The macro-economic consequences of COVID-19 have reached cybersecurity and the talented people who keep us secure. In some sense, invisibility is a hallmark of good cybersecurity: back-end operations run smoothly and keep the assets, operations and reputation of an organization from harm. But this invisibility is built on proper resourcing, and in the last 18 months, we’ve seen a progressive erosion of the human resources behind successful organizational cybersecurity.
Let’s Call This the Great Talent Migration
At any given time, there are a limited number of top cybersecurity professionals. When you add border closures, data sovereignty concerns, reduced student numbers in the pipeline and the incredible systemic network stressors of work-from-home, you basically create a situation in which burn-out is high and talent demand is even higher.
The consequence is a large number of organizations fighting for a very limited number of professionals. On the surface, an organization might look like it’s business as usual, but behind the scenes, it is scrambling for critical resources, with both short- and long-term consequences for the organization’s security and our society’s collective security.
Moreover, business confidence is rising in Australia and globally, which accelerates the trend because job availability increases even more. Then there are record levels of employee fatigue. Worldwide Gartner research this September showed 34% of human resources leaders are significantly concerned about employee turnover, rising to 91% who are increasingly concerned as the economy improves in the coming months.
At the same time, some cybersecurity experts are opting to leave their careers due to the aforementioned burn-out, a reprioritization of their personal goals due to the pandemic (the “great resignation,” anyone?), or a shift in participation due to life stages. From recruitment to internal development, incentives and culture, what levers have the most significant impact?
So How Do You Attract and Retain Talent in this Environment?
Cyber specialists will search for employers that support remote work, offer interesting projects that enrich their life experience, and actively appreciate their efforts. And not just through financial bonuses, but as a culture that supports them and their growth. Creating a culture that fosters inclusivity, openness and diversity, along with a fun environment, will be essential to retain your current staff.
Locally and now globally, Trustwave has set up a Diversity Network Initiative (DNI) designed to drive diversity and inclusion awareness through education and programs to make our organization a great place to work and a great team with which to conduct business. Our DNI has five streams of focus:
- Well-being & Mental Health
Trustwave currently has a laser-like focus on gender within the business, and I’m proud that 50% of our local leadership team are women. DNI has also run mental health sessions, including gathering stress release tips from an organization that offers therapy dogs.
A critical element of retaining talent is openness. Fostering a culture of open dialogue between all levels of the business, so that staff know the mission and how we’re going to get there, is critical. Our “Ask Us Anything” open forums give employees a chance to ask leaders anything. It is often business-related, but not always so.
We’re celebrating big wins and small ones along the way. Recognizing contribution is not just monetary - Trustwave has a Cheers portal where anyone can call out a teammate or a far-flung employee who makes a difference to their task, day, or experience. This shout-out helps connect us all.
How To Minimize the Impact of the Cybersecurity Skills Shortage
Organizations across the world have unfilled cybersecurity vacancies, and the cybersecurity professionals already on staff are pushed to their limits. Something must change to address the staff shortages that are limiting organizations’ ability to erect and maintain strong defenses. This paper examines the cybersecurity skills shortage and advocates for the use of advanced security services and technologies that more effectively leverage the time of current professionals. The paper references data from an in-depth survey of 130 cybersecurity professionals in mid-sized and large organizations.
Offloading or Reframing?
As people leave jobs, the remaining staff might be asked to take up the slack left by those who have moved on. This activity generally includes shouldering new duties, but organizational knowledge retention is also becoming a significant issue.
Many organizations are looking to take advantage of outsourced service vendors who add human intelligence (not just AI and automation) to the tasks left behind by those who have left. For example, cybersecurity risk management requires analytics and then assessment based on a human view of how the risk impacts an organization, taking in the needs of the business and the potential effects to understand the necessary actions.
One method is enticing people who stepped out of the industry to return and asking them to handle those fixed-scope engagements. If done successfully, this can convince these folks that they can have their side gig on the coast/semi-retirement/time with children and explore new challenges and project goals they’d like to get their teeth into. Help them.
Bring in the Experts; Recycle Knowledge
Engaging specialized experts for scoped tasks or gigs can meet the business needs for compliance or significant projects and get the job done faster and with greater effectiveness. And maybe at the same time skill up your existing employees. More cyber departments are using services to remove the burden of low- and high-level threat detection and response. This action frees up resources for security analytics, specific threat prevention initiatives, and key projects that uplift an organization’s cyber posture. I expect organizations are reconsidering their need for data sovereignty for some aspects of cybersecurity and using global talent and services to fill the gap.
The fastest way to adopt best practices, and one that reduces the burden on staff, is to re-use what others have done before. Our business shares the work we’ve done with clients via a portal from which anyone can download it, mostly for free. The work is derived from major Australian and global clients, on topics such as presenting to the board or incident response guidelines, and metrics we’ve seen work in an industry like theirs. Why build from scratch?
Look Beyond the IT Silo for Talent
Smart organizations are also looking inward and turning to staffers already on board to grow cyber talent – John in Legal? Sally in Marketing? Well-rounded humans have thrived in cybersecurity from the beginning because while coding is literally binary, cybersecurity is not. In the face of a cyber degree explosion, we’re still hiring humanities grads, lawyers and those told they must learn to code but never did because the optimal cybersecurity team is a truly diverse one.
There’s no doubt a great cybersecurity migration is underway, but if you tackle it head-on, there’s plenty you can do to emerge more robust and more secure as an organization.