It’s no secret that great tech talent is hard to find, and cybersecurity talent may be hardest of all. Still, the numbers are shocking: 69 percent of respondents to a recent survey by ISACA, a national professional association for IT governance professionals, said their cybersecurity teams are understaffed.
In a conversation with BizTech, Frank Downs, head of ISACA’s cybersecurity practice, discussed its "State of Cybersecurity 2019" report in detail and explained what businesses must do to attract and retain talent against heavy competition.
BIZTECH: It seems like the shortage of cybersecurity talent has been with us for many years, and we’re not making much progress solving it. What’s driving it?
There are a couple of factors. First, only 10 years ago, cybersecurity was still kind of a novelty term. Cybersecurity wasn’t considered much beyond what you’d glamorize in media and politics. Then fast-forward a little, and once this becomes a real issue in the private sector, where do you get the talent from? So, what’s been getting built, especially over the past eight years, is the instructional, professional and academic infrastructure that’s necessary to meet this need.
What’s interesting is that you can’t handle these types of topics in the traditional way that other subjects are handled: Read the book, go to the class, listen to the instructor, study and then answer the multiple-choice exam. People have applied this method in cybersecurity in order to quickly fill the ranks. But then those people don’t have the hands-on experience. So, you’re seeing a shift toward practical instruction: We’ll put you in real situations with real attacks. But we still don’t have enough of that real, practical experience. And within companies, you don’t have enough of the cultural mindset around security because it’s still growing and it’s a scary subject, and you’re combating a growing need. We are doing better at training people, but the need is continuing to get much, much worse.
BIZTECH: How do you train anyone when attackers change their tactics so quickly?
In the study we did, we found that while the method of exploitation — like the actual toolset — may be changing, the attacks themselves really haven’t changed. You still have the top three: phishing, malware and the nonmalicious insider. Those three threat vectors have remained the same. It’s all the stuff within those that has changed.
There are a couple of things to consider when you approach this: One, these are the same problems and they’re still there, and we know where a lot of the issues lie. But to get to the core of the problem, you have to consider a wildly dynamic training solution. The training has to be constantly ongoing. At ISACA, for example, every quarter we put up updated labs and training modules so that people can work with the kinds of threats that happened that quarter. Now, not all organizations can do that, but not all organizations need to do that because there are still those big three that need to be focused on.
BIZTECH: What are you seeing organizations do while they wait for more available talent to hire?
Theft! Not in the traditional sense, but they’re stealing people they find from other organizations. And that’s compounded the problem. They keep pulling from the same pool, taking from other companies and then losing them to other companies because they don’t have a solid retention plan in place. This is not the same as in other fields. When you have such short supply and high demand, you have to think somewhat unconventionally about what will help keep people in your organization. Consider that in cybersecurity, you have an inherently younger workforce with different expectations who can just move somewhere else on a whim. So, it’s not effective for an employer to say, “Well, we hired you and gave you a little bit of training. Why are you angry?” They’re creating a retention issue, making a lot of workers frustrated and then wondering why there’s an issue.