Ad Image

Home Grown: How to Fill the Cybersecurity Talent Gap from the Inside

Cybersecurity Talent Gap

Cybersecurity Talent Gap

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. Pieter Danhieux of Secure Code Warrior discusses how filling the cybersecurity talent gap starts with getting everyone on board with security familiarity.

Like other senior executives across the board, chief information security officers (CISOs) are feeling a sense of urgency to hire the right candidates– right now: The number of global cybersecurity job vacancies has grown to 3.5 million, up from 1 million in 2013.

At the same time, the number of weekly cyber-attacks per organization increased to just under 1,200 last year, or 38 percent more than in 2021. With the average cost of a data breach reaching a record high of $4.35 million, it should come as no surprise that three of five U.S. CISOs say stress poses the largest personal risk they face, followed by burnout (as cited by 53 percent of CISOs). Traditionally, we invest in recruitment to close skills gaps. But we should instead commit to upskilling our current workforce as a much more affordable response: Talent management and development company E.L. Goldberg & Associates estimates that the total cost to hire a new worker can amount to three to four times the position’s salary– or $240,000 or more to fill an opening with a starting salary of $80,000 a year. When CISOs focus solely on hiring outside talent, they compete against other companies for those candidates, and that only drives up recruitment expenses and efforts.

The universal corporate culture still generally believes that outside hiring represents the primary way to fill in talent gaps. However, given the mounting hiring costs and the severe consequences of cyber threats, CISOs would greatly benefit from re-evaluating how they address the situation by looking within. Instead of the traditional recruitment of outside candidates, we should leverage proven, internal performers. Those performers may not be highly skilled security professionals. But by providing proper learning pathways and support, leaders can empower them to take on critical roles in cyber defense.

Download Link to Data Integration Buyers Guide

Filling in the Cybersecurity Talent Gap from the Inside

In our research, for example, we’ve found that a large number of software developers say they lack the knowledge to address security vulnerabilities, or aren’t aware of what makes code vulnerable. The majority say more extensive training in secure code best practices would eliminate both common vulnerabilities and future patching.

Historically, we fail to invest in existing inside talent adequately. However, this creates additional issues, as 58 percent of professionals are likely to leave their organization due to a lack of development. So how can CISOs enrich the protection of cyber assets, bottom-line results, and team improvement by retraining from the inside?

Here are four best practices to consider:

  1. Debunk the myth. Managers often get trapped into thinking, “If we give employees more training and tools, we’ll raise the risk of them leaving us for our competitors.” This, however, is a myth. Elevating knowledge through training only enhances an organization. It improves needed skill sets, of course, but also engagement, morale, and company loyalty.
  2. Bring the entire C-suite on board. This effort can’t be limited to the CISO and chief human resources officer (CHRO). You have to get a sense of the role cyber defense plays in every facet of the business, and then collaborate with all top officers to identify which skills best support essential security requirements.
  3. Focus on top-priority needs. There are obviously different security skills to fit different security needs, so you should customize curriculums accordingly. To cite our developer example, you could conclude that poor coding may be your biggest concern. As our research shows, developers need to know how to identify and fix vulnerable code. When they spend time upskilling with security-side team members, they learn how to use the right tools for protection from the very start of the coding process.
  4. Get immersive. Candidates thrive with hands-on, interactive experiences as opposed to static solutions. They benefit by solving problems that exist in the real world, using agile learning methods that can deliver them the right lessons at the most beneficial, relevant times, in “microbursts” that greatly improve the chances of information retention and engagement.

The uncomfortable truth is that our adversaries don’t suffer from the same talent issues as we do– there’s no shortage of threat actors out there finding new and, unfortunately, effective ways to compromise us. That’s why we need to come up with impactful ways to build the workforce strength required to counter these threats. By focusing on upskilling existing, internal staffers, we open up a significant, yet still relatively untapped resource. And this will better position us to thwart our adversaries for now, and the indefinite future.

Download Link to Data Integration Buyers Guide

Pieter Danhieux
Follow Him
Latest posts by Pieter Danhieux (see all)

Share This

This article was written by Pieter Danhieux on August 25, 2023

Pieter Danhieux

Pieter Danhieux

Pieter Danhieux is the Co-Founder/CEO of Secure Code Warrior, a global security company that makes software development better and more secure. In 2016, he was No. 80 on the list of Coolest Tech people in Australia (Business Insider) and awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association). Pieter is also a Principal instructor for the SANS Institute, teaching military, government, and private organizations offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. He also serves as an advisory board member of NVISO, a cybersecurity security consulting company. Before starting his own company, Pieter worked at Ernst & Young and BAE Systems. He is also one of the Co-Founders of BruCON, one of the most awesome hacking conferences on this planet. He started his information security career early in life and obtained the Certified Information Systems Security Professional (CISSP) certification as one of the youngest persons ever in Belgium. On his way, he collected a whole range of cybersecurity certificates (CISA, GCFA, GCIH, GPEN, GWAP) and is currently one of the select few people worldwide to hold the top certification GIAC Security Expert (GSE).

Related Posts

Network Monitoring Best Practices
Communications Surveillance: A Company-Wide Consideration
Threat Intelligence
Featured
Finding Business Value in the Vast Sea of Threat Intelligence
Endpoint Security and Network Monitoring News for the Week of August 25
Featured
Endpoint Security and Network Monitoring News for the Week of Augus...

Follow Solutions Review