Growth in tech workforce not reflective of every sector

Today’s modern and digital organisations require different technologies and often involve long and complex supply chains. As such we ideally need a near-equivalent number of skilled cybersecurity professionals to protect them. The problem is, this can get expensive.

For many years, we focused on securing the gates — the ingress and egress points of information only — but now we need to be talking about resilience. Cybersecurity professionals can no longer be expected to be paid to prevent attacks. Attacks happen, even to the best of us. It is now about preventing for sure, but also about investigating, responding, and recovering operations to reduce impact and ensure business continuity. Unsurprisingly, this takes a village.

Not only is it costly but the effort to find and retain the right skills is significant in what seems to be an increasingly scarce professional pool. From your own security team to leveraging security professionals employed by your vendors, organisations need to think holistically about their security workforce and make smarter cybersecurity talent investments.

A new cybersecurity workforce framework

The National Initiative for Cybersecurity Education (NICE) has established a workforce framework that categorises and standardises cybersecurity work and workers’ titles across the public, private and academic sectors in an effort to help organisations understand the skills and resources they need to increase their cyber resilience.

NICE analysed current and future workforce needs to establish seven cybersecurity workforce categories: Analyse; Collect and Operate; Operate and Maintain; Protect and Defend; Investigate; Oversee and Govern; and Securely Provision. It lists a total of 33 distinct areas of cybersecurity and 52 work roles.

To most organisations, hiring 52 cybersecurity professionals (assuming you could find them) is completely unrealistic. So, what should organisations be doing to build resilience with minimal resources?

Choosing wisely

Cyber risks are escalating far more quickly than we can train cybersecurity professionals. As cybersecurity becomes more and more business-critical, cybersecurity professionals are more and more in demand and expensive. It’s incredibly costly to keep a full panel of cybersecurity skills in-house.

This means organisations need to prioritise. Here are the two roles I’d prioritise:

• The hands-on expert: Every organisation needs a hands-on security operations professional who is able to implement and manage security controls. If we’re thinking about the NICE framework, try to find someone who has the skills outlined under the Operate and Maintain category. Being a technology role, this resource can sit under the CTO.
• The cybersecurity leader: Secondly, you’ll want somebody who has the skills to embed cybersecurity into the fabric of the organisation and ‘bake it into’ its operations. This is most likely to be a CISO or a business-influencing position and is preferably someone with a governance and risk background. Their job is to be a change advocate and to make cybersecurity a business problem, not a technology one. It’s much cheaper to embed cybersecurity into the DNA of an organisation than to pile up cyber resources to fix a lack of security in everyday operations. This is particularly important in a tight job market where resources are limited and costly. This role should report directly to the CEO or COO to ensure their influence is felt at a business-wide level.
   

Overall, look for candidates with strong decision-making skills, experience in stakeholder engagement, good attention to detail and who have a strong sense of initiative and autonomy.

Another way to look at cybersecurity resourcing is by seeing your supply chain as an extension of your own security posture. Unless you have the money to invest in cyber skills that target emerging technology (which most organisations will not), the best thing to do is to select your technology vendors carefully. If you can’t hire the skills yourself, you need to make sure your supply chain can. For example, if you want to buy an AI or cloud tool, you need to select a vendor that is well-funded and invests more in its security than you can afford to. I can think of several vendors in our market that can outspend in a single month on security what their customers make in a year.

Lastly, outsourcing cybersecurity to trusted consulting partners can be a great way to upskill your organisation without the costs of recruitment, training and high salaries. It will also ensure you have the most up-to-date resiliency and technology knowledge at your fingertips and on-demand, without taking up your own valuable resources.

We are fortunate to have a government investing in research and development for the workforce of tomorrow. Organisations should lean on government resources and supply chain opportunities to design their operations and get the most out of their in-house roles.

Image credit: iStock.com/portishead1