Businesses must ensure that security has a seat at the table from the very first conversations about digital transformation, says ISC2 CEO Clar Rosso.

May 28 2024

How to Overcome the Cybersecurity Talent Shortage and Keep Your Business Safe

Enterprises are just now starting to take security as seriously as it deserves, says ISC2 CEO Clar Rosso.

The security threat landscape is changing fast, especially as attackers and defenders alike take advantage of generative artificial intelligence (AI) to do everything from write code to automate repetitive tasks. That means that for organizations of all sizes, the need for cybersecurity professionals — in-house or via managed services — has never been greater.

That’s a problem, says Clar Rosso, CEO of ISC2, which trains and certifies cybersecurity specialists. The sector suffers from both an acute shortage of trained talent and a growing skills gap among existing professionals as the landscape evolves. BizTech Managing Editor Bob Keaveney spoke with Rosso about how businesses are responding, and what needs to happen next.


BIZTECH: What’s the current state of security for businesses?

In the business world, especially with the slew of new regulations related to security and privacy, businesses are now saying, “Oh, wow, we have another area where we have a lot of new compliance requirements.”

It’s evolving to a point where boards and C-suites are understanding that to successfully manage risk, they need to think about information security risk as much as they think about financial risk. I don’t think we’re all the way there yet, but that’s the path we’re on, where organizations understand that data security is not just a compliance risk but is also at the forefront of achieving their strategic objectives.

Something boards have historically thought of as a back-room function, as simply a business expense, is now a strategic imperative. Business leaders need to build their cyber literacy so they understand the risks their businesses face, and security professionals need to articulate the business risk in business terms and not just technical terms.

BIZTECH: What are those organizations dealing with right now that is especially vexing?

We’ve been talking for years about the cybersecurity workforce shortage, and that remains front and center in businesses globally. The smaller the business, the more acutely it’s felt. At the same time, we’ve noticed a distinction between the workforce gap and the skills gap, and we now have 92 percent of organizations saying, “Hey, we actually have a skills gap here.”

So, you have understaffed security teams not getting the attention they need from the C-suite. They don’t have the skills they need to keep up with the technology and threat landscape that they face. And while they’re currently identifying cloud as their biggest area of gap, they fully expect that within two years, AI will be at the top of the list in terms of the skills gaps within their organizations.

BIZTECH: What are organizations not doing that they should be?

With technology implementations within organizations, leaders usually wait for security to come in at the end and tell them what they think. And they often ignore the advice of the security folks and go live anyway. They will charge ahead with tech that is not secure. If security just has a seat at the table in the initial conversations around technology transformation, that would improve organizations’ risk postures.

In our organization, the CISO reports to me. And if we are developing strategy, the CISO is in the room, and not just to tell us what all of our security problems are but as someone to think holistically about the business.

BIZTECH: How is AI complicating the security picture?

There’s a perception that as much as AI will help support things like the automation of repetitive tasks for cybersecurity professionals, it’s going to actually help the threat actors more. We did a survey on AI recently and found that 28 percent of cyber professionals believe they will benefit more than threat actors from AI advancement, but 37 percent said the threat actors will.

That said, there is a strong belief that AI will help security professionals with some of the problems they currently face. Specifically, 40 percent say it will help with automation, and 34 percent say it will help with their zero-trust efforts.

BIZTECH: Are security professionals prepared for AI?

Well, the original research we did in this space found that 84 percent of respondents say they know nothing or almost nothing about AI. So, that’s not super encouraging!

But then we hit pause and said, “We’re not asking you to build an AI model, we’re just asking you to secure technology within an AI use case and then work with the outputs of that.”

So, when you break the problem down, people say, “Oh, wait, I do know how to secure technology through its lifecycle, I just need to apply that to this AI use case.”

BIZTECH: How are organizations staffing up security teams given the emerging landscape?

Historically, a clear plurality of people working in security had to have jobs in IT first, and then hop the fence. Today, 61 percent of organizations tell us they’re starting to hire people first for their nontechnical skills and then training them for technical skills.

I think that’s fantastic news. In 2020, that’s not what people were doing. But now, there is an increasing willingness to think differently about how you hire.

The nontechnical skills organizations are looking for are project management, communications, and analytical and critical thinking. Also, they’re looking for people who have a commitment to lifelong learning, because that’s essential when you have an evolving threat landscape. Those are the same skills that will help people navigate a world where AI is leading in certain spots.

Photograph courtesy of ISC2