Originally published in ITProPortal on July 13, 2019
Scarcity in talent means there is a critical deficit in developer security training
Organisations across the globe are suffering a cybersecurity workforce “gap” of around 2.9 million employees today, according to the latest estimates from (ISC)², the world’s leading cybersecurity and IT security professional organisation. This gap is putting all organisations at greater risk of attack.
People from under-represented demographics must be hired to help overcome this shortage. The current artificially limited talent pool of “people who look like the people already doing the job” is not working, and is terribly unfair. In fact, when organisations employ a more diverse group of people, the variety of experiences and perspectives they bring can tangibly enhance organisational defences.
If you all think the same way, then you all miss the same things.
Hiring and recognising
Broadly speaking, there has been an increase in the amount of overall investment in the recruitment and retention of information security talent. This is happening throughout organisations, which is a positive step. As organisations work to improve their ability to manage information risk, the importance of having a Chief Information Security Officer (CISO) is also being recognised. The person in this role needs to be part of board room discussions to successfully implement organisational change.
There remains the question, however, of whether people who are from a different ethnicity, gender or background to the stereotype “standard IT/infosec professional” are actually being treated equally in the cybersecurity industry.
I believe that organisations today, while they are aware of the issue, still fundamentally make inaccurate assumptions about the innate skills and interests of people, by grouping them by various irrelevant characteristics. However, the fact that the question of equality is actually being asked in this way at least means that the first step, that of admitting that there is a problem, has been taken.
It’s about transparency and challenging the “comfortable choice”.
To pick a specific area, unconscious bias in recruitment and promotion is well recognised as a contributing factor to inconsistent treatment of different groups of people. When we create processes to enable recruiters to transcend their biases, including anonymised applications and standardised questions and rating schemes, we are better able to realise the enormous untapped talent in our existing potential workforce. And when we hold ourselves accountable at board level for promoting equal numbers of women to board level, and more people from different groups than a “token person” from each group, we are able to actually retain the people we have recruited.
It’s a war zone
New research has stated that the UK alone could lose £1 billion this year as a result of just Distributed Denial of Service (DDoS) attacks, a type of attack that can crash a website with an overwhelming amount of fake traffic. If just this one type of attack can cost so much, it’s worth investing in prevention; and in people.
We are in the midst of a partially acknowledged cyberwar that is escalating by the day; the bad guys are well organised and do not have to abide by any rules. Alarmingly, a third of small businesses have no cybersecurity strategy in place, according to YouGov; these organisations act as trial grounds for attacks, as easy targets (which often do not survive) and as springboards for attacks on larger targets.
Hackers have developed a plethora of sophisticated methods including phishing attacks, software hacks and password theft to name a few. These attacks are being used by a very sophisticated network of illegal “organisations” to make a significant profit from other people’s organisations and assets. As cybercriminals are becoming more advanced, so the cyber skills shortage in the legitimate world is ironically also increasing.
It’s not about tech
As organisations begin to readjust their strategies to include automation in their cyber defences, they also need to understand that adding more technology is not a silver bullet. There is actually a worrying potential for staff in age groups which did not grow up in this changing landscape to be left behind as organisations adopt new shiny tools; people may avoid the new technology and adopt workarounds instead, which expose the company to more, not less, risk. We must encourage organisations to take innovative approaches to make industries more inclusive, even with the implementation of technology. We now rely heavily on technology, and humans need to be able to engage with this technology successfully.
No matter what type of attack takes place, employees play a large role in securing an organisation. To better prepare staff, organisations can ensure employees at all levels are actively engaged and trained to make informed decisions. This will put them in a stronger position when the next inevitable attack takes place. Providing employees with supplementary courses of action, as well as training, will also keep teams up to date with the current trends they need to be aware of.
Every time an organisation invests in technical tools to provide more intelligence around threats, or higher levels of protection, permanent staffing resources are required to configure them, manage them, analyse them and respond to their findings. Organisations will start growing their teams to address these issues. Individuals who come from different backgrounds offer better potential to understand, anticipate and combat cyberattacks in new ways that can help prevent attacks from happening sooner, or at all.
Diversity comes in many forms and is, of course, not just about gender. Organisations should also look to people from other disciplines, with skills that are less obviously relevant, such as logistics, marketing and sales. They can also build a talent pipeline for the future in-house, through internship and apprenticeship programs for existing staff in other departments who have relevant potential, and for new hires.
There is prejudice in this world. When I think about inequality, I contemplate why there are so few women in the cybersecurity industry, why women are paid less than men, and why there are more women in low-skilled jobs. This prejudice has distilled an inaccurate belief that your gender, age and education should dictate your career choices and future.
A person’s skills or experience are always more important than their ethnicity, age, gender identity or background. Each individual is unique and has competencies that should be valued and managed. Being able to tackle the cybersecurity skills gap by sourcing talent from this wide pool of potential is vital in making sure we are able to keep national infrastructure secure and stable.