This is a story about supply and demand. It’s a story about how to address critical resource imbalances in the face of mounting global pressures, complexities, and impacts. I’m not talking about the supply and demand of economic commodities, but rather the supply and demand of the next generation of cybersecurity talent.
Almost anyone reading this book knows something about the gigantic chasm between the needs of organizations’ in-house teams compared to cybersecurity service providers, and the availability of smart, creative, talented men and women to fill the more than two million–person global cybersecurity talent gap estimated over the next few years.
Undoubtedly, your CISO has pled their case for a larger budget to identify, recruit, hire, and train cybersecurity staff. You’ve probably listened attentively to their arguments, and you’ve more than likely approved at least some of their requests. However, current attempts by the cybersecurity industry to fill this gap are simply not working, and the issue is not going to be remedied by ramping up what we’ve been doing to date.
There are two sides to the problem: To solve our growing cybersecurity challenges and to bolster personnel resources, we need increased talent on both the supply side and the demand side. In cybersecurity circles, the supply side is made up of the third-party cybersecurity firms that provide for-hire expertise in such roles as forensic analysis, digital investigations, third-party tools development, cyber risk assessment, and threat intelligence. Across the ledger is the demand side of cybersecurity, which is made up of the consumers of those capabilities and other security tools and services, including on-staff security experts who team with both internal business stakeholders and outside cybersecurity suppliers. Both sides need to evolve the ways they define, identify, and attract sought-after talent.
Now, in the interest of full disclosure, our firm is one of those supply-side cybersecurity service providers. But I won’t kid you. Despite our solid track record, it’s getting harder for us to keep up with the demand for talent, and we like to think we’ve been pretty clever in where we look for new people and the process we go through to ready them for prime time. So we’ve had to update what we do, how we do it, and the kinds of people we target.
Just 20 years ago, cybersecurity was a pretty immature field. A single cybersecurity practitioner could do quite a bit to help their clients because the state of the art wasn’t that advanced. Maybe you had some digital forensics training, perhaps you gave expert testimony at a trial; for many supply-side firms, that was the pinnacle of their skill set, and it didn’t require that big a net to find the right people.
Today, cybersecurity is a whole different ballgame. I don’t have to tell you about the expanding threat vectors, increased vulnerabilities, intensified risk management, and the need to turn cybersecurity from a cost center into a competitive differentiator for your entire enterprise. We’ve had to hire more specialists, in much the same way law firms and medical practices had to diversify across different areas of unique requirements. That has meant that organizations like ours have had to create and build methodically planned approaches to bringing new skills into the organization so we can deliver more value to our customers.
But that does not mean we’re just looking for more college graduates with degrees in cybersecurity or the equivalent. That approach simply won’t close the gap in an era of increased cyber risk. We need new and different types of people.
That’s not to say we don’t need people with deep technical skills; obviously, our clients rightly expect us to have the technology chops necessary to solve a wider array of problems faster than ever. But it’s not enough.
We’ve supplemented and expanded our traditional mindset to recruit people who have studied in fields such as business, economics, or law. Even college students not studying technical disciplines have all taken courses in technology, and let’s face it: The millennial generation is far more technology-savvy and aware of cyber risks than those of us who graduated college in the last century.
Of course, we have a detailed training plan that not only covers the technology issues, but also our clients’ business challenges. I can’t stress how important training is for firms like ours—and for those of you on the demand side, as well. After all, you don’t take a recent Yale Law graduate, as talented as well-educated as they may be, and have them argue a case before the U.S. Supreme Court.
Naturally, we want to hire people whose skills and expertise put them in the bulls-eye of our recruiting target. But there’s a lot to be said for hiring people who may be found in the ring or two just outside dead-center.
On the demand side—from global corporations across different industries to smaller organizations with mounting cybersecurity risks—recruiting and training the next generation of talent is just as hard, for all the reasons I cited on the supply side. In many ways, a lot of internal security organizations have been set up like in-house security service providers, treating their business users as “customers.” Things like internal charge-backs and restrictive security policies and procedures further promote the idea that the cybersecurity staff is somehow “different” from the business side of the organization.
We need to get away from traditional definitions of internal security operations teams as the techie people, or the “security police” who make it harder for business teams to do their jobs because we’re always putting limits on what they can and can’t do. Instead, we have to position these people as business peers and colleagues charged with achieving business goals. And we have to look for new types of people whose prioritized skills include business acumen, a problem-solving mindset, an ability to balance risk and opportunity, and just really sound judgement.
Similar to what’s happening on the supply side, the demand-side cybersecurity gap should be filled with more businesspeople. Having technical skills is, of course, great and necessary. But it shouldn’t be a bar to limit the potential talent pool. Demand-side organizations should place a higher emphasis on identifying and recruiting problem solvers with business expertise; you can always backstop them with people who can break down botnets or use automated monitoring tools to spot advanced persistent threats.
Remember what I said earlier about supply-side firms such as ours broadening our target audiences a ring or two away from the bulls-eye? The applicable rings can and should be expanded a bit further on the demand side. In fact, real-world experiences tell us that being too immersed on the technical side of a solution can prevent you from seeing the real enterprise-level issues.
I also talked about the growing specialization in cybersecurity, just as the case has been in fields like medicine and law. And while that’s true on the supply side, I think we need more generalists on the demand side. When I say generalists, I obviously don’t mean people who are technical Luddites, but I do mean people who focus more on finding new ways to spot and solve problems, typically in close collaboration with business colleagues and technical specialists.
As business leaders, you can’t just sit back and wait for your CISO to come in with yet another request for bigger college recruiting budgets or authorization to increase staff salaries. Whether you’re on the demand side or the supply side, it’s time to rethink the kinds of people you seek to fill your yawning cybersecurity talent gap, or how to identify and retrain non-cyber-specialists to take on new roles.
Ed Stroz is founder and co-President of Stroz Friedberg, an Aon company. This article has been adapted from Navigating the Digital Age, Second Edition