Creativity and Diversity Needed to Close the Cybersecurity Skills Gap
At the end of May, security company Fortinet released a report with the following worrisome title: Fortinet Survey Finds Widespread Impact from Cybersecurity Skills Shortage. Shortly thereafter (May 29) it was my pleasure to speak with Ms. Sandra Wheatley, Senior Vice President for Threat Intelligence and Influencer Communications at Fortinet, about that survey.
The conversation proved both far-ranging and illuminating, as we discussed numerous options to help address the widely reported and well-documented security skills gap. The problem is undermining organizations and companies both here in the United States and around the globe.
More About Focus and Questions
While some of its numbers are real eye-openers, there's nothing in the Fortinet Survey Report that comes out of nowhere. The survey is based on interviews with cybersecurity leaders across North America, both to document the cybersecurity skills shortage and to seek out ways in which that gap might be addressed (and hopefully, closed).
According to the report's executive summary, "(T)he skills gap is very real, impacts a wide variety of companies, and has been at least partly responsible for one or more intrusions or breaches in the past year at a majority of organizations" (page 3). To me, the most interesting and thought-provoking statement in that summary is as follows:
"Organizations can do more to recruit nontraditional candidates to the cybersecurity field, if they are to address the shortage of skilled professionals."
The survey was conducted in the United States and Canada in early March. It focused on organizations with 2,500 employees or more, and targeted individuals with job titles from director to C-level executives, including security-specific titles such as CISO and CSO, as well as CIO, COO, Vice President or Director of IT, and executives (Director or Vice President level) working in security operations centers (SOCs) and network operations centers (NOCs).
The questions in the survey focused on the extent and impact of a shortage of skilled cybersecurity personnel at the surveyed organizations. The questions also probed respondents for their thoughts on recruiting cybersecurity talent from unconventional sources, including promoting related cert programs and recruiting military veterans.
Taking the Temperature of Execs on the Skills Gap
It's no surprise that the shortage of qualified cybersecurity personnel impacts organizations, but the impact is more direct and severe than conventional wisdom might indicate. More than two-thirds (68 percent) of all respondents reported that their organizations struggle to recruit, hire and retain cybersecurity staff.
The problem is even more serious in Canada, where 78 percent of respondents concur with this finding. There's also widespread agreement that the shortage of skilled cybersecurity staff can pose problems for those organizations, with 76 percent of respondents reporting that such shortages pose additional risks to their finances and reputations.
Nor are these risks purely hypothetical: 73 percent of respondents admitted that their organizations had experienced at least one intrusion or breach in the past year (March 2019 to February 2020) that could be at least partially attributed to the skills gap.
When asked about job roles that are difficult to hire into, respondents cited "cloud security architect" as the most pressing need. Given that other surveys report that 85 percent of organizations now use multiple clouds, integrating security across them is a serious priority.
In the same vein, the role of security architect is also among the top three security jobs where good candidates are hard to find (and hire). Other key positions often unoccupied or open include lower- and entry-level roles such as security administration, security operations center specialist, and compliance specialist.
The Fortinet report observes that because such positions are so widely and frequently advertised on job sites, organizations would "do well to be deliberate about employee retention by offering the highest salaries possible, maximizing opportunities for advancement, and providing a healthy work culture."
What About Cybersecurity Certification?
This is where my conversation with Ms. Wheatley really got interesting. Among the survey respondents, I was fascinated to learn that, even among such senior staff, 81 percent have earned cybersecurity certifications themselves, and say that 85 percent of the members of their teams have earned such certifications.
In fact, 94 percent of respondents with certifications assert that those certs have made them better prepared and able to do their jobs, with more than half also reporting that certification boosted their cybersecurity awareness and understanding, and helped them perform their duties more effectively. More than one-third (39 percent) believe that cybersecurity certification accelerated their career growth.
On the hiring side of things, 82 percent of organizations prefer to hire certified candidates for cybersecurity positions. That's because they believe that such certifications let IT professionals update their skills and knowledge to keep current with industry trends and evolving threats.
It's also because certs expose those who earn them to new knowledge and skills that can help them transition into cybersecurity jobs and roles. This is why organizations were nearly unanimous in endorsing the idea that they could (and probably should) broaden recruitment efforts beyond those with traditional bachelor's degrees (or higher) in computing, MIS, informatics, and so forth.
Military Veterans and Other Underserved Populations
As a long-time proponent of transitioning military personnel into IT jobs of all kinds, I've reported on many and various programs that seek to help servicepeople returning to civilian life find meaningful, useful work as civilians. I am an Army brat (my Dad retired from the U.S. Army in 1970 as a Lieutenant Colonel) and the Army paid for my National Merit Scholarship.
Thus, I feel very strongly that we owe these people, combat veterans in particular, not just our gratitude and respect. We also owe them our assistance in helping them rejoin the regular workforce when their tours of duty come to an end.
Cybersecurity makes a natural fit for many separating servicepeople, because their training and experience teach them a security mindset. What they already know or have learned helps them to understand the ins and outs of threats and exploits, and attack and defense.
Though nearly half (49 percent) of the Fortinet survey respondents reported that they have a hiring program that targets veterans, only 22 percent have a hiring program for military spouses. Just 24 percent offer a Military Occupational Specialty (MOS) Translator to help servicepeople transition more effectively back into civilian life and work. There are significant opportunities here for organizations to get access to a largely untapped pool of potential cybersecurity talent.
My conversation with Ms. Wheatley did not, however, end with the survey and its attendant report. We both agreed that more efforts to recruit ethnic minorities and women into cybersecurity could do a great deal to develop more (and more diverse) sources of cybersecurity talent to help fill the skills gap.
In fact, I'm of the opinion that it would be worthwhile for cybersecurity companies, and security-focused U.S. government agencies (including the Department of Defense and the "three-letter" agencies) to develop and deliver a free online cybersecurity curriculum, with no- or low-cost testing and certification to follow, that directly targets these specific population groups.
This is the most benign form of enlightened self-interest, because it will do a great deal of social good while also being good for the companies and organizations that could get together to sponsor such a program. In fact, I would be happy to participate in such an effort myself.