The cybersecurity skills shortage -- and what CISOs need to do about it -- has received a lot of play in recent years. But the real issue is primarily one of leadership, not skills, according to Gartner research analyst Sam Olyaei. He maintains talented professionals ready to assist with cybersecurity processes are certainly available, if CISOs and other security leaders know where to look.
"If you're a cybersecurity professional with any kind of skill set, you already have a job and multiple offers on the table," Olyaei said during a presentation at the Gartner Security & Risk Management Summit in National Harbor, Md., last month.
Presenters at the Gartner Security conference noted the need for new, and still evolving, cybersecurity skills is compounded by businesses' continued march toward digital business transformation -- defined by Gartner as the process of exploiting digital technologies and supporting capabilities to create a comprehensive new digital business model.
Olyaei listed several cybersecurity roles currently most in demand as digital transformation goals continue to take hold:
- information security/cybersecurity analyst
- security engineer/architect
- vulnerability analyst/pen tester
- cyberthreat analyst
- risk assurance analyst
- information security/cybersecurity manager
Digital transformation has also spurred the development of various new roles, Olyaei said: digital risk officer, data security scientist, security champion, digital ecosystem manager and chief of staff, to name a few.
"We're seeing these roles pop up in organizations today. We're also seeing them as candidates to replace other roles," Olyaei said.
Emerging tech's cybersecurity influence
A variety of emerging technologies and digital strategies are influencing hiring decisions; one example is an increased need for analysis of cybersecurity data gathered by machine learning and AI.
"Emerging technologies will change everything," said Beth Schumaecker, director with Gartner's IT practice, during a keynote presentation. "They will impact security and risk directly because rampant adoption of emerging technologies creates new risk."
The role of the CISO has changed quickly as well, to one that manages risk on behalf of the organization. CISOs are increasingly called on to communicate with various lines of business about risk management, privacy and security processes.
This holistic, organizationwide focus on digital risk management changes the entire business ecosystem, with CISOs at the center.
"If you're the chief security officer, digital risk officer or chief continuity leader, you have a lens that is broader than information security," said Gartner VP analyst Katell Thielemann. "Your risks go way beyond enterprise systems. Risks, vulnerabilities and threats now live on a cyber-physical connected chain."
This digital business transformation, combined with the emerging technologies and processes that come with it, is influencing the types of cybersecurity skills CISOs most value.
"Digital transformation demands even new skills from our security people," Schumaecker said, adding the tight security labor market creates more questions for cybersecurity leaders. "Where are we going to find these skills? How can we implement an adaptive automation strategy that allows us to best utilize the people and skills we already have?"
Some companies have tried to adapt by taking advantage of these new technologies and incorporating automation techniques and augmented intelligence to improve cybersecurity.
"With the right balance of automation and human intervention, enterprises can deliver a great new service without slowing development down," Thielemann said.
Cultivating new cybersecurity skills, talent
But these new and evolving roles still come with a lot of ambiguity. Olyaei pointed to stats showing that, although the information security profession is growing at a rate of 37% through 2022, 62% of these professionals report unclear or only somewhat clear career paths.
With CISOs increasingly asked to deliver business value along with cyberprotection, they'll have to break down silos and make a conscious effort to make all employees understand their cybersecurity role. This may also help identify unexpected assets to the cybersecurity team.
"The skills shortage is a big issue, but it is also an opportunity for us to think differently about how we get people involved in security," said Tom Scholtz, distinguished VP analyst at Gartner, during his session titled "The Leadership Vision for Security and Risk Management."
Instead of being reactionary, companies need to plan ahead for digital business initiatives -- and the disruptions that come with them -- to decide the roles, competencies and skills required to make them successful, Scholtz and other Gartner presenters said.
The exact cybersecurity skills required are different for every company, but companies must shift the mindset from hiring and firing for specific cybersecurity roles to optimizing in-place security functions in order to procure needed cybersecurity competencies, Olyaei said.
When it does come time to hire for cybersecurity skills, it's important to remember that money is certainly a factor, but comfort and flexibility are also valued, he added. He offered the following advice to lure talent and alleviate the cybersecurity skills shortage:
- Use enticing job titles and descriptions.
- Determine which cybersecurity skills and functions can be handled by other individuals or departments.
- Determine what security functions can be outsourced to a managed security service provider or managed detection and response provider.
- Engage and collaborate with local universities and hackathons to find job candidates.
- Determine which security functions can be automated using emerging digital technologies.
- Improve diversity practices to include mentorships and apprenticeships.
It will also be important for CISOs and other cybersecurity leaders to stay flexible and open-minded during the hiring process, Olyaei added.
"These silos have to be torn down and rebuilt with digital competencies in mind," Olyaei said. "Digital business requires a shift in mindset. [It] requires new skill sets and core competencies."