Is the shortage of cybersecurity talent a problem or a crisis? "It's a very serious problem with the potential to become a crisis," says ISACA's Frank Downs.

May 24 2019

Q&A: ISACA's Frank Downs on How to Find and Keep Cybersecurity Talent

The group's "State of Cybersecurity 2019" report is a wake-up call for businesses striving to find and retain qualified talent. Downs has ideas on how they can do better.

It’s no secret that great tech talent is hard to find, and cybersecurity talent may be hardest of all. Still, the numbers are shocking: 69 percent of respondents to a recent survey by ISACA, a national professional association for IT governance professionals, said their cybersecurity teams are understaffed.

In a conversation with BizTech, Frank Downs, head of ISACA’s cybersecurity practice, discussed its "State of Cybersecurity 2019" report in detail and explained what businesses must do to attract and retain talent against heavy competition.

BIZTECH: It seems like the shortage of cybersecurity talent has been with us for many years, and we’re not making much progress solving it. What’s driving it?

There are a couple of factors. First, only 10 years ago, cybersecurity was still kind of a novelty term. Cybersecurity wasn’t considered much beyond what you’d glamorize in media and politics. Then fast-forward a little, and once this becomes a real issue in the private sector, where do you get the talent from? So, what’s been getting built, especially over the past eight years, is the instructional, professional and academic infrastructure that’s necessary to meet this need.

What’s interesting is that you can’t handle these types of topics in the traditional way that other subjects are handled: Read the book, go to the class, listen to the instructor, study and then answer the multiple-choice exam. People have applied this method in cybersecurity in order to quickly fill the ranks. But then those people don’t have the hands-on experience. So, you’re seeing a shift toward practical instruction: We’ll put you in real situations with real attacks. But we still don’t have enough of that real, practical experience. And within companies, you don’t have enough of the cultural mindset around security because it’s still growing and it’s a scary subject, and you’re combating a growing need. We are doing better at training people, but the need is continuing to get much, much worse.

BIZTECH: How do you train anyone when attackers change their tactics so quickly?

In the study we did, we found that while the method of exploitation — like the actual toolset — may be changing, the attacks themselves really haven’t changed. You still have the top three: phishing, malware and the nonmalicious insider. Those three threat vectors have remained the same. It’s all the stuff within those that has changed.

There are a couple of things to consider when you approach this: One, these are the same problems and they’re still there, and we know where a lot of the issues lie. But to get to the core of the problem, you have to consider a wildly dynamic training solution. The training has to be constantly ongoing. At ISACA, for example, every quarter we put up updated labs and training modules so that people can work with the kinds of threats that happened that quarter. Now, not all organizations can do that, but not all organizations need to do that because there are still those big three that need to be focused on.

BIZTECH: What are you seeing organizations do while they wait for more available talent to hire?

Theft! Not in the traditional sense, but they’re stealing people they find from other organizations. And that’s compounded the problem. They keep pulling from the same pool, taking from other companies and then losing them to other companies because they don’t have a solid retention plan in place. This is not the same as in other fields. When you have such short supply and high demand, you have to think somewhat unconventionally about what will help keep people in your organization. Consider that in cybersecurity, you have an inherently younger workforce with different expectations who can just move somewhere else on a whim. So, it’s not effective for an employer to say, “Well, we hired you and gave you a little bit of training. Why are you angry?” They’re creating a retention issue, making a lot of workers frustrated and then wondering why there’s an issue.

BIZTECH: What should they do from a retention perspective?

In addition to appropriate compensation, the big thing people want is a workplace that feels comfortable and where they have a place to grow. With cybersecurity in such high demand, if employees are not happy, they can just leave. So, providing them an environment where they know they can grow — where they see a path they can develop on — is something they’re really looking for.

BIZTECH: What can smaller businesses struggling to retain talent do? They don’t necessarily have the resources for gold-plated retention programs.

One of the happiest times in my life professionally was at a small company. It created an environment, by design, where you didn’t want to leave. They understood what my goals were and would give me a plan for how my goals fit into their plans as a business.

Every business should have a management and leadership structure in place where they make it a point to take the time to sit down and talk. They should be saying to these employees, “What do you want to do here? Let’s discuss it.” And that can happen in a business of tens of thousands or in a business of 10.

BIZTECH: Do you have an opinion on using managed service providers to help handle the cybersecurity challenge?

Third parties are here to stay, and they can help some businesses depending on their budgets. But careful management of those third-party vendors is what’s most important.

Think of the Target hack: They had a third party and the third party was notifying them of the issue, but no one was reading those emails. Third parties are great as long as they’re managed the way they should be.

Photography: Bob Stefko