For all the difficulties that modern threat actors throw at them, IT security leaders’ biggest challenge may be a simple human one: how to hire and retain enough qualified professionals to maintain secure networks.
According to the 2017 Global Information Security Workforce Study, two-thirds of organizations said they lack the number of cybersecurity professionals needed for today’s threat climate. By another estimate, 74 percent of organizations say the cybersecurity skills shortage has impacted them to some degree.
Part of the challenge is that the speed of technological advancement is difficult to keep up with, said Bob Bragdon, publisher of CSO and moderator of the CDW Protect SummIT in Philadelphia.
“We’re adopting these technologies in organizations where our skill sets in using them are very limited,” he said. “We talk about blockchain. We talk about zero trust. Where are the people who know how to use this stuff?”
What’s the State of Cybersecurity Staffing?
Some have described the state of staffing for cybersecurity as a crisis. But Alyssa Miller, manager of CDW’s Information Security Solutions practice, said it “depends on whom you ask.”
“You ask a lot of people in the security community who are looking, and they say they can’t get in. They’re wondering how they get a job,” Miller said. “So what’s the state of things? I’d say it’s really confused.”
Yet most businesses continue to struggle with hiring and retention. So Bragdon moderated a panel to discuss solutions with Miller; Mark Leary, CISO of Tarrytown, N.Y.-based Regeneron Pharmaceuticals; and Ken Weirman, CIO of Berwyn, Pa.-based manufacturer Ametek.
Retaining employees may be even more challenging than hiring them in the first place, panelists said. The era of the 30-year employee is “over, definitely,” Weirman said, because employees find it impossible to meet all of their career-growth objectives within a single organization.
“Keeping people motivated is a big issue,” he said. “After about two years, an employee has typically mastered the role they were hired for, and if you don’t have something that’s next for them to move into, you’ll lose them.”
That means it’s incumbent upon employers to try to retain top workers for as long as possible by helping to create a career path.
“We have something called 30/30s,” Weirman said. “That’s 30 minutes every day for 30 days with your managers, where you don’t talk about your job. You talk about your career.”
Make Work More Interesting for Cyber Pros
It’s no surprise that employees who are engaged in their work stay longer. Yet in security, too many young employees spend all day in security operations centers, staring at a screen and working their way through one alert after another, Leary said. It can be dreary.
“We have to find ways to make work meaningful,” Miller argued. “Things like that can be automated, so we should do that. We need to ask: How can we enable that person so that when they have something they can react to, they can really see change?”
Miller said that many employers struggle with misperceptions about technical workers that limit their careers, leading to dissatisfied employees. The perception is that people with strong technical backgrounds are unsuited to the kinds of management tasks that business leaders must perform.
“It’s kind of dumbfounding to me because these people are incredibly intelligent and well-educated,” Miller said.
Money is another impediment to retention, the panelists said. It’s possible to hire a young security analyst for, say, $60,000 a year, but within a couple of years that analyst will have developed the skills necessary to land a six-figure job. Employers who can’t move that employee up will lose him or her.
Think Differently to Increase Cyber Hires
The panelists had several suggestions for organizations looking to add to their cybersecurity teams but struggling to find qualified professionals:
- Change your perceptions of what a cybersecurity professional looks like. Miller said that employers should be aware of their “subconscious bias” that IT teams will be mostly men, white and straitlaced, and they should actively recruit women, people of color and people whose personal styles are a little different. “Understand that you’re going to see tattoos, you’re going to see colored hair and mohawks,” she said. “We have to challenge those visions of what it is we think we’re looking for.”
- Get out in the community. Employers should be active in Twitter’s information security communities, sponsor IT security events and send current employees to them, and work with local universities and public schools.
- Rethink job descriptions. It’s common for employers to make unrealistically high demands when drafting job descriptions, then wonder why they’re not getting many applicants, panelists said. It’s important to remember that cybersecurity pros often lack decades of experience because the profession itself is relatively young and constantly in flux.