The cybersecurity workforce vs. cyber threats: building your A-Team

In brief:

• The doors opened to organizations by technological innovation simultaneously serve as pathways for cybercriminals, and the demand for cybersecurity experts is greater than the current talent market can supply.
• Analytics can give you great insights into the future of work and the future workforce, casting light on the supply and demand of cybersecurity skills within your organization and allowing you to identify talent gaps.
• Upskilling your team using modern methods is an excellent way to fill existing talent gaps.
• Reimagining your talent sources to include an adaptive workforce and machines will further enhance your ability to address these gaps.

<<< Start >>>

<<< End >>>

When Bill Gates, Kanye West, and Barack Obama offered their Twitter followers a too-good-to-be-true return on their bitcoin investments amidst the pandemic, the world was not shocked to find out that the tweets were a result of a breach in Twitter’s infrastructure. The shock, however, came that the ‘masterminds’ were two teenagers and a 22-year-old. Are a bunch of students capable of hacking into one of the leading social media platforms? The answer, unfortunately, is yes. Now the question is for you: is your cybersecurity workforce ready?

As part of our advocacy for European Cybersecurity Month, we’re writing a three-part series that examines the pillars of building a cyber-resilient organization. This article is the second in the series.

1. Leadership & culture: the cornerstones of cybersecurity.
2. A future-ready cybersecurity workforce.
3. Adoption of secure behaviors and accountability.

<<< Start >>>

<<< End >>>

Upgrading your workforce to build cyber resilience

As hackers become more audacious and the scale and scope of data breaches continue to increase, modern businesses must take a proactive approach toward addressing and identifying potential cybersecurity threats. Mitigating the risks requires a robust cybersecurity strategy. And to develop and implement such a strategy, you need the right people guarding the doors to your business.

Now, these issues are not unique to your business. They are relevant for all businesses alike, which has driven up the demand for cybersecurity talent beyond that which the market can supply. Research shows that 47 percent of the interviewed organizations suffer from a lack of skills that limits both their ability to learn and use cybersecurity technologies to their full potential. Not surprisingly, 65 percent of the cybersecurity professionals interviewed stated that their organization should provide 'a bit more' or 'significantly more' cybersecurity training.

<<< Start >>>

<<< End >>>

Knowing your cybersecurity work and workforce helps you build the future

CISOs are scouring the marketplace for cybersecurity talent who bring more to the table than core functional skills. Armed with business acumen, digital technology prowess, and human skills and these professionals combine a holistic understanding of the cyber-threat impact on business with data-optimized decision-making and the ability to work across siloes.

Using key insights into the potential vulnerabilities inherent in where your business is going, you will be able to figure out what it will take to safeguard your organization. In the meantime, conducting a thorough scenario-based analysis of workforce trends and skill-level inventory will allow you to identify the talent gaps you’ll be faced with and start filling them. After all, bridging these talent gaps will bring you the cybersecurity A-team you need to bring the security strategy, in line with your business strategy, to life.

<<< Start >>>

<<< End >>>

When a leading financial services company decided to transform its IT landscape, it also identified a way to upgrade its workforce that would not merely equip them with the necessary security knowledge and techniques, but also upskill their teams to be more agile, collaborative, and business-oriented.

Starting by examining and breaking down the skills required for each job along with scales of proficiency, they assessed their current workforce to produce a detailed skill-level analysis. These insights later enabled them to design personalized learning journeys that, when aggregated, allowed them to shape a rapidly upskilled, highly engaged workforce alongside a culture that stimulates collaboration and continuous learning.

<<< Start >>>

<<< End >>>

Only through creating a thorough inventory of your existing jobs and skills can you create an actionable topography of your cybersecurity capabilities. Organizations must learn from this data to take deliberate steps to build the teams that help you elevate your cyber resilience.

<<< Start >>>

<<< End >>>

Reskilling your existing cybersecurity workforce

Your Cybersecurity A-Team must be able to interpret cybersecurity impact into the language of your business, while also translating business risk appetites back into the requisite security controls. In this sense, building cyber resilience is a continuous journey of change; an endless adjusting of your security posture to address the evolution of your business strategy, market conditions, and the technological landscape within your company and your ecosystem. Therefore, it takes a combination of technical, functional, business, and behavioral skills to be successful.

