Thales Blog

Do We Have a Cybersecurity Skills Gap?

December 13, 2022

Ashvin Kamaraju | Vice President of Engineering, Strategy & Innovation

The demand for cybersecurity skills has been on the rise for some considerable time, but in so many cases, supply has not kept up with demand. With many security managers seeking a quick fix for their problems, the shortage of qualified IT workers at a time of high demand has put many leaders in a difficult situation. Whatever the motivation, it is clear that the topic is intriguing, and with the rising importance of the CISO in many organizations, the question is certain to be a part of the discussions with senior management.

In the latest Thales Security Sessions Podcast, I spoke with Thom Langford, CISO at DXC Technology, who shed some interesting light on the question, as well as offering some interesting answers.

Thom began with the emphatic statement that he is “resolutely against this talk of there being a skills gap”. Thom sees the problem as more of an “attitude gap” when it comes to hiring and recruitment. His approach uses the philosophy that is used in the military, whereby an untrained individual is placed into positions based on aptitude. If corporations looked internally, they could find people who demonstrate a proclivity towards security, and those people could be trained to be part of the security workforce.

On this point, I agree with Thom. At Thales, for example, we seek people with broad technology skills, as well as communication skills, as part of the hiring criteria. Security is such a broad field, so it is important to cultivate the right people within the organization, and tailor the training to what is needed for the business.

Thom and I take a wide-eyed view of the problem. Rather than blaming everyone else, a lot of the problem originates from technology managers who throw general job descriptions at the Human Resources (HR) team, expecting a perfect fit. One solution is to better engage with the HR process, and beyond that, it’s also beneficial to engage outside of organizations to encourage people with divergent backgrounds to take an interest in security.

Is it possible that the security profession needs better branding? Some people shy away from anything in technology because the impression is that it requires specialized technical skills, but there are other jobs, such as those requiring project management and communication expertise.

What is needed is people who can adapt to change, since the technology field is so dynamic. Also, people are needed who “understand the context in the overall security of the organization, because there are many aspects to security.” However, knowledge of technology is also required to function effectively in the profession. The foundational aspects are technology-driven, and a person who doesn’t understand concepts about data, or identity management, may not be well-equipped to fully understand some of the auditing, privacy, and certification requirements and regulations.

Thom did not entirely agree with the idea that technological knowledge is required to hold these positions. He expressed his point, emphasizing that information security is not just about technology. There are roles around risk management, disaster recovery, certification, and audit that are not technology focused. These have to be better publicized to bring more interest into the field. Thom maintained a strong position on the matter, and it made for a lively, thought-provoking discourse about these disparate thoughts.

This discussion expanded to examine how the role of the CISO has changed over the years, and how this can be a contributing factor in the skills-gap debate. The question that emerged is: What is the actual role of the CISO? Is it to make the organization as secure as possible, or to be more profitable while being the steward of security?

Thom and I concur that the CISO's role is more than security. The CISO needs to understand the business: how risk, legal frameworks, people, and compliance, as well as security, all impact the business. Without that acumen, a CISO will be ineffective. As digital transformation continues, the CISO also has to be closely aligned with development teams.

The conversation continued, covering the importance and need for diversity in the information security profession, and how to better engage to create more inclusion in the field. What is the best way to reach the greatest number of possible future cybersecurity professionals? Will Thom and I disagree? Or will we agree, but each see a different approach to the answer? Tune in to this edition of the Thales Security Sessions Podcast to find out!