Closing the Gap

Building a Robust Cybersecurity Team and Program for the Current Crisis and Beyond

As the coronavirus pandemic continues its rollercoaster across the globe, companies of all sizes must scramble to cope with the onslaught of cybersecurity issues that are rapidly changing the security landscape. And the end still seems like a very distant light at the end of a very long tunnel. One thing that doesn’t seem to be changing is the demand for cybersecurity professionals to protect the increasingly digital organizational infrastructure that is needed to cope with the pandemic—and likely post-pandemic—world.

Despite skyrocketing unemployment and a job market that continues to be volatile, cybersecurity jobs are still on the rise, and, according to several surveys, cybersecurity budgets are some of the few not being slashed. In April, during the height of the shutdown, LinkedIn listed 261,545 available cybersecurity jobs. These numbers follow a pre-pandemic Department of Labor projection that cybersecurity jobs would grow by 32% between 2018 and 2028. It seems even the disruption of a global pandemic won’t stall the industry—it may ultimately increase the demand even more.

So, what does this mean for a CIO or CISO who was already trying to fill positions while now managing an onslaught of new threats and a still remote workforce? Organizations must remain agile and creative in managing their security systems and teams.

Hiring Creatively

One of the top Google search trends in information technology in June was for cybersecurity bootcamps and degree programs. This trend could suggest that unemployed workers have caught on to the demand in the industry and are attempting to take advantage of it.

Although bootcamps can push out individuals with basic skills within a couple of months, many jobs are open now and have already been open for a while. Can you really wait for a person to acquire the skills you already need, and will they have what you want even at the end of crash courses? Perhaps it’s expectations that need to adjust more than the candidates.

According to an article on CyberVista, “Counter to common belief, a cybersecurity expert need not originate from a decorated computer science major and hardened penetration tester. Instead, evidence and experience has shown that some of the best cybersecurity profiles start out with the same skills that would lead to success across a myriad of positions: self-motivation, critical thinking, interpersonal communication, and other ‘soft’ skills.”

It’s true that many cybersecurity professionals didn’t go the route of a formal college education or left that track before finishing to take a lucrative position in the field, even before the pandemic. And if you are seeking to fill roles fast, you may have to spend some time analyzing what you really need in an employee position versus what you can automate or streamline with processes or programs. In other words, you may not be able to find the people with the experience you would like at the price you can pay right now. The real question becomes whether you can train a person to do the tasks that need to be done and whether you have the systems in place (ticketing software, reporting tools, etc.) to support newbies in being able to contribute while learning on the job.

In a recent blog post, FireEye suggests a hiring method by which you “determine which capabilities are only available through direct experience and which can be adapted from a skill set that the individual may possess from another industry or background, or that can be learned in a reasonable amount of time with the right motivation, coaching, training or mentoring.” If the tasks don’t require direct experience, don’t spend the money investing in someone who may end up working under their skill level anyway. And don’t wait to hire that perfect unicorn if a hardworking stock horse can do the job.

It may be time to think more creatively about what it takes to get key tasks accomplished. Maybe two less experienced hires—at a much more reasonable starting wage—can do more of the grunt work so you or your more experienced professionals can spend time on the work that requires expertise? Maybe you don’t even have to look outside your organization to get the help you need to make sure your security program isn’t overextended.

Repurposing Professionals

Even though cybersecurity remains a priority for most organizations despite the COVID-19 pandemic, budgets are still universally tight and the demands much greater. CIOs and CISOs will have to stretch every resource to maintain or build a robust cybersecurity program up to the task of protecting their organizations in a post-pandemic world.

In short, everyone has to get creative about how they fill positions and where to spend money. CyberVista suggests, “One of the most efficient ways for organizations to keep up with shifting personnel profiles is to turn their talent hunt inward and upskill or reskill existing employees. This is an ideal opportunity for these organizations to identify alternative sources of talent that could be reskilled into cybersecurity roles.”

Chances are you’ve been doing tasks outside your position description and priority list during this time. According to a survey by (ISC)2, 47% of cybersecurity workers reported being assigned to other IT tasks in response to the pandemic. While not ideal for the security team, this ability to shift roles demonstrates the versatility of people in a crisis. If cybersecurity specialists can adjust, chances are you have other individuals already in your organization—with valuable knowledge of organizational policy and culture and skill adjacencies—that could be cultivated into IT or cybersecurity workers given the right support.

Streamlining Systems

Appropriately supporting new team members, wherever they are coming from and especially if they lack direct experience, requires a cybersecurity program that is systematic. Individuals or teams that have simply been running from one fire to the next are going to struggle even with more people on board.

A 2018 (ISC)2 study describes some of the pain experienced professionals face when it comes to prioritizing time and in light of a lack of skilled support: “While many cybersecurity tasks are simply necessary evils, there are some tasks that they would like to spend less time on and others that they would like to focus more on. Security administration, incident response and endpoint security management fall in the first category. They’re time-consuming activities that cybersecurity pros would like to do less of. They’d rather be spending time on more high-value cybersecurity tasks such as threat intelligence analysis, penetration testing and forensics.” The inability to focus necessary time on the most critical tasks still rings true.

Sure, everyone has to do work that isn’t a priority regardless of their role—and especially in a crisis. But if the C-suite is beginning to understand the value of a robust cybersecurity program and continuing to support it despite the pandemic, now is the time to get the help needed and work towards the most efficient use of every team member’s skill.

Even if new or less experienced people are capable of doing the more menial work, they need systems in place that help them track, report, and identify tasks and data so that they can function independently. Exchanging doing the tasks yourself for micromanaging someone else doing them isn’t a very lucrative trade-off in time or money.

The (ISC)2 study goes on to conclude, “Finally, as they increase their security budgets, companies must portion out those funds mindfully, combining investments in personnel, training and security solutions to create a comprehensive cybersecurity approach that can shrink their piece of the gap.” A comprehensive approach means finding the right people to fill roles but also investing in the tools to help them function effectively.

Now may be the time to find the platforms or services that can make the most of whatever human resources you have or can acquire by automating processes and improving communication. New purchases and contracts may seem like a stretch in the current environment, but right now is probably when you need the help most.

Companies that are able to think beyond the present crisis and embrace the changes to doing business—and the consequential security support—that the new normal will require are the most likely to survive and thrive. Building an effective cybersecurity program now by hiring creatively, looking for talent within, and building or acquiring systems to help everyone be successful will reap dividends well beyond the craziness of 2020.
