While much has been said and written about the difficult cybersecurity skills and hiring landscape, one key characteristic that is typically overlooked in cybersecurity professionals is empathy.
As part of a session at the RSA Conference last week in San Francisco, USA, Jenai Marinkovic said undervaluing empathy as a skill for cybersecurity practitioners is hurting companies more than they may realize.
“Social engineering at the end of the day is weaponized empathy, and we’re ill-equipped to be able to handle it,” said Marinkovic, later adding, “Attackers are happy to take our place in being empathetic.”
Marinkovic, vCISO/CTO, Tiro Security Advisory Board member, Beyond Executive Director & Founder, GRC for Intelligent Ecosystems, and Rob Clyde, ISACA Board Director and 2018-19 Board Chair, Board Director with White Cloud Security and Crypto Quantique, and Executive Advisor, ShardSecure, Curtail and Axiomatics, co-presented at RSA on “State of Cybersecurity 2022: From the Great Resignation to Global Threats.”
In ISACA’s 2022 State of Cybersecurity research, empathy and honesty ranked low on the list of key soft skills for cybersecurity practitioners. Marinkovic and Clyde both expressed dismay at that ranking, with Marinkovic wondering, “How on earth can you be a strong communicator if you’re not empathetic?”
The duo also explored how companies can do a better job retaining their top talent – no easy task in an especially volatile job market. So, why are cybersecurity professionals leaving? The top factors, according to the ISACA data, are:
- Being recruited by another company (59 percent)
- Poor financial incentives (48 percent)
- Limited promotion and development opportunities (47 percent)
- High stress levels (45 percent)
- Lack of management support (34 percent)
On the financial front, Clyde emphasized that in this Great Resignation-infused job landscape – which has compounded existing hiring and retention challenges – companies would be well-served to consider compensation bumps for top performers at least twice a year instead of on the traditional annual review cycle.
“Job No. 1 is don’t lose your people – hang onto the ones you have,” Clyde said. “In a market like this, it is a time to consider retention bonuses. That is unusual, but we can’t wish this market away. We have to live in the reality we’re in, and that does mean we need to take stock of who our best people are, because we don’t want to lose those, identify those key employees, and figure out how to put a package together to make sure they stay. Don’t wait until they come forward and say I have an offer from a competing company and can you match it … at that point, their mind is already halfway out the door.”
Elsewhere in the State of Cybersecurity survey, 73 percent of respondents consider prior hands-on cybersecurity experience part of being “qualified,” with factors such as possessing credentials and hands-on training also ranking high in importance. Clyde and Marinkovic agreed that companies need to be open-minded about hiring cybersecurity talent from nontraditional backgrounds. Clyde said four-year degrees should not be requirements in job postings unless the role truly requires one.
“If you have open job positions right now that have that (four-year degree) requirement, ask yourself right now, ‘Why?’” Clyde said. “Is it absolutely necessary or is it a nice to have? If it’s a nice to have, and I think in most cases if we’re honest, it is, take it off your list. Don’t even put it in the advertisement.”
Another prevalent theme was the value of building diverse security teams with professionals who have a wide range of lived experiences. Marinkovic said that in her experience, people from various backgrounds can be nurtured to thrive as cybersecurity professionals, provided they have certain key characteristics – especially grit and a willingness to learn.
“What it came down to is security people are tough because it’s a tough industry,” Marinkovic said. “You have to have that intestinal fortitude to be able to power through a lot of that. So, it’s grit and that intellectual curiosity – a constant yearning to want to understand.”