Technological & functional skills

Organizations are increasingly adopting new technologies, focusing on cloud, big data, and applied intelligence. As such, the cybersecurity teams manning your walls will have an increasingly longer wall to defend. They’ll need to keep their skill sets up to date as challenges in cloud computing and testing, data management, mobile security, and IoT come into play. They’ll also need to take a proactive approach to vulnerability management, learning how to generate accurate, actionable insights from enormous data sets while simultaneously decreasing your incident response times.

Business & behavioral skills

Technical and functional skills won’t flourish without a good understanding of industry and business knowledge and essential soft skills. This will allow them to identify your business’ pain points, helping them better address security issues and align stakeholders on priorities. In today’s digital world, companies need security talent that understands their goals and can easily weave themselves into the heart of their business. Cybersecurity implementation needs to follow the same Agile approach the business is advocating. To achieve this, behavioral skills such as problem solving, creativity, communication and collaboration are essential.

As what’s expected from security professionals is advancing with the accelerated footsteps of digitization, they will need to accelerate their learning paths. A transparent and personalized approach to reskilling and upskilling will better engage and motivate them and result in greater effectiveness of learning.

<<< Start >>>

<<< End >>>

A leading global bank trained their workforce to adopt new, Agile work methods using collaborative learning strategies, personalized design, and digital tools. They not only developed new learning materials but devoted their efforts to understanding the needs and preferences of their workforce, which were summarized into a set of personas. By customizing and matching unique learning experiences to fit these personas, they saw time-to-market decrease by 50 percent, while errors fell by 30 percent. Furthermore, the autonomy in learning and growth left employees highly engaged and motivated.

<<< Start >>>

<<< End >>>

Arguing that these skills are not only among the top in-demand skills—they are also scarce in today’s hypercompetitive hiring markets. Businesses must realize that upskilling and reskilling, while essential, might not completely satisfy future demand.

<<< Start >>>

<<< End >>>

Fostering the workforce of the future

Building tomorrow’s cybersecurity workforce will require you to recognize new challenges and create positions within your organization to address them. For example, filling these new roles within your cybersecurity team will be key to your success.

Cybersecurity data scientists and machine learning specialists

Data is currency, and regardless of the sector you operate in, it is a currency your organization must learn to leverage. The ability to use and automate your data analytics will provide you with a significant advantage in dealing with cyber threats, while simultaneously speeding up your threat detection.

Internet of Things architects and engineers

As we transition to a work-from-home world and our environment becomes increasingly connected, the potential attack surface visible to cybercriminals has expanded massively. This means that more devices are accessing your corporate data, possibly through unprotected networks, which leaves more doors ajar for would-be hackers.

The shifting nature of the cyber threat landscape demands that you consider every potential vulnerability and install a provision for it. Internet of Things architects and engineers can map out these interconnected devices and create a secure scaffolding under which these processes can continue to be used safely.

Social and behavioral scientists

Even with the most innovative and up-to-date information technology infrastructure conceivable, an organization must acknowledge that human behavior remains the most potent threat to its cyber resilience. Social and behavioral scientists will not only provide you with innovative, statistically validated methods to foster better practices—they will also help you identify exactly which practices and behaviors are destabilizing your security.

<<< Start >>>

<<< End >>>

Other key cybersecurity roles

Furthermore, you will also want to have AI engineers, DevSecOps engineers, and cloud enablement specialists to make the best use of state-of-art practices and technologies for cybersecurity.

Filling these roles might sound straightforward on paper if you have the budget, but in practice, there are major supply shortages. While these skills are scarce and not even only specific for cybersecurity, every organization is looking to strengthen their cyber resilience; luring top talents for these positions from all kinds of talent-war-competitors including cool start-ups and leading technology giants will rarely be easy.

