How to Unlock Cybersecurity Talent
By Daniel Conroy
Synchrony Financial CISO
Today the cybersecurity sector is fraught with the challenge of a diminished talent pool. Cisco’s report, “Mitigating the Cybersecurity Skills Shortage,” highlights the worldwide shortage of one million information security professionals. It sends out a disturbing warning to the cybersecurity industry to bridge this gap immediately or face consequences with significant costs.
There is no doubt that the number, scale, and sophistication of operational technology attacks will continue to increase thereby putting connected transportation, health, energy and financial systems at risk.
A recent report published by Accenture puts the success ratio of cyberattacks at one out of every three. The threat is clear. The security sector needs to immediately mobilize resources for bridging the gap in numbers without compromising the quality in talent.
Improvements in security technology may offer a partial solution, but ultimately, it’s the people on the frontlines—and in the back office—who are responsible for building and protecting information technology systems.
Unfortunately, there just aren’t enough qualified cybersecurity professionals. The only way for companies and government organizations to fill this talent gap is to comprehensively groom and nourish future cyber warriors.
Three Keys to unlocking the next generation of cybersecurity talent
Research & Development
The first step in increasing the supply of cybersecurity professionals is investing heavily in the field. The investment needs to be directed towards development of hard and soft infrastructure for professional cybersecurity courses, promoting collaboration between universities and the private sector, and providing grants for cybersecurity research.
These steps will serve as push factors for people already in the cybersecurity domain and as pull factors for students in high school and university, strengthening the supply chain of cybersecurity talent.
When it comes to the education sector, it is important to understand that cybersecurity should not be treated as a secondary topic that students of other professional courses learn only a little about. Given the emergence of cyberspace as the fifth domain of geopolitical engagement (land, air, water and space being the other four), it rightly deserves to be taught as an independent subject.
Unless dedicated professional security courses are taught in colleges and universities, cybersecurity policy could remain disjointed and disconnected. The private sector needs to step forward and shape the content of these professional courses.
The onus lies on all of us to correct the disjointedness in what is being taught and what is required. A cue can be taken from the recent partnership between Synchrony Financial and the University of Connecticut (UConn) to establish a Center of Excellence in Cybersecurity at UConn.
Recruitment & Hiring
Companies looking to hire cybersecurity professionals may need to rethink their approach. While recruiting, candidates’ skills and certifications should not be considered in silos but assessed against different attack situations and how those skills would be applied in each.
For example, consider a situation in which hackers have succeeded in breaching your organization’s network. In these situations, there is a natural tendency to focus on making sure similar incidents don’t take place in the future. Now consider the candidates you are evaluating for recruitment. The focus should be on how effectively the candidates can learn from the breaches and put in foolproof systems to prevent any future attacks from succeeding.
In simple terms, the talent pool you are assessing should have proactive traits, not just reactive responses that are focused more on following standard practices and less on innovation and improvisation through experience and learning.
That’s why when hiring, it is important to focus more on attitude, passion for learning, and self-reflectiveness than purely technical skills. For a top-notch security team, the team members should be able to solve complex problems. To do so, they need to be able to step back and take an honest look at what is and isn’t working so they can quickly identify the best path to make fixes and move forward. This ability to reflect, learn and adjust is the only way to respond in real-time to an unprecedented attack.
Recruiters should look beyond their usual hunting grounds and consider professionals with diverse backgrounds, from mathematics and computer science to psychology and data science. Companies should also reach out to high-profile hacker conferences like BlackHat and DefCon that may feature talent that bypassed the secondary education system. Diversity of teams leads to diversity of thought, which is essential when trying to solve problems that may not even exist yet.
Training & Mentorship
Businesses need to give their entire IT department the resources and opportunities necessary to stay prepared and up-to-date on the latest cybersecurity defenses. Challenges that may not affect your business or sector today could easily migrate tomorrow. That’s why it is critical to continually train IT and network operations staff on cybersecurity practices.
This can include sending team members to major national and international conferences, providing ongoing certification courses, implementing analyst exchange programs so that cybersecurity professionals can be exposed to different systems, and helping employees build their networks so they can learn from their peers.
Companies should also try to nurture the natural hacker mentality of many cybersecurity professionals to make sure that they stay engaged. For example, organize ‘Capture the Flag’ tournaments, pitting security analysts against each other in a safe, competitive environment that challenges them to solve a complex problem. The security battle can’t be fought single-handedly. Success is dependent on the best cybersecurity professionals working together and helping develop the next generation of talent.
Disclaimer: The opinions expressed in this post are those of Daniel Conroy and do not necessarily represent those of Synchrony Financial or Security Current.