Addressing the Cybersecurity Skill Gap: An Open Letter to IT Leadership from James Risler

As the technological landscape continues to expand, many leaders have been forced to grapple with the skills gap in the cybersecurity environment.  In June 2019, the International Information System Security Certification Consortium (ISC)² published a study that revealed a three-million-person deficit in the cybersecurity space, which is particularly startling amid the rise in penetrable threats and the increased criticality of the function.  Further exacerbating the issue, many IT leaders are coupling an already hard-to-find skillset with a number of extraneous, impossibly-combined skill requirements.  Applicants, for instance, are expected to have thirty years of experience in the field, be Python certified, a C++ Programmer, have a CCIE Certification in Security and an MBA.  As a result, these job requisitions linger, often indefinitely.


It’s become increasingly clear to me that many leaders simply aren’t clear what it is they’re looking for.  They’ve found themselves entangled in ambiguous webs with vast skillset disparities, and pad their job requisitions with all of the proficiencies they think are pertinent at any one given time.


I’d argue a different approach.  As leaders, we must be more intentional.


A skill or competency matrix can help provide that level of intentionality.  This tool helps leaders to more intricately understand their teams by critically assessing the skill sets they have, need and/or require for their team’s particular security environment.  And its completion provides a clearer view of the team’s weaknesses or what they may be susceptible to.  Leaders can then more appropriately determine areas for investment, whether in hiring professionals with specific skills and certifications or providing continuing education for their teams based on competencies they may be interested in learning more about.


Although it’s essential for leaders to understand there’s no one-size-fits-all approach, today, many teams are prioritizing skills in automation, artificial intelligence (AI), cloud and data security, risk management and IoT.  Colleges and universities are beginning to teach these skills, but in many cases the learnings haven’t yet been paired with the rigorous application necessary to be proficient in the cybersecurity environment simply due to the cost associated with the hands-on components, equipment and solutions.  It’s critical for leaders, therefore, to encourage and offer IT training and certification opportunities to existing staff, and when hiring, require credible security-related certifications that validate that skills have not only been taught, but also tested, in real-world environments. 


Each company will have its own unique perspective and set of challenges that will influence what types of skillsets will be necessary for their environment.  An online retailer, for example, will have pervasively different needs than an international bank.  And from a security perspective, their training, hiring and continuing education plans would be quite different; therefore, their matrices would be different.


Taking part in training opportunities and remaining thoroughly versed in the threat landscape should be an integral part of IT teams’ jobs.  Unfortunately, many leaders see it as something teams should do on their own time and invest in often with their own funds.  But leaders need to reconsider: if teams aren’t up-to-date on the latest trends and happenings on the threat landscape, they can’t appropriately innovate.  And if they can’t innovate, they will not be able to evolve with our customers and address their changing needs.  The fact of the matter is the more we adapt and change our systems, the more susceptible our teams and customers become to vulnerabilities. 


As leaders, we have to understand that nothing is secure, and that threats will constantly put us on the defensive.  The only way to preempt and combat these threats, should they occur, is to regularly assess skillsets, ensure teams are versed on the evolving threat landscape and become intentional with our training and hiring requirements.


If you would like to learn more about cybersecurity, listen in to my most recent podcast.



James Risler, Senior Manager of Security Content Engineering, Cisco

James is passionate about helping organizations understand the impact that security events can have on business and how to mitigate that risk. That’s why he works to educate individuals and organizations in cybersecurity. He has more than 25 years of experience in the IT industry; he’s started and managed several of his own firms and has worked for major corporations, including Walt Disney World. Prior to joining Cisco, he taught security courses as a Certified Cisco Systems Instructor (CCSI) and consulted with Fortune 500 companies and government agencies.