IDG’s 2020 Cloud Computing Study states 30% of executives cite a lack of cloud security skills as a top challenge in migrating to public cloud and operating in cloud. Competition makes it hard to hire and retain staff. Furthermore, with 82% of IT security and C-level executives believing they experienced at least one data breach on implementing new technologies and expanding their supply chains, talent shortages will increasingly make it hard to maintain a cutting-edge security posture and a cutting-edge technology posture.
So as the industry faces an increasingly complex landscape of technologies, compliance, operational models and evolving threats, let’s dig into how you can attract and retain talent, while making the best use of resources you already have. I spoke with Owen Winn from Rackspace Cloud Academy, Rackspace Technology Chief Security Officer Karen O’Reilly-Smith and Ryan Smith, Product Evangelist at Armor Cloud Security, to learn more about the cybersecurity skills gap and how to overcome it.
Be creative in recruitment
When looking for the ideal profile in a cybersecurity hire, Owen Winn provides a useful reality check: “It’s not realistic to hire the perfect security professional.” He believes companies should prize a “strong base of technical fundamentals backed by a realistic expectation of practical experience,” and “prioritize hands-on experience supported by training and mentorship.”
But competition makes obvious choices scarce, and so Rackspace Technology Chief Security Officer Karen O’Reilly-Smith recommends thinking outside the box when recruiting. Whether considering internal resources or new hires, she increasingly looks for talent “across the industry” — someone who’s technically savvy, but not necessarily a hardcore techie.
For Karen, personality types are an important factor: “Do they have a love for research, analytics and digging in deep? We’re fighting invisible adversaries every day, so I’m looking for someone who’s not interested in the status quo — someone who wants to shake things up!” Rather than avoiding people from different industries, then, Karen says to embrace them, as diversity brings new perspectives, which can lead to agility and creativity. Such hires are rarely regimented, unlike some people who’ve been in security for a long time.
Also, be honest about your talent need and experience. “I’ve seen job postings demanding eight years of experience when a technology’s only been out for five,” says Ryan Smith. Creating false standards is, according to the ISSA and ESG’s 2021 strategy report, not uncommon. But it and other key factors — such as uncompetitive compensation and HR not understanding cybersecurity skill requirements, thereby excluding strong candidates — hamper recruitment efforts before they even start.
Keep existing talent keen
Along with sourcing new talent to expand your team, Ryan Smith from Armor reminds us “skills are in high demand” and so you “cannot turn a blind eye to the fact recruiters are coming after your talent.”
Salaries and remote work options must form part of the conversation in keeping existing talent, but Ryan says to not overlook the key driver of providing work staff consider valuable and find interesting: “If someone doesn’t feel challenged, they’re going to get another job.”
Growth doesn’t always need to be skill-based — it can involve figuring out which parts of your security program people can take over. And with security people tending to be mission-focused, identifying those aligned with your values, vision and mission during recruitment will pay dividends later. But from entry-level to senior level, people need to feel like they’re making an impact to that mission. And in order for them to feel empowered, they must feel like their ideas and diversity of thoughts will make a difference.
This goes back to an earlier point about varying perspectives benefiting an organization. The important thing is to allow that to happen, rather than suppressing new ideas because you’ve always done something in a certain way. For example, a new hire might identify ways in which authentication doesn’t align well with real-world user experience. This must be met with an improvement plan, not a technical counterpoint about how things should work. “We need people with that real-world experience to kind of check security folks a little bit in that regard,” adds Ryan.
Use automation wisely
Automation is a useful way to solve for retaining existing talent, through automating mundane tasks. In other words, as Karen puts it: “Automate the noise.” Once you use AI to rid your team of grind work, your people can “spend time using their curiosity, being creative, working on the next thing that’ll get you closer to an adversary.”
Ryan notes we’re already seeing this in detection and response solutions, where technology is used to quicken the time it takes to get us to actionable responses. But he warns organizations considering automation must not leap to the wrong conclusion: “These new tools are supposed to scale security programs, security, lives and teams. But when we talk about automation, we run the risk of assuming that means people will be replaced — or that we don’t need talent. That’s not true. Security will always be a human element conversation.”
The important part is what we focus humans on. “By automating incident triage and evidence gathering — things entry-level people might once have had to wade through — teams can focus on higher orders of thinking, such as playbook responses, threat hunting and threat intelligence, and bringing new security technologies to market,” explains Ryan. “This will keep them engaged and retained because they’re working on interesting things, rather than trawling through log files that a computer could do instead.”
Know when to not go it alone
A final aspect of bridging the talent shortage gap is to be more strategic in terms of investments. Make an honest assessment of where gaps lie and resources you have for ever-growing, ever-scaling challenges. You’ll then understand where you can home-grow talent, along with ancillary job roles and skill-sets that could apply themselves well to security operations. You’ll discover where you need to recruit. Technology platforms and managed service providers can help bridge remaining gaps.
You won’t be alone there. Nearly 70% of organizations are turning to MSPs to help solve the skills gap. Money also plays a part, adds Karen, frankly noting you “can’t spend money everywhere.” Instead, she says to look at what’s core to your organization. That could be the architecture of your security program, say, which you could choose to keep in-house while outsourcing things that are easier to outsource to a partner. However, organizations must not buy the cheapest option, or they might not get the skills they need. “As when evaluating talent you want to hire, assess where a partner’s expertise lies in the market,” recommends Ryan. “Part of the reason we have a skills gap is because new technology has accelerated faster than we can train even people at the cutting-edge of these technologies to secure them. So you must evaluate partners to ensure they’re keeping pace.”
Above all, Karen suggests honesty must sit at the core of every decision. “CSOs want to mature an organization’s security program and leave a mark,” she says. “But you need to be realistic today in terms of talent, resource crunches and skill sets and recognize a partner is just an extension of your team.”