Cultivating Cybersecurity Talent in Your Organization [VIDEO]

by Brad Garland


Cybersecurity, as an industry, is where the technology industry was as a whole 25 years ago. Businesses were struggling to understand how much or how little technology resources they needed to deploy in their organizations and often tried to do it as cheaply as possible. Organizations that realized investing in technology resources and people could create much more scalable and efficient businesses won the day.

The same is happening in cybersecurity. 

The cybersecurity industry as a whole is still in its infancy, but the demand for strong employees is high. Organizations that can afford a dedicated cybersecurity resource need to be clear on what their responsibilities are and what their goals are to help the business manage risk. Otherwise, there are many other ways to outsource portions of the job or to share the role across qualified people in-house that could deliver some of those same skills.

Thinking ahead 25 years, I see the CSO position being at the same executive tables with the CEO and CFOs. That happens by the CSO learning the right soft skills and business skills to translate everything they know in technology and cyber risks and communicate it at a business level to any other C-Level.

 Video Transcript:  

So I wanted to provide a video today that just posts a little commentary on some of these articles that are poppin' up recently. This is one here from TechCrunch, just talking about the shortage of cybersecurity professionals, and how it's such a gigantic problem in 2019. You know, this is something that we, obviously, experience quite a bit, because we're in the space. You know, the article goes on and states that globally there is going to be a need in 2019 for three million positions to fulfill the cybersecurity needs across the world. That's a 40% increase over August of last year. And, you know, I just wanted to talk a little bit on why is that the case? Why do we have those shortages? And are there some ideas that we could start incorporating within our organizations that may actually help, you know, at minimum, protect your organization, or help gain more cybersecurity professionals within your organization, too? So, one of those is that the organizations are a part of the problem themselves, because they still believe that information security professionals, or the cybersecurity topic, can just be handled by the IT guy that's been employed there for the last 10, 20 years. Well this, information security, what I like to say is, saying that you're in information security today, is like saying that you're in the IT space 20 years ago. Cybersecurity can mean so many different things. There are so many different disciplines and roles, and things that you can specialize in, that they weren't even here, or even a real job 10, 15 years ago. So it's just something that, it's not a fair ask to ask your IT guy, hey, can you handle all this cybersecurity stuff, too? 'Cause there's hardware, there's software, there're certifications that you need to get, there's the whole policy side, the government side, the risk management side, it just goes on, and on, and on, it's just so big, and it's impossible to give it to just one, or even two people.
You know, secondly, you gotta look at the schools, you gotta look at what the schools do, and what the schools don't do. Thankfully, I've been encouraged the last five or ten years that they're getting better. You do see some programs coming out that actually offer a cybersecurity certification. Back in the day, in the early 2000s, when I was going to college, they just had computer science degrees. And cybersecurity wasn't even really a topic, today they actually have some of those degrees, but students are going through the universities, and actually looking at, you know, what's gonna get me the most money? And there's some other IT-related certifications, or I should say diplomas, that people would rather go down. And one of the big challenges, and this article states it, too, is that there's not enough prereqs, or at least a part of other degrees, that include cybersecurity underneath it. So you could be a programmer without taking a whole lot of cybersecurity classes, and I think that that's a misstep. So there needs to be more of those prereqs of cybersecurity within a degree, whether it's computer science, or engineering, or whatever the case may be. There are certification bodies, like the ISC2, or CompTIA, for example. They're starting to better provide a cybersecurity roadmap for these certifications. Before, there were just one or two, that all you could really take. And now they have multiple different types of certifications, whether you wanna go down the forensics path, you wanna go down the information security auditor path. You could take different paths, depending on what your interests are. So it's encouraging to see that at least we have some of these certification bodies that are helping in the specialty of it all. Lastly, I would say, you still need to think of your organization, and your employees, you can't just give it to an IT guy. You really need to look for ways to train up your employees, as well. 
And so there's a concept of democratizing some of this cybersecurity information. And so I would encourage both IT and non-IT people alike, to attend some of these free groups that are together, cyber bootcamps, there's various meetups around your local area, hackathons. And encourage folks, and incentivize folks, potentially, to do more of that. And it's the concept of tides rise all ships, right? So, even if it's a non-IT guy going to one of these, and they take one, two, three nuggets away from it, that's a win for your organization, that they can come back, they can communicate what they learned, and hopefully raise the awareness of cybersecurity within your organization. So, you might give that a shot. And sometimes when it comes to these roles, on-the-job training is necessary. It's one of those that they may not be perfectly positioned, you have the role you need to fill, the candidates are coming in, they're not exact candidates, or you can't afford 'em, potentially. So finding somebody that has the interest, that has a little fire in their belly to learn, might be the good next solution. So, on-the-job training's not the end of the world either. And, again, because of these certifications and these various groups, this might be a good way for them to start learning. So, hope this is helpful. You know, we're gonna try to do more of these in the future, of just putting some commentary around some of these articles, and our take on where we feel like it needs to go. And hope it's been encouraging to you, and love to hear your feedback. And hope you have a good day, thanks.