The interdependency of people, policy and products amid a cybersecurity talent shortage

Several CISOs I’ve spoken recently have lamented, while cybersecurity assurance stands on three legs – people, policy and products – the industry is weighted down by one overarching problem: a shortage of talent with the right skills.

It’s true of course, but it’s also a little more involved because a decision about any one of the three legs has a relational effect on the others.  A skills shortage isn’t just a human resources problem, it also has implications for policy and products too.  

Navigating alternative sources of talent

Few sectors in the economy can claim zero or near-zero, unemployment.  That security does has forced the industry to find creative ways to navigate the talent shortage. 

Consequently, many organizations have opted to hire individuals with an aptitude to acquire the necessary skills on the job rather than demonstrated experience.  Today, it is not uncommon to find people hired with little more than a degree in epidemiology, linguistics or music – and an eagerness to learn cybersecurity. 

For example, there are many senior leaders that have pointed to the similarities between music composition and cybersecurity. Both technology and music involve learning a new language and understanding how to manipulate new concepts, like words, phrases, musical notes, and software code, into meaning.

While this talent acquisition strategy has proven successful in some organizations, it also introduces complications when things go horribly wrong.  We all remember the criticism leveled at Equifax when it was discovered a key employee had a music degree. 

Indeed, the optics look bad to the casual observer, but my thesis is such that when things go wrong in this way, it’s because the pillars of policy and products are out of alignment with the people strategy.

Effects of policy in a skill shortage

Security policy is one of the most difficult challenges for CISOs.  It is often considered a balancing act between security and business efficacy. Yet the talent acquisition strategy should also be a factor in the policy consideration.

The traditional password policy is a simple but solid example.  It was once considered best practice to make users create unique and long passwords – and then force a change regularly.  The concept sounds logical, but such policy adversely affects security for two important reasons.

First, the inability to remember complex passwords spurs users to simply write them down.  This was often rendered in the form of brightly colored sticky notes placed un-surreptitiously under a mouse pad.   

Second, those that didn’t write passwords down, were prone to contribute to the volume of reset calls to the IT department. This is a systemic taxation on resources that also introduces a new way for adversaries to gain access through social engineering. 

Aptitude and enthusiasm cannot hold their own against experience if the policy is working against them.

Impact of products on talent

Many of us learned to ride a bike that was matched to our skill level.  If you had a bike, chances are your first one was modest in size and came with training wheels.  In this context, it’s easy to see potential pitfalls had we been invited to learn on a bike designed for competitive or professional races.

Technology clearly has an impact on talent and policy – and vice versa. If you accept the premise that people, policies and products in cybersecurity are interdependent, then the security technology choices must complement the policies and personnel strategies amid the skills constraints in the market today.

To be clear, vendors are not immune from criticism.  In fact, more than ever, they have an obligation to reduce complexity, rally around standards, and support interoperability.  

Aligning people, policy and products

For most CISOs, recruiting, staffing and professional development will be a primary leadership challenge for the foreseeable future.  Whether an organization chooses to pursue alternative sources of talent or not, the dependent relationship between people, policy and products should not be overlooked.