Look at it in all its dimensions before jumping to ready-made solutions
You don’t have to go far to find cyber security professionals complaining about skills shortages, but the problem has several dimensions which have to be understood and mapped out before we can start to figure out possible solutions.
First of all, the problem is absolutely real, but it goes way beyond a lack of education or training opportunities; and acting at those levels only will not fix it.
The cyber security skills gap has its roots in the avalanche of cyber-attacks we have seen over the past decade and the awakening of most industries to the reality and virulence of cyber threats.
Many firms which did not have a cyber security practice 10 years ago now have one or are building one. This is creating an escalating demand for cyber talents, at all levels, from CISOs to developers, architects, trainers, auditors or pen testers.
But the fact that the demand for talent outstrips the supply is not the only factor here.
In fact, the cyber security industry has a perennial image problem: The image of a complex technical niche; something for geeks and nerds; the negative image of “the-guy-who-says-no”.
Of course, those are clichés, but the security industry and its tech vendors do little to redress them. Just look out for the padlock and hoodie imagery they constantly use.
The imagery is also massively male-dominated and coupled with the already prevalent lack of diversity in tech and in STEM, I doubt it acts as an attractive factor for women and girls.
Those are the cornerstones of a talent acquisition problem, which can only be dealt with by moving away from the purely technical positioning of cyber roles, showcasing the full spectrum of jobs and careers the industry can offer, and pushing forward role models from more diverse backgrounds.
But it is only one side of the whole skills gap landscape.
The cyber security industry also has a significant talent retention problem, which is rooted in different factors.
Many entry-level jobs are simply too repetitive and boring. This is a direct consequence of the fact that many security operational processes have been reversely engineered organically and tactically around the capabilities of countless tools. Without any overarching view in many cases, they have remained excessively manual and are often inefficient and disjointed.
Nobody joins cyber security to end up cutting and pasting data into Excel sheets or to produce useless reports simply designed to put ticks in compliance boxes. But that’s the life of many young analysts; they leave as soon as they find something more attractive, and they don’t come back.
At a higher level, CISOs are feeling a different type of pain.
Most have been forced into a constant firefighting mode by the non-stop cyber-attacks of the past 10 years. Now that the penny is dropping in the Boardroom and the “when-not-if” paradigm is taking root, they are being pushed into an impossible role, where they are expected to be credible one day in front of the Board, the next in front of pen testers, the day after, in front of regulators or auditors, and so on.
Firefighting technical problems do not lead to the development of the type of managerial experience or political understanding which is now expected of many CISOs. They struggle with a situation for which they have been poorly prepared by the last decade, and stories abound of mental health issues and burnout.
Those aspects are more difficult to deal with than the talent acquisition aspects because here, it is cyber security practices that need to change.
It has to start with the decluttering of cyber security estates and the streamlining of operational processes around fewer tools. Automation is key, but “clever automation”, is aimed at reducing the number of tools in use and optimising process efficiency.
The objective here should be to free up time for a smaller number of analysts to perform less repetitive tasks so that they can be involved in the more challenging roles for which they have been hired (maybe looking towards threat intelligence or incident forensics).
Successful action at this level would have an impact on acquisition and retention rates.
At the top, cyber security functions have to be reorganised and redistributed to remove excessive dependency on key profiles and other bottlenecks.
The profile of the CISO has to be raised – at least in large organizations – and the role has to be seen as a true leadership role, orchestrating work across a team of experts, as well as across the firm and its supply chain.
In many cases, it may require expanding the cyber security team, but it should also force to redesign it functionally in a structured way around some form of operating model, away from the legacy and project-led type of organisations still prevailing today in many firms.
Overall, the cyber security skills gap is not a fatality, but it is key to look at it in all its dimensions before jumping to ready-made solutions dealing with it may involve facing a number of deep-rooted and inconvenient truths for many organizations and the security industry at large.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on, InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.