion. In an effort to grow a more diverse workforce, the Biden Administration announced last year that IBM will partner with 20 historically Black colleges and universities (HBCUs) to establish cybersecurity leadership centers that aim to train more than 150,000 people over the next three years. According to the Aspen Institute, only 13% of the US cybersecurity workforce identifies as Hispanic or Black.
Deloitte created a global awareness and recruitment campaign, Women in Cyber, promoting female leaders across cybersecurity in an effort to narrow the profession’s clear gender gap. The appointment of Jen Easterly as Director of the Cybersecurity and Infrastructure Agency (CISA) will also undoubtedly inspire more women to pursue cybersecurity careers. In her keynote address at Black Hat USA 2021, Easterly spoke about the importance of developing more diverse cybersecurity organizations.
Microsoft is partnering with US community colleges in a national campaign to recruit 250,000 professionals into the workforce by 2025. And Code.org, a nonprofit dedicated to expanding access to computer science in underrepresented schools, has committed to teaching cybersecurity concepts to more than two million K-12 students over the next three years.
An enhanced focus on diversity, equity, and inclusion (DE&I), coupled with developing higher levels of cybersecurity expertise across all fields, will continue to be critical. For example, more organizations are beginning to understand that every IT job has a cybersecurity component to it. Because these roles carry a personal responsibility to safeguard customers’ sensitive data, infrastructure operations jobs are requiring more advanced security training -- such as CompTIA Security+ certifications -- to ensure IT professionals without extensive cybersecurity backgrounds still possess the foundational knowledge to protect their organization.
The Engagement Factor
Employee engagement directly correlates with organizational success in any industry, but in cybersecurity, the importance of engagement takes on a different meaning. It’s critical to ensure employees understand “the why” behind the work they do every day. It shouldn’t be rooted in helping the organization generate record-high annual earnings or steady returns on investment. It shouldn’t be about selling the best solution on the market at the most affordable rate. It shouldn’t revolve around beating industry competitors or winning awards.
The real value of working in cybersecurity is the positive impact on the world around us. As cyber professionals, we’re at the frontlines of a societal crisis with a lot at stake. It’s our job to prevent the next ransomware attack against a hospital that puts patient lives at risk. It’s on us to protect the small business owner from a data breach that would force him to file for bankruptcy and destroy his life’s work. It’s our responsibility to stop nation-state threat actors from stealing sensitive data files on matters of national security.
When employees know the real-world impact of their roles, it’s far easier to foster high levels of engagement across your staff. To retain talent in today’s Great Resignation economy, organizations must provide a meaningful opportunity to make an impact on the world in a positive way.