Efforts to fix the 4 million global cyber pro shortfall may someday pay off. Until then, CISOs have practical solutions at their disposal.

Empirical evidence shows that global cyber threats have roughly doubled in the past few years. The IMF analysis “Rising Cyber Threats Pose Serious Concerns for Financial Stability” (the title itself is ominous) outlined $12 billion of losses from some 20,000 malicious cyber incidents against the financial sector alone over the past 20 years.

Unfortunately, this rising threat environment coincides with a well-documented cyber talent gap. The World Economic Forum, for example, estimates that collectively we are nearly 4 million cyber professionals short of global requirements. ISC2 cites the same 4 million figure in its 2023 Cybersecurity Workforce Study, noting that this is an increase of 12.6% over the year before: not a rosy picture.

Worse is how the confluence of rising threats and widening talent gaps is playing out for security teams everywhere. While efforts by vendors and educational institutions to expand the talent pipeline in the future are welcome, CISOs face practical ramifications they must address here and now. Luckily, there are some steps worth taking.

The talent gap’s impact on your cyber team

The talent gap’s strain on the workforce is very concerning. As the World Economic Forum notes, 71% of organizations have vacancies for cybersecurity roles. Worse, because of this gap, existing cyber staff have to do more than one person’s job. The stress and pressure this creates makes the situation for cyber staff even harder, and makes a career in cybersecurity even less attractive. Yes, salaries are higher than in some other areas of IT, but so is the workload. To make matters worse, the shortage is uneven: certain countries and industries are further crowded out by the economics of supply and demand.
Even within organizations, there are noted gaps in critical skills such as cloud, AI/ML, and zero trust. But that is just what generates headlines. From my own experience, I can add a number of key security skills that are hard, if not impossible, to find, including:

- Cyber architecture
- Identity and privileged access
- DevOps
- Intrusion detection
- Network security
- Threat intelligence
- Cyber regulatory governance

Rolled up together, this is a long list, touching nearly every corner of cybersecurity operations.

Security strategy danger zone

Because of these gaps, and the strain on existing resources, cyber maturity improvements are often delayed. As a result, your organization’s ability to prepare for cyber threats is immediately impacted, which is yet another hit to the cyber team’s morale. The key security activities most often affected are:

- Time to patch vulnerabilities
- Control over the configuration of systems
- Focus on risk assessment and management
- Speed of response to incidents

Moreover, under-resourced security teams often end up over-reliant on third-party support. For the CISO this is not welcome, as it keeps them in the danger zone longer. Remember that the average tenure of a CISO is about two years, and the present situation can only make these roles more stressful.

The pipeline problem

So how do we address this issue? Educating 4 million people in cybersecurity is a big endeavor. This is what vendors such as Google, Microsoft, and others have taken on with their cybersecurity certificates and training programs. Government agencies around the world have also committed to programs addressing the gap. But in the workforce, experience trumps education, and while qualifications are useful, they are no substitute for battle scars. As a result, most companies are reluctant to hire new graduates into these roles.
In time, this approach will help close the gap, but it will require companies and governments to encourage apprenticeships so that the entry barrier disappears, because graduates would already have three years of experience in cybersecurity roles by the time they are hired. Until then, CISOs will continue to contend with this issue, so it is important to rethink skilling strategies to address the matter head on.

Adjacency is one answer, rethinking hiring is another

How do we upskill existing staff who work in adjacent fields and can learn cybersecurity? One example is an enterprise cloud architect, who already has a base-level understanding of cloud security or application security and could be developed into a security professional with more in-depth learning. Similarly, some DevOps engineers have a great feel for DevSecOps and may be able to shift gears into taking on that role full-time. They already speak the language of engineers, so they have the advantage of not having to learn it. Specific training and cyber certifications can help bridge some knowledge gaps. But the trick for CISOs is being able to identify staff in other teams who could make the shift to the security team. It takes a certain acumen to pinpoint the experience and behavior that mark a strong candidate for a cybersecurity role. Developing a rotational program is one way to address this. I would imagine that take-up would be high, as cyber is seen (by outsiders) as a great career move.

Another point of note: cybersecurity has long had a diversity problem. CISOs need to think more broadly about talent in order to find new talent pools. Hiring women into the team is crucial. Unfortunately, this is still not commonplace, and while the Women in Security movement is growing, there are still not enough women in the security organizations of many companies.
Overall, the CISO and cyber leadership team must try different strategies and make hiring a core competency of their roles.

Automate what you can

Another way to alleviate the stress on under-resourced teams is to automate wherever possible. Cybersecurity processes involve a lot of manual work. By prioritizing automation, CISOs can free up time for their team to focus on more strategic tasks. These automation efforts can draw on data and AI, but those areas may not be natural strengths of the CISO and cyber team. Realizing the potential of AI and data is a topic in itself; suffice it to say that the average CISO does not have a background in data or AI, so using them for automation may require collaboration with other teams, which is not always an easy fix.

Foster an attitude of success

Finally, to ensure higher morale, attitude is critical. Staff must feel they are making a difference and that they are valued. Some years ago, my cyber team, at my prompting, had T-shirts made for an offsite meeting. They were bright pink (not black) and said “Cyber Rock Star.” We wore our T-shirts proudly, and the team was very successful, as a group and individually.

To fix the problems brought about by the cybersecurity talent gap, we have to lead by taking the challenge on. It will not solve itself, and merely competing for existing talent does not help or make anyone more secure; it only drives salaries higher. Strong interventions by companies, industries, and, where appropriate, government bodies will help accelerate an answer to the gap. In the meantime, as CISO, you must take care of your teams, look inward for talent, establish meaningful upskilling and career development programs, and widen your lens to overlooked talent pools when hiring.