Solving The Cybersecurity Skills Gap Through Employee “Crosswalking”

It is no shock to those in the cyber community that cybersecurity has become a board-level issue for many enterprises. A PwC survey showed a 20% increase in CEO’s concern over cyber threats. With more and more eyes on CISO’s and their teams, the cybersecurity skills gap has continued to widen a current estimated 350,000 open cybersecurity positions in the US, and a predicted global shortfall of 3.5 million cybersecurity jobs by 2021, reports CSOOnline . The primary shift occurring is the fact that IT is integrating with almost every aspect of the business, where security for years was a siloed function it is now necessary to permeate the entire organization.

Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people. The cybersecurity workforce shortage is even worse than what the jobs numbers suggest. ( Source )

“Gone are the days of siloed IT and security teams. All IT professionals need to know security full stop. Given the complexity of today’s interconnected world, we all have to work together to support the protection of the enterprise.” Robert Herjavec

Two factors put the cybersecurity industry on a course for this job shortage with the massive wave of outsourcing 10 years ago, we lost a massive body of knowledge as those industry veterans are now leaving altogether. Combined with the state of flux that enterprises and the security organizations specifically find themselves in as a result of digitization has left many leaders questioning what skills are necessary to set their organization up for success in the future. According to the most recent Gartner security and risk survey, 86% of respondents say the digital world is creating new business risk.

The immediate solution

First, begin by recognizing that building a security organization for tomorrow starts now. To ensure that your team can support the necessary functions that a digitized enterprise needs, you will need to begin investing in transitioning your teams into those roles. Through 2019, 20% of enterprises will build a security skills management program including experimental recruiting and talent retention practices, up from less than 2% today. (Gartner)

The fastest way to begin is looking internally. This is not a new practice for many senior-level executives, however, in order to support innovative roles you will need innovative hiring practices: widen your scope. Arguably, the cybersecurity skills gap exists because members of the industry don’t know what to prioritize. To transition your organization into the digital age will require new roles and innovative hiring practices.

Security roles of the future: tackling digital risk Digital risk officer

The Digital Risk Officer (DRO) take a holistic view of risk across the entire enterprise. This includes traditional areas of focus such as IT as well as non-technical organizations leveraging digital technology where they are not aware of the risks associated. This individual will also work closely with more advanced technologies that the enterprise is working with including operational technology (OT), industrial internet of things (IIoT), IoT and mobile.

What to look for

This role requires technology business leader with experience leading innovative projects, brings strong connections across the enterprise to facilitate buy-in, and has a rich background in program management.

Where to look

Mid- to senior-level IT management from a team that has exposure to cybersecurity. This individual is going to be working closely with the CISO as a peer but working primarily to ensure that risk is managed and mitigated throughout the organization. They will also be working with new forms of technology as they make their way into the enterprise. Therefore, they must be an effective communicator with a strong background in technology. As the hiring manager, be prepared to invest in an understanding of the regulatory environment and developing their knowledge of security specifically.

Security Ombudsman

Much like a newspaper ombudsman reconciling coverage with the public good, this individual ensures that the clients ― often line-of-business customers ― are supported by security measures (Gartner). This position can be defined as a stakeholder security advocate. They act as a conduit between the core security team and the rest of the enterprise representing and relaying the concerns of non-technical stakeholders and interpreting the strategy of the security team to the rest of the enterprise.

What to look for

A successful individual in this role will bring strong communication skills (written, oral, and interpersonal) and a rich understanding of cybersecurity at a functional and granular level.

Where to look

Start with your auditing committee and internal auditors. These individuals have the rich background in security and compliance that this position will require. Be prepared, however, to invest in their ability to solicit buy-in and hype the organization’s security program. Starting with a technical individual and helping them develop soft skills will require that you support them with mentorship and incentivize the development of those skills.

Data Security Scientist

As the name suggests, this position sits at the intersection of data science and data security. Data science, a more attractive discipline in today’s market, uses advanced mathematical models to manipulate large volumes of data and supplement business decisions. Data security works with large volumes of data to predict, prioritize, and mitigate risk mainly through advanced anomaly detection.

What to looks for

A strong candidate will bring a background in data science (bonus points for projects that cross disciplines). As well as an understanding of the data collected by security teams.

Where to look

Start with your organization’s data analysts. Since this role is a narrower scope than a broad spectrum business analytics position, the probability you will find the right fit from that talent pool is significantly higher. Furthermore, as data science is the baseline skillset necessary, you will need to invest some time in their knowledge of the security space which is significantly less than training a security professional in data science.

