Could The Cyber Sec. Talent Crisis Come Down To Perception, Biases?

Analyzing Different Skills, Statistics & Initiatives



Dan Gunderman
08/22/2018

It’s no mystery that the cyber security industry is a double-edged sword. A lucrative endeavor, there is virtually no unemployment in it, and salaries are quite high. But it is fleet-footed and understaffed.

While security awareness is growing in the enterprise – at all levels, from the workforce to management – it remains dynamic and tough to document. It also faces “cultural” problems stemming from “unconscious bias” and preconceived notions about the job.

According to Cybersecurity Ventures, there will be 3.5 million unfilled industry jobs by 2021. Conversely, according to the same outlet, cyber-crime will cost the world $6 trillion annually by 2021 (up from $3 trillion in 2015). What’s more, 57.2% of respondents to a Cyber Security Hub audience poll said their enterprise is affected by the shortfall.

And therein lies the dilemma: the space is growing meteorically, yet it is understaffed and arguably underrepresented at grassroots levels, including middle and high schools. Students often overlook STEM programs by the age of 16, especially females made to think that cyber security is a siloed job for tech-savvy men.

How do these many parts coalesce? CISOs are charged with everything from awareness to network defense, and numerous groups, nonprofits, organizations, etc., are raising their voices about the importance of security, and diversity at its workstations.

‘Building Talent From Within’

Brian Ahern, CEO of Threat Stack, recently told the Cyber Security Hub that “too many organizations are reacting to the skills shortage by throwing money at the few qualified candidates rather than building talent from within.”

He continued: “Most businesses are buying tech or point solutions to cover this gap rather than building security into their organizational culture by mapping solutions back to people and processes. In order to combat this, vendors need to be consultative and think about more than just their products. Every organization needs to prioritize security as a value driver so it can serve as a competitive differentiator rather than a roadblock to innovation.”

There must also be cultural shifts (tectonic ones at that) within the enterprise that facilitate this growth.

Management Style

For example, Alain Espinosa, Director of Security Operations, Online Business Systems, recently said on an episode of “Task Force 7 Radio” that, “The days are gone of sitting in a cubicle, and simply getting an assignment. I’m glad for that.” It’s more engaging now.

Espinosa said the upper-level security role comes down to empowering others and not micromanaging every behavior. He also said he meets with staff, one on one, at least every two weeks. This helps retain staff, praise their efforts and reinforce business objectives.

If today’s security practitioners depend on a similar strategy, they may be able to retain staffers and boost their ranks. But again, “it takes a village” and that means the aforementioned grassroots efforts (partnerships, mentorships, etc. at the middle and high school levels).

‘Can’t Do It Alone’

Similarly, Shelley Westman, Principal and Partner, Ernst & Young (EY) Cyber Security Practice, recently told “Task Force 7 Radio” host George Rettas: “Men are four times more likely to hold C-Suite and executive positions than women. Why? There has been discussion and effort, and women have been speaking up for change.”

But women cannot do it alone. The industry needs to spearhead concerted efforts to fill the ranks, and do so properly, with women and minorities.

“I can stand on every rooftop (and shout about it), but I’m still not going to really drive change,” Westman said. “We need men, or 90% of the cyber interest, to talk about this. Diversity is a business imperative. Diverse teams drive better results across the organization. Diverse teams are more innovative, objective and collaborative. That’s critical in cyber security.”

An appropriately built staff remains both productive and tenured. Yet, that can only take hold once the preconceived notions about cyber security are altered and demystified. For example, Westman suggested a total revamp of the visualization of a hacker. It can no longer be a sweatshirt-wearing male in silhouette. She said efforts like that will bring clarity, and perhaps engage different audiences earlier on (so, in effect, gradually build the cyber ranks).

Attention To Cyber

Elsewhere, the industry is firmly dependent on awareness campaigns, overall visibility and initiatives to stake its claim in the enterprise and the global marketplace.

Some companies and governments are taking matters into their own hands, crafting tools to ease the transition into cyber (for students, or professionals with diverse backgrounds, etc.). For one, Popular Science’s “Bootcamp Bundle” is a helpful starting point for students and professionals. With dozens of courses and video training (with certification), the bundle is an interesting way to engage audiences and cover many facets of digital security.

Elsewhere, governments are investing in cyber security – to improve visibility, perception and operations. According to Haaretz, this month the Israeli government decided to invest 90 million shekels ($24 million) to “shore up the country’s cyber security industry as a global leader.” A three-year program allows companies dealing with high-risk research and development to receive up to 5 million shekels per year. Investments such as this are key in drawing attention to cyber and allowing for organic growth (in turn, it is likely job candidates will follow suit).

The U.S. is engaged in some helpful initiatives as well – which could reemphasize the importance of cyber and even nurture its up-and-coming talent.

According to GCN, on Aug. 12, the DOD and HackerOne took part in the “Hack the Marine Corps” program. A bug bounty event, it allows hackers to try to crack the Corps’ public-facing websites and services, to “harden defenses.”

The more activity and brainpower falling into cyber security, then, the more likely it is that moderately interested candidates might pursue the craft.

Of course, there is no one-size-fits-all solution, but various initiatives and cultural shifts should direct attention to the space in the coming years. In the meantime, that double-edged sword remains sharp.
