Challenges on Cybersecurity Landscape Demand Strong Leadership

Author: Gregory J. Touhill, CISM, CISSP, Brigadier General, US Air Force (ret.), ISACA Board Chair
Date Published: 25 February 2019

Senior leaders in business and government ought to take note of ISACA’s State of Cybersecurity 2019 research, which details the findings of a global survey of cybersecurity professionals.

The report highlights many of the issues of which we cybersecurity professionals long have been painfully aware: that it is increasingly difficult to recruit and retain technically adept cybersecurity professionals; that while gender diversity programs have yielded positive results, support for these programs may be waning; and that cybersecurity professionals are concerned that budgets for cybersecurity programs are flattening or on the decline.

While most senior leaders are already sensitive to these issues, the report should kindle a sense of urgency to address them. I submit that traditional methods of addressing these issues are inadequate to remedy the situation and we need to look to other leadership approaches to fill the gaps.

With cybersecurity professionals being such a high-demand/low-density asset, organizations ought to think outside the box to ensure they have the right people, with the right skills, in the right place, at the right time. They need to look at other sources of talent. As an example, I am a huge fan of reskilling personnel. Reskilling is a term that describes training an existing employee in new skills to fill gaps. During my time in the US Air Force, I saw this technique used to great effect as we took mid-level security forces personnel and trained them in information technology and cybersecurity skill sets. Some of the best cybersecurity professionals I know are former Air Force cops. Reskilling personnel is a tool that senior leaders can use to close the gaps.

Retention of coveted cybersecurity personnel is always going to be difficult, especially when the promise of a better salary and benefits is presented. Senior leaders ought to take a hard look at the compensation of their cybersecurity personnel, most of whom are undervalued. When you consider the “value at risk” protected by the cybersecurity professional, there is a good case to be made that, in many organizations, the cybersecurity staff is not receiving proper or competitive compensation.

For cybersecurity professionals, compensation is more than just making money. It is about being valued. It means seeing the organization demonstrate its commitment to its workforce (and its clients) by investing in the right technology and ensuring that its staff receive continuing professional education paid for by the organization. It means assigning leaders who understand and appreciate technology’s role in driving business success and sharing the rewards equitably. The best organizations that I served in made sure staff training was in the budget and that every member of the team knew what we, as an organization, were investing in them. In fact, I received my CISM certification through ISACA thanks to a commitment from my organization. Leadership matters when it comes to retention.

Likewise, leadership matters when it comes to fostering an environment where everyone’s contributions are valued. I know the value that diversity provides organizations and take notice when I see diversity programs being perceived as on the decline. ISACA’s 2019 State of Cybersecurity findings ought to spur an internal look into your organization. Is your diversity program on track and meeting your current and future goals? Do you have the right personnel to ensure that you have diversity of experience, thought, culture and perspectives? Is your diversity program training producing the results you need? If the answer is no to any of these questions, it is time for leaders to step in and step up.

Effective and informed leadership is needed to address the issues this report highlights. Let’s all take a leadership role to make things better.