Companies Look to Retain Cyber Talent
The economy grows. Companies create more jobs. A music artist tops the charts for the fifth week in a row. Wi-Fi speed increases. But a trend on the rise is not always a good thing, and that’s currently what’s happening with the cybersecurity workforce.
(ISC)² revealed in its latest workforce survey that the cybersecurity workforce gap increased to more than 2.9 million globally in 2018—surpassing earlier estimates that 1.8 million cybersecurity positions would be unfilled by 2020.
“Despite increases in tech spending, this imbalance between supply and demand of skilled professionals continues to leave companies vulnerable,” according to the survey. “It’s no surprise that research shows the shortage of cybersecurity professionals is now the number one job concern among those who already work in the field.”
To reach that conclusion, (ISC)² surveyed nearly 1,500 cybersecurity and IT professionals who spend at least 25 percent of their time working on cybersecurity activities as part of their employment. These professionals were from North America, Latin America, Asia-Pacific (APAC), and Europe.
The survey found that while there is a global shortage of more than 2.9 million workers, the APAC region has been impacted the most.
“APAC is experiencing the highest shortage, at around 2.15 million, in part thanks to its growing economies and new cybersecurity and data privacy legislation being enacted throughout the region,” the survey found.
For instance, many nations—such as China—have created new requirements to store citizens’ data within their borders. This has put pressure on businesses to hire new talent to stand up these operations to be compliant with the new regulations.
North America follows APAC with roughly 498,000 unfilled jobs; then Europe, the Middle East, and Africa with 142,000; and Latin America with 136,000.
While the workforce shortage is impacting regions at different rates, some of the overall effects of the shortage are the same. For example, 59 percent of survey respondents said their companies were at a “moderate or extreme risk of cybersecurity attacks” because of the lack of personnel.
The shortage also has an impact on existing cybersecurity staff. Many reported that they lacked the resources to do their jobs effectively (29 percent), had an inadequate budget for key security initiatives (28 percent), and lacked the time to do their jobs effectively (27 percent).
To address the shortage, some companies are planning to devote more resources toward cybersecurity and hiring new staff.
Areas that respondents identified as being most critical to their continued development in the field included security awareness, risk assessment and analysis management, security administration, network monitoring, and incident investigation and response.
Cybersecurity workers also stressed in the survey that while they spend time on incident response and endpoint security management, they would prefer to devote more energy to high-value tasks like threat intelligence analysis, penetration testing, and forensics.
Despite these findings, most cybersecurity professionals (68 percent) said they were somewhat or very satisfied with their positions and are thinking about the long-term trajectory of their careers and professional development.
“Whether companies are supporting training and certification efforts, or cybersecurity pros are pursuing them independently, one obstacle rises to the top,” the survey found. “They all report that they need more time carved out for professional development. Again, companies have an opportunity to step up in ways that have a meaningful influence on cybersecurity operations.”
To address the cyber workforce shortage, employers are taking a variety of approaches. Some are changing their recruitment strategies to look at factors beyond degrees, instead focusing on experience and the ability of individuals to learn on the job, said Jeffrey Dodson, global chief information security officer and vice president of cybersecurity at BAE Systems, in a panel at ISC West in Las Vegas.
BAE’s approach mirrors what the survey found is happening elsewhere: organizations are paying less attention to the degrees candidates have and giving more credence to experience.
For instance, (ISC)² survey respondents said the most important qualifications for employment in cybersecurity are relevant work experience (49 percent), knowledge of advanced cybersecurity concepts (47 percent), and certifications (43 percent). Just 20 percent of respondents said a cybersecurity, or related, undergraduate degree was an important qualification for employment.
“As professionals gain on-the-job cybersecurity work experience, organizations can help close the gap by providing more training opportunities—and focusing on the types of training that those already in the cybersecurity field find the most helpful,” according to the survey.
Dodson said BAE is embracing this approach, and while the initiative has received some pushback from human resources personnel, it has also helped with recruiting the millennial workforce—which now represents a majority of the overall workforce—and, with Generation X, 35 percent of the existing cyber workforce.
Other changes that organizations can make to recruit talent, and retain it, include creating flexible work schedules for improved work–life balance, the opportunity to work on meaningful projects, and regular check-ins with supervisors for feedback. These efforts help employees feel engaged in the workplace and are more likely to encourage them to stay in their positions, said Dodson’s copanelists and ASIS International Young Professionals Council members Angela Osborne, PCI, regional director at Guidepost Solutions, and Michael Brzozowski, CPP, PSP, risk and compliance manager at Symcor.
Another recruitment strategy that organizations are taking is more of a grassroots approach to reach segments of the population that might otherwise be overlooked or unengaged.
One company that’s embracing this philosophy in a unique way is Bugcrowd. Founded in 2013, Bugcrowd is a crowdsourced security testing company that provides bug bounty services to clients, including Mastercard, iJet, Motorola Mobility, and more (See “Most Wanted: Computer Bugs,” Security Management, August 2015).
Bugcrowd, however, doesn’t hire traditional employees. Instead, it relies on a crowd of researchers to sign up to participate in its public and private bug bounty operations. These researchers come from a variety of backgrounds, including cybersecurity professionals already employed elsewhere looking for some extra cash and researchers who make their livings off bug bounties.
To recruit new researchers, the company created the Ambassador Program. It hosts small events and security meetups—often one-day conferences where Bugcrowd ambassadors identify potential researchers with valuable skill sets. Ambassadors then offer to introduce the recruit to the vice president of researcher growth or point him or her towards additional Bugcrowd training material, says CSO and Vice President of Operations David Baker.
Some recruits are also encouraged to participate in Bugcrowd’s competition events—such as a capture the flag cybersecurity competition.
“Those who do well at the game are recruited into our platform,” Baker says. “We help you get onboarded and into the public programs. Then when they do well in the public programs, they get recruited into the private programs—which are more lucrative for the researcher because there’s less competition within them.”
Bugcrowd also attempts to match researchers with bug bounty programs that cater to their skill sets. For instance, the company built a taxonomy of cyber vulnerabilities. It looks at the area a researcher tends to gravitate towards—such as configuration bugs—to match with a client that is looking to test its resilience to that vulnerability.
“It’s important for the researcher because it takes advantage of their unique skills, and by taking advantage of what they’re good at, it’s going to ensure that they earn money,” Baker says. “On the flip side with our customers, it makes for a much more positive experience for them.”
For instance, being well-matched means researchers are more likely to identify vulnerabilities in clients’ systems that can be addressed to enhance their overall security. And, in some instances, developing a strong relationship with a researcher can lead to hiring that individual for an internal cybersecurity role.
Bugcrowd is also taking the initiative to educate its workforce based on feedback from researchers who want to learn more about new threats to increase their skill sets, says Casey Ellis, chief technology officer and cofounder of Bugcrowd.
To do this, in 2018, the company launched Bugcrowd University, which provides free education and training modules to its researcher community. The education is developed in-house and consists primarily of webinars that researchers can work their way through at their own pace.
And Baker says that both the recruitment and education efforts are helping increase researcher engagement. While he did not specify how many active researchers there were when the company was created in 2013, Baker did say that as of April 2019 there were 4,000 active researchers—1,000 of which were added within the last year.
“We are a marketplace,” he explains. “… routinely we need to grow our research community. That means that we’re making sure we’re identifying talent at the grassroots level to get researchers and smart people who want to be part of our community.”