(ISC)² CEO Clar Rosso kicked off Security Congress 2021 this morning and wasted no time addressing two of the industry’s most pressing topics – the workforce gap and the need for diversity in cybersecurity.

This year’s Congress, taking place today through Wednesday, is once again virtual as a result of the COVID-19 pandemic. In welcoming attendees to the yearly event, Rosso had some praise for the cybersecurity community.

“You’ve proven yourself ready for any challenge,” she said. “For almost two years, in the midst of an ongoing pandemic and unrelenting threats, you continue onward, defending our critical assets and keeping us safe.”

She then wasted no time pivoting to the challenges the industry faces on a daily basis, starting with the persistent workforce gap. Forthcoming research by (ISC)² puts the number at 2.7 million worldwide. But rather than focus on skill shortage numbers, Rosso urged the more than 3,000 virtual attendees to think about the gap in a different way.

“For you, what does it matter if the workforce gap is 2 million, 3 million or even 4 million?” Rosso said. “The only gap number that really matters is your own. Do you have enough people in your organization right now?  What would you do today if you had more staff? What preventable vulnerabilities could you address if you had more people?”

The single most effective tool to address the skills gap, Rosso said, comes down to diversity, equity and inclusion (DEI). The underlying theme of all other recommendations was to find and retain talent to build up cybersecurity teams.

In all, Rosso shared five recommendations:

Challenge hiring practices

Cybersecurity professionals often tell (ISC)² that non-technical skills such as problem-solving, analytical thinking, the ability to work alone (as well as within a team) are important to success in the field. By looking for these skills, rather than focusing exclusively on technical knowhow, organizations can address their gaps by hiring people with non-technical skills. Some candidates, Rosso pointed out, can come from within the organization.

Get smart about how to fill your gaps

“Stop trying to hire someone who is just like you,” she said. Instead, organizations should focus on which skillsets to hire and which to build in their cybersecurity teams over time. This requires identifying talent gaps so organizations can address their teams’ specific needs.

Embrace remote work

She urged organizations to embrace remote work, pointing out that it has increased job satisfaction for workers across the globe. That’s particularly true with the cybersecurity profession, she said. “Stop thinking of remote work as a free pass for slackers. It’s not. If you’re a people leader, it’s your responsibility to set clear expectations and drive accountability.”

Invest in people before technology

Organizations should prioritize people over technology to strengthen their security posture. That means focusing on development and retention of existing staff, fine-tuning recruitment practices and encouraging the development of future staff. “Let’s amp up our focus on the human factor in cyber defense,” she said, by investing in people, their professional development and mental well-being.

Stand up for DEI

Hiring people with diverse backgrounds is the most important step organizations can take to create the next generation of cybersecurity professionals, Rosso said. If organizations continue to look for the same skillsets and characteristics they already have in place, the problem will not be solved.

“DEI is not about quotas or casting an entire workforce as toxic,” Rosso said. “It is not about eliminating opportunities for white males. It is about recognizing that there are a lot of people who are attracted to the problem-solving, challenging and mission-oriented work that drives many of you.” If organizations keep focusing on hiring the same skillsets and characteristics again and again, “then the pool remains the slowly flowing stream of talent when what we need is a flood of talent.”

Focusing on DEI can create a watershed moment that everyone in cybersecurity will remember as “the time when it changed,” she said.

(ISC)² Security Congress continues through Wednesday, October 20. For a full agenda of sessions, please visit: https://congress.isc2.org