Closing the skills gap in a pandemic: What can CISOs do now

It might be considered an understatement that this year has been a difficult one for most if not all businesses, with economies being negatively affected due to the adverse nature of COVID-19. Theresa Lanowitz, Director of Cybersecurity Communications at AT&T Cybersecurity, discusses how CISOs can still find cyber talent amid the global situation to ensure security is not forgotten.

This year has been challenging for many businesses due to the disruption caused by COVID-19. Employers have had to make cuts or place workers on furlough and many companies across various industry sectors are suffering from staff shortages. From a cybersecurity perspective, security professionals have been doing their utmost to ensure protection of businesses while trying to weather this storm. However, given the financial restraints, businesses of all sizes are seeking to optimise investments and the workforce is an area where difficult decisions are being made.

While our economy has seen ups and downs over the past several months, cybersecurity professionals are faring better than most. The need for cybersecurity professionals continues to trend up. Uncertainty has always been a constant factor for business operations, but mix in a pandemic and a recession, and you’re dealing with an entirely different set of unknowns and business risks. As leadership considers the changing business environment and the path to return and recovery, they should also think about how teams can utilise internal talent throughout various departments, specifically to fill cybersecurity roles at a time when IT security defences are needed most.

We’re already seeing the implications of these difficult changes. According to the US Department of Labor, 44 million Americans have filed for unemployment benefits since mid-March 2020, when COVID-19 unemployment tracking began. Furthermore, in June, The Guardian reported a 126% rise in job centre claimants, up to 2.8 million people. With fear and uncertainty driving businesses to reduce the size of the workforce, the expectation for other employees to help pick up the slack is now a reality. And recent figures show that more than one in four UK workers – some 8.9 million – are having to use the government’s furlough scheme. But how can CISOs ensure that their organisations’ security is still being effectively managed?

Look within: Repurpose internal talent

Infosecurity practices, policies and professionals are a must for the future of any business, regardless of size, especially during a time when business operations have gone virtual on a worldwide scale. Despite its importance, the massive skills gap in cybersecurity continues. It is widely reported and acknowledged that there is a global need for security professionals, with the International Information System Security Certification Consortium (ISC2) recently estimating that there are 4.07 million global security positions open and unfilled. 

Instead of rushing to hire and onboard new talent during an unpredictable economy, organisations should first look at their internal talent and determine what skills can be repurposed to assist with the need for stronger cybersecurity.

When searching from within, consider those who have a deep understanding of the business – sometimes this can be even more effective than hiring new talent. One example of a role well suited to this purpose is the quality assurance (QA) professional. The parallels in the type of work and the synergy of skills between QA and infosecurity pros are strong. Members of both groups are intellectually curious, understand externalities and are highly collaborative. Communication is also a critical component of both roles. Before looking outside for new talent, consider that a QA professional could become your next top security performer.

The resurgence of outsourced technology

Historically, enterprises have used technology to progress as economic needs have dictated – it’s a natural development that ultimately creates more resilient businesses. Examining significant events of the past 20 years, specifically September 11, 2001 (9/11) and the 2008 global financial crisis (GFC), it is important to realise that both major events accelerated technology shifts. In the aftermath of 9/11, organisations achieved labour arbitrage through the use of offshore business partners. With the GFC, two technology categories clearly emerged from the need to manage and control CAPEX: open source software and server virtualisation in the data centre.

Fast forward to today’s COVID-19 pandemic and it has become clear that many businesses can’t keep up with fighting cybercrime, from both an infosecurity headcount and a financial perspective. As a result, we can expect to see more organisations make the move to outsourced technology, specifically to managed security services (MSS), as an effective way to help attain cybersecurity efficiency within budget. In fact, a recent report found that organisations with a higher rate of cybersecurity maturity were more likely to use an MSSP to operate any aspect of their information security environment than companies that were less mature in cybersecurity risk posture.

Organisations of all types want and need to be able to innovate safely and deliver value for their customers. As business models shift and change due to the pandemic, this need for innovation of core competencies will become a mandate. Another will be the need to reduce the complexity and cost of fighting cybercrime. Marrying these two mandates means that security practices and functions will have to move to an MSS model in order to remain competitive.

As businesses move to focus on core competencies, a move to MSS is logical and practical. The need for infosecurity professionals will remain strong; the difference is the company they will work for. In the future, MSSPs will employ the majority of infosecurity professionals because it will be a trusted solution to decreasing the skills gap.

As technology shifts occur during times of need, we are on the verge of such a transition. It serves as a forcing function for issues that have yet to be solved, such as addressing the cybersecurity skills gap or looking at which services can be outsourced to experienced and trusted external professionals.

In these unprecedented times, companies should be creative, such as repurposing pre-existing roles or seeking the benefits of an MSSP. It may seem uncertain now, but we will make it out of this together and stronger – we are resilient.