Digital ecosystem manager

As the enterprise continues to outsource peripheral functions and integrate automation technologies, they become less like an entity and more like an ecosystem. The Digital ecosystem manager ensures that the enterprise ecosystem stays secure. Where the DRO is focused on the internal risk within the organization, the digital ecosystem manager is concerned with the other players that interact with the enterprise.

What to look for

Think of this role as vendor risk management expanded. As a result, a successful ecosystem manager will bring the skills necessary for that role as well as an effective communication style and a background capable of managing the expansive supply chain and vendor risk for the enterprise.

Where to look

Prioritize security professionals with experience assessing your supply chain. This role hinges on the individual’s ability to communicate effectively with many parties outside of your organization and experience working with third-parties is key. As you may find that this role is the most security specific (and hardest to fill), consider using tools to augment their ability. Specifically, an AI backed IRM solution like CyberStrong that provides automated risk quantification which eases the need for this in hiring an individual with that experience.

Chief of staff for security

As the role of the CISO shifts from the periphery of the c-suite to a critical business function and their organization expands, the definition of their role needs to be altered as well. The chief of staff for security works to alleviate the administrative burden that the CISO could previously manage themselves.

What to look for

This individual has remarkable communication abilities working with both technical and non-technical stakeholders. They also have reasonable program management experience and ability to translate strategic vision into action.

Where to look

This role hinges more on the individuals experience managing a staff than it does on their experience in security. Look closely at senior level staff leads at IT-related organizations within your enterprise that may touch security in some way. The skills that have taken them years to develop are worth prioritizing. Be prepared to invest in developing their knowledge of cybersecurity specifically as they may bring a background in tech ops but potentially limited knowledge in security specifically.

Supplement your teams today with powerful tools

As security moves into the spotlight in the enterprise, the need to grow the function only gets stronger. To date, traditional talent acquisition practices have failed and as a result security leaders need to reassess these practices in order to ensure their teams are prepared for the future.

As security teams change, though, so do the tools available to them. As you begin to scale your organization into a fully fledged business function, take the opportunity to reassess your software stack. Examine the tools your teams are using and question whether newer tools can augment these new practices. Specifically, look at how integrated risk management and AI backed systems like CyberStrong are about to supplement skillsets and help you fill in the gaps in your organization.

It is no shock to those in the cyber community that cybersecurity has become a board-level issue for many enterprises. A PwC survey showed a 20% increase in CEO’s concern over cyber threats. With more and more eyes on CISO’s and their teams, the cybersecurity skills gap has continued to widen a current estimated 350,000 open cybersecurity positions in the US, and a predicted global shortfall of 3.5 million cybersecurity jobs by 2021, reports CSOOnline . The primary shift occurring is the fact that IT is integrating with almost every aspect of the business, where security for years was a siloed function it is now necessary to permeate the entire organization.

Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people. The cybersecurity workforce shortage is even worse than what the jobs numbers suggest. ( Source )

“Gone are the days of siloed IT and security teams. All IT professionals need to know security full stop. Given the complexity of today’s interconnected world, we all have to work together to support the protection of the enterprise.” Robert Herjavec

Two factors put the cybersecurity industry on a course for this job shortage with the massive wave of outsourcing 10 years ago, we lost a massive body of knowledge as those industry veterans are now leaving altogether. Combined with the state of flux that enterprises and the security organizations specifically find themselves in as a result of digitization has left many leaders questioning what skills are necessary to set their organization up for success in the future. According to the most recent Gartner security and risk survey, 86% of respondents say the digital world is creating new business risk.

The immediate solution

First, begin by recognizing that building a security organization for tomorrow starts now. To ensure that your team can support the necessary functions that a digitized enterprise needs, you will need to begin investing in transitioning your teams into those roles. Through 2019, 20% of enterprises will build a security skills management program including experimental recruiting and talent retention practices, up from less than 2% today. (Gartner)

The fastest way to begin is looking internally. This is not a new practice for many senior-level executives, however, in order to support innovative roles you will need innovative hiring practices: widen your scope. Arguably, the cybersecurity skills gap exists because members of the industry don’t know what to prioritize. To transition your organization into the digital age will require new roles and innovative hiring practices.

Security roles of the future: tackling digital risk Digital risk officer

The Digital Risk Officer (DRO) take a holistic view of risk across the entire enterprise. This includes traditional areas of focus such as IT as well as non-technical organizations leveraging digital technology where they are not aware of the risks associated. This individual will also work closely with more advanced technologies that the enterprise is working with including operational technology (OT), industrial internet of things (IIoT), IoT and mobile.

