SHORTAGE OR NOT, IT’S ALL ABOUT QUALITY OVER QUANTITY
The cybersecurity industry continues to boom, with market growth from $3.5 billion in 2004 to $120 billion in 2017, and spending predicted to exceed $1 trillion in the next five years.
Influxes of VC funding, increases in security budgets and significant numbers of CISOs joining the boardroom all contribute to this remarkable growth in a short period. Paired with these industry trends, the role of cybersecurity professionals has evolved to encompass augmented expertise requirements. In his profile (pages 6-7), Justin Somaini, the CSO at SAP, points out, “In 20 years, security teams have evolved from offering simple technical solutions, to addressing compliance requirements, to understanding international law, and now we play a role in the customer purchasing cycle. As an industry, we have a massively increasing expectation of skills every year for our security professionals.”
Ten years from now the market could correct itself. But for now, CISOs are taking action on the lack of talent. Many are relying on their foundational beliefs in quality over quantity. We’ve done this at K logix by building a core team of trusted, hardworking and multi-faceted people. These are the team members who approach any challenge with confidence and an underlying sentiment that aligns with the fundamental values of our organization.
It appears CISOs may be moving away from growing their teams as quickly as possible, with as many people as the budget allows. Regardless of team size, an ideal shift for CISOs to make is investing strongly in ‘anchor’ team members who aspire to continually develop and grow as professionals. These people strive to contribute to innovation and progress, and will likely demonstrate clear advancement in their careers. The result of hiring these types of individuals is a nimble, competent, dedicated team and, when the market eventually does adjust, the ability to increase staff size.
Many of the CISOs we interviewed in this issue understand the benefits of building core, quality teams. This issue explores how they approached the problem, whether it’s re-framing the job description, re-training staff or re-thinking the challenge entirely.
TURNING TO TRUSTED PARTNERS
Large numbers of CISOs turn to partners for key outsourced help. At K logix, increasing numbers of customers partner with us to help them make an impact in strategic areas of need. When teams are working at full capacity, timelines are short and programs may lack formal processes in place, we take the burden off these teams. Whether it’s understanding areas of investment for new technologies, or formalizing a board room presentation, CISOs will continue to rely on trusted partners for guidance.
In his profile (pages 22-23), Fred Kwong (CISO, Delta Dental Association) sees partnerships as one solution to the staffing problem. By leveraging the MSSP model, he is able to focus on strategic programs, while his partners are responsible for appropriately staffing the team. On page 23, he explains, “I have a small team at DDPA. There are only two of us dedicated to security within the association. The rest of my team is located at our MSSP. With the MSSP model our member organizations do not need to worry about hiring and retaining security staff. Our MSSP takes on that burden for us.”
CULTURE AND OPPORTUNITY KEEP STAFFERS ON BOARD
Nearly all CISOs we interviewed say they effectively retain employees by providing opportunities to advance in their careers and make an impact on the organization.
As stated in his profile (pages 14-15), Doug Graham, the CSO of Nuance Communications, Inc., focuses on defining realistic job descriptions and empowering his staff. Graham says, “Security people have an unbalanced sense of duty. More than salary and work-life balance, they want to do the right thing and impact change. If you can pay the right people a fair salary and show them that the organization is behind the security vision, and if you are able to give them the opportunity to impact positive change, then you are much more likely to hire and retain talent.”
In his profile (pages 18-19), Nick Shevelyov, CSO of Silicon Valley Bank, states, “We are trying to cultivate a network of professionals. We are exploring ways to contact people in other industries and explain how cybersecurity fits into their career paths. Cybersecurity is a broad business problem, so there are many roles that do not require a technology background. For example, governance and information assurance often do not require deep technical expertise. We are doing a lot of measurement in our analytics group, so a classic data scientist can be a good fit for that team.”
IS THIS MUCH ADO ABOUT NOTHING?
In this issue, several CISOs suggest the staffing challenge may be a problem of our own making. They believe we might solve it by changing the way we think about staffing and who we recruit.
Graham succinctly sums up this line of thought. On page 15, he says, “I think there might not be as big of a gap in the market as we think. I think a lot of CISOs are looking for unicorns. They want to find one employee who can do every aspect of the security job. Someone who is technical, a visionary, an architect, and a skilled operations guy. That is just not realistic.”
Suzie Smibert, the CISO and Global Director Enterprise Architecture at Finning International, has this to say in her profile (pages 10-11): “I think we are bounding ourselves too much to specific degrees and technology or specific paths to get where you are. You could hire paralegals, auditors and HR people. We are restricting ourselves too much in what we are looking for in terms of talent. We keep looking for technical backgrounds. Other backgrounds might be more inclined to round up all the diversity of thought you need in a team.”
OPPORTUNITY REQUIRES ACTION
Looking forward, the skills gap should close as the market catches up. What is evident in these potentially challenging moments is the resilience and business aptitude of the CISOs who are facing the gap head on. These are the leaders taking action by starting to build strong ‘anchor’ teams. Instead of faltering under the pressure to fill open positions, they actively shape opportunities for success and advancement for their core teams.
In the profiles ahead, you’ll see how CISOs approach the skills issue and be able to take away key methods from our industry research.