That’s why it is important to reimagine where the talents come from and foster your future workforce strategy around “Buy-Borrow-Build-Bot” which gives you the opportunity to stay flexible and relevant:

• Giving your employees part-time opportunities to build their skill set with “+1 tasks” can be a win-win between them and your organization. It’s an autonomous way to develop flexible skills and progress within the business and their field which is also likely to increase motivation among employees.
• Universities provide a large pool of young, curious, and energetic talent that can be employed to create a developmental path. Also, as interns, students can leverage their research skills to provide new insights and perspectives on your processes and perform key tasks, even if they are only with your company temporarily.
• Upon consultation with your in-house cybersecurity experts, you might also find managed service providers to be a lucrative option. They can supplement the missing skills you cannot build in a day and give you time to build the same capabilities internally in a progressive and gradual way. They can also take care of certain tasks while allowing your workforce to focus on those tasks that are core to your business.
• Tapping into the power of artificial intelligence to seek for automation opportunities is also an option you need to keep in mind. Combining the capabilities of both human and machine will unlock more potential in your team.

<<< Start >>>

<<< End >>>

<<< Start >>>

Activating leadership to build a cyber-resilient culture

Why does leadership play such a vital role in cybersecurity? How will you conduct as a leader to strengthen the cyber resilience of your organization? Read more in part one of the series.

READ THIS ARTICLE

<<< End >>>

<<< Start >>>

<<< End >>>

Evaluating your talent strategy to make better choices

Any talent strategy must be developed with the specifications of its application in mind, building from the knowledge of your business and industry. This can, however, lead to subjective errors where decisions are over-justified. The following questions can provide practical and objective guidelines to lean on while developing your personalized strategy:

1. Is this skill a core aspect of your business?

If so, you will generally want to build it internally and maintain control over it.

2. Are you good at it right now?

If you have no existing expertise in the area you want to develop, it will be extremely difficult to upskill existing employees into those roles.

3. How long does it take to train the skills?

Some skills might take too much time and money to train for them to be worth the immediate outcome. As such, it is important to consider the opportunity cost of such a decision, both in the short- and long-term.

4. Is the skill rare in the market now?

Hunting for unicorns can be a waste of time and resources which might be better off channeled into developing your existing workforce or turning to external experts.

5. Is it standard, repeatable, and rule-based?

Machines might perform better than humans at processing such tasks. Assigning them to people will also deteriorate your employee motivation, as most of them might not find such tasks rewarding.

6. Can you attract and retain top talents for it?

In some cases, you might not have the experience to take on certain positions in your organization yet. You still need to account for these roles, which can be done through outsourcing and internship programs.

An effective approach, for instance, is a phased strategy, that allows you to build up the most sought-after capabilities internally with the help of a specialized partner, allowing you to bring knowledge and skills into your organization at a measured pace. This is a good way of balancing short-term needs and long-term sustainability that clearly illustrates the importance of making wise choices within your talent strategies.

<<< Start >>>

<<< End >>>

<<< Start >>>

<<< End >>>

A leading high-technology company determined that they needed data analytics as one of their key skills – not just in IT, but across the entire organization. However, building those skills from scratch would be costly and not achievable in a time frame short enough to meet their business needs. To solve this challenge, they chose to start by hiring managed services to meet their short-term needs while also embarking on a journey to build up the desired capability internally with the help of their managed services partner, transferring the desired knowledge and skills to their workforce in a progressive way.

<<< Start >>>

<<< End >>>

Putting the 3 steps to success into practice

Using the three steps we’ve outlined—Knowing, Reskilling, and Fostering—will allow you to fully realize that strategy and build your Cybersecurity A-Team. Remember: your employees are, for better or worse, the first line of defense against cyber threats. And we can't decide for you but we love it when a plan comes together.

If you enjoyed reading about developing a strong cybersecurity workforce, you might like to further your knowledge with our other articles on activating leadership and our last article of this series on driving security behavior change across the organization.

<<< Start >>>

<<< End >>>

The authors wish to give special thanks to Kim Bremer and Wesley Altman who helped a lot in making this article as well as to Helen Schedeler and Maurits van Heusden who initiated this series. They also want to thank Channon Tian, Jasper van Gelderen and Lisa Kuo for their contribution.