What to look for

This role requires technology business leader with experience leading innovative projects, brings strong connections across the enterprise to facilitate buy-in, and has a rich background in program management.

Where to look

Mid- to senior-level IT management from a team that has exposure to cybersecurity. This individual is going to be working closely with the CISO as a peer but working primarily to ensure that risk is managed and mitigated throughout the organization. They will also be working with new forms of technology as they make their way into the enterprise. Therefore, they must be an effective communicator with a strong background in technology. As the hiring manager, be prepared to invest in an understanding of the regulatory environment and developing their knowledge of security specifically.

Security Ombudsman

Much like a newspaper ombudsman reconciling coverage with the public good, this individual ensures that the clients ― often line-of-business customers ― are supported by security measures (Gartner). This position can be defined as a stakeholder security advocate. They act as a conduit between the core security team and the rest of the enterprise representing and relaying the concerns of non-technical stakeholders and interpreting the strategy of the security team to the rest of the enterprise.

What to look for

A successful individual in this role will bring strong communication skills (written, oral, and interpersonal) and a rich understanding of cybersecurity at a functional and granular level.

Where to look

Start with your auditing committee and internal auditors. These individuals have the rich background in security and compliance that this position will require. Be prepared, however, to invest in their ability to solicit buy-in and hype the organization’s security program. Starting with a technical individual and helping them develop soft skills will require that you support them with mentorship and incentivize the development of those skills.

Data Security Scientist

As the name suggests, this position sits at the intersection of data science and data security. Data science, a more attractive discipline in today’s market, uses advanced mathematical models to manipulate large volumes of data and supplement business decisions. Data security works with large volumes of data to predict, prioritize, and mitigate risk mainly through advanced anomaly detection.

What to looks for

A strong candidate will bring a background in data science (bonus points for projects that cross disciplines). As well as an understanding of the data collected by security teams.

Where to look

Start with your organization’s data analysts. Since this role is a narrower scope than a broad spectrum business analytics position, the probability you will find the right fit from that talent pool is significantly higher. Furthermore, as data science is the baseline skillset necessary, you will need to invest some time in their knowledge of the security space which is significantly less than training a security professional in data science.

Digital ecosystem manager

As the enterprise continues to outsource peripheral functions and integrate automation technologies, they become less like an entity and more like an ecosystem. The Digital ecosystem manager ensures that the enterprise ecosystem stays secure. Where the DRO is focused on the internal risk within the organization, the digital ecosystem manager is concerned with the other players that interact with the enterprise.

What to look for

Think of this role as vendor risk management expanded. As a result, a successful ecosystem manager will bring the skills necessary for that role as well as an effective communication style and a background capable of managing the expansive supply chain and vendor risk for the enterprise.

Where to look

Prioritize security professionals with experience assessing your supply chain. This role hinges on the individual’s ability to communicate effectively with many parties outside of your organization and experience working with third-parties is key. As you may find that this role is the most security specific (and hardest to fill), consider using tools to augment their ability. Specifically, an AI backed IRM solution like CyberStrong that provides automated risk quantification which eases the need for this in hiring an individual with that experience.

Chief of staff for security

As the role of the CISO shifts from the periphery of the c-suite to a critical business function and their organization expands, the definition of their role needs to be altered as well. The chief of staff for security works to alleviate the administrative burden that the CISO could previously manage themselves.

What to look for

This individual has remarkable communication abilities working with both technical and non-technical stakeholders. They also have reasonable program management experience and ability to translate strategic vision into action.

Where to look

This role hinges more on the individuals experience managing a staff than it does on their experience in security. Look closely at senior level staff leads at IT-related organizations within your enterprise that may touch security in some way. The skills that have taken them years to develop are worth prioritizing. Be prepared to invest in developing their knowledge of cybersecurity specifically as they may bring a background in tech ops but potentially limited knowledge in security specifically.

Supplement your teams today with powerful tools

As security moves into the spotlight in the enterprise, the need to grow the function only gets stronger. To date, traditional talent acquisition practices have failed and as a result security leaders need to reassess these practices in order to ensure their teams are prepared for the future.

As security teams change, though, so do the tools available to them. As you begin to scale your organization into a fully fledged business function, take the opportunity to reassess your software stack. Examine the tools your teams are using and question whether newer tools can augment these new practices. Specifically, look at how integrated risk management and AI backed systems like CyberStrong are about to supplement skillsets and help you fill in the gaps in your organization.