How to Strengthen Your Cybersecurity Culture Despite the Skills Shortage

Nov 05, 2018

Despite a shortage of 3 million cybersecurity professionals across the globe, a comfortable majority of those currently employed (68%) are happy in their jobs, according to (ISC)2’s newly published Cybersecurity Workforce Study. Their job satisfaction is related to the level of investment employers make in cybersecurity skills, technology and practices – all of which determine how cybersecurity professionals spend their time.

The study is instructive to employers who are hampered by the skills shortage, but nevertheless need to improve their cybersecurity posture and culture. “By providing the right security resources, whether that means additional personnel, training or specialized cybersecurity solutions, companies can have a major impact on how cybersecurity pros spend their time, which in turn impacts their job satisfaction rates,” according to the report.

One area where employers can have a serious impact is training. Investment is needed in end-user awareness training, and in helping cybersecurity pros defray expenses associated with skills-building certifications. Most study participants (86%) are currently pursuing cybersecurity certifications or plan to do so in the future.

Build a Strong Cybersecurity Culture

The Cybersecurity Workforce Study reinforces many of the findings of another (ISC)2 report, Building a Resilient Cybersecurity Culture, which concludes “organizations that make a strong investment in cybersecurity technology, acquire the requisite expertise and follow best practices have a higher level of confidence in their defenses against cybersecurity threats.”

Management in these organizations makes meaningful investments in cybersecurity technology and people. They understand the need for user awareness, hiring certified cybersecurity professionals, providing ongoing training and promoting from within. The result: happier cybersecurity workers who are less likely to leave their posts for greener pastures.

To boost job satisfaction, employers should start by reviewing how cybersecurity pros spend their time. The Cybersecurity Workforce Study makes it clear that cybersecurity staff are less interested in the time-consuming tasks of security administration, incident response and endpoint security management than in higher-value priorities such as threat intelligence analysis, penetration testing and forensics.

Despite the acute skills shortage, employers are not helpless to address these issues. For one thing, employers can invest in automated tools to handle repetitive, time-consuming functions. It also helps to clearly define advancement opportunities so cybersecurity workers don’t find themselves stuck in “busy work” positions with little or no chance of career progression.

Turn Challenges into Opportunities

To be sure, these professionals face numerous challenges as they attend to their day-to-day responsibilities. Employers have the power to turn those challenges into opportunities and, in the process, boost cybersecurity pros’ job satisfaction and strengthen their overall cybersecurity posture.

Lack of sufficient end-user security awareness, cited by 25% of Workforce Study participants, is chief among the challenges. Inadequate awareness training increases security vulnerabilities as users are more likely to do something like click an infected URL or share a password. The obvious answer here is to invest in user awareness to minimize these potential vulnerabilities.

Challenges cited by study participants also include the need to allocate more cybersecurity funding (23%) and increase cybersecurity staff (24%). In addition, 23% said they have too much data to analyze.

These issues are related. Investments in automated tools that sift through large volumes of data will decrease the amount of data workers have to analyze. The tougher part is hiring more staff because of the massive skills shortage. However, employers can reallocate human resources to cybersecurity jobs. Not all security-related positions are exclusively technical. For instance, candidates with good people and communication skills can be real assets in managing user awareness initiatives that require a lot of communication and instruction.

Get Support from the Top

The Workforce Study revealed concerns around management’s attitude toward cybersecurity initiatives. About one fifth of respondents (21%) indicated “there’s a general lack of support/awareness from management about the urgency of cybersecurity initiatives.”

Management can turn this around by educating itself on cybersecurity. The Building a Resilient Cybersecurity Culture report clearly demonstrates that effective cybersecurity practices start at the top. In that study, the overwhelming majority of respondents say top management understands the importance of strong cybersecurity (97%) and their policies align with their board of directors’ cybersecurity strategy (96%).

The lesson here is that a management team that invests in training and awareness also must include itself in those initiatives. Executives are just as susceptible as rank-and-file employees to engaging in an activity that causes security vulnerabilities. