How CISOs can better manage an emerging risk: unfilled roles

When Colonial Pipeline suffered a massive ransomware attack in early 2021, an internal vulnerability added to the crisis: The company was operating without its top cybersecurity manager.

The global security workforce needs to grow by 65% to become fully staffed, according to a new study by (ISC)², the world’s largest organization for cybersecurity pros. While modern IT platforms and tools can certainly automate many low-level tasks to help relieve overburdened security teams, chief information security officers must still find better ways to retain existing workers and recruit new ones.

If they don’t, those unfilled positions represent a significant source of risk, security leaders say. Staff shortages are causing misconfigured systems, oversights in following security procedures, rushed deployments, and an inability to recognize new threats — the very kind of lapses that often lead to breaches.

“It really does leave organizations more vulnerable if they don’t have adequately staffed cybersecurity teams,” says Clar Rosso, chief executive of(ISC)².

Moreover, the COVID-19 pandemic has made the problem especially acute. More than a quarter of security staffers temporarily left their jobs or worked reduced hours during the pandemic, according to the (ISC)² report.

In response, leading CISOs are adopting new strategies to fill open positions, and to keep their most valuable existing workers from jumping ship.

Recruit outside of IT

Because there aren’t enough highly skilled cybersecurity professionals to go around, CISOs and HR leaders are increasingly looking outside the traditional IT talent pool to find prospects with the aptitude and adaptable skills. It’s becoming more common for younger cybersecurity workers to start their careers outside of IT. According to the (ISC)² study, just 38% of Gen Z and Millennial security pros started out in IT, compared with 53% of Gen Xers and 55% of Baby Boomers.

“You’re not going to fill a 2.7 million job gap by hiring the same people,” Rosso says.

For people changing careers, cybersecurity is an attractive field: It has open positions in every region of the world with employers in different industries, and holds the promise of steady advancement. Indeed, 77% of cybersecurity pros surveyed by (ISC)² said that they were satisfied or extremely satisfied in their jobs, the highest levels ever reported in the annual study.

CISOs are increasingly considering candidates with problem-solving ability, communication skills, curiosity, and willingness to learn, as well as strong strategic thinking. For those prospects, CISOs “will invest in training for the technical skills,” says Rosso.

The military, government agencies, and trade schools are all rich sources of skills that are “readily transferable to cybersecurity roles,” says a 2020 study from Kudelski Security, a global cybersecurity company. For example, Hiring Our Heroes, a foundation supported by the U.S. Chamber of Commerce, offers 14-week cybersecurity “boot camps” for veterans interested in making a career jump.

Target diversity recruitment

Recruiting from outside the IT universe also presents an opportunity for CISOs to make progress with diversity goals. Women make up just 25% of the global cybersecurity workforce, the (ISC)² reports, and non-white employees hold only 28% of the cybersecurity jobs in North America and in the U.K.

“It’s clear that our industry faces serious future risks if it doesn’t find ways to recruit new talent to its ranks and fill the growing number of vacancies. But more than that, its current lack of diversity poses its own more immediate risks because company systems aren’t homogenous and neither are potential assailants,” says Mandy Andress, chief information security officer at Elastic.

Bringing up those numbers has a potentially greater impact beyond equity; it also supports core security objectives. Broadening the range of educational, geographic, neurodiverse and LGBTQ constituencies in cybersecurity can better equip security teams to assess and manage an ever-widening array of threats.

Andress added that the cybersecurity team she leads as an LGBTQIA+ female CISO includes people who represent the array of human nature when it comes to neurodiversity, sexual orientation, gender identity, race, and age. The picture is just as varied when it comes to background, educational pathway, and industry experience.

“In a multidisciplinary field like this, different perspectives are critical. When threats and tactics change around us daily, the diverse viewpoints on my team help counter complacency by bringing new thinking to situations,” says Andress.

Internally, companies can recruit more diverse candidates by writing job descriptions that aren’t overloaded with technical jargon. “You’ll get a more robust pool of candidates if you write higher-level job descriptions that are general in nature,” Rosso says, “and broaden the places you look for new hires.”

Boost retention with career development

Even after cybersecurity personnel are hired, CISOs often face an uphill battle to keep them. Less than 40% of organizations surveyed in 2021 by Hays, an IT executive search firm, said they could effectively retain the cybersecurity talent they recruited.

Because compensation is so competitive, companies must distinguish themselves in other ways like professional development. Paying for training and certification courses, and helping plot new career paths that promise steady advancement, can be highly effective.

“Will you retrain people? Will you bring people in at a more junior level and give them a mentor or leaders to develop them further? Those are important factors,” says Christine Wright, senior vice president at Hays.

The shift to remote work during the pandemic could ultimately pay dividends by giving employers a new perk to recruit and retain security pros.

“The pandemic has freed me to stop asking people to move to one of a few cities and instead allows me to meet talent where they are in the country or the world,” says Justin Berman, CISO at healthcare company Thirty Madison. “The ability to collaborate, communicate, and function as a team across diverse locations was always critical, but now it’s a strategic differentiator on hiring, because if you won’t let them, someone else will.”

Matt Palmquist is a freelance business journalist and former contributing editor of Strategy+Business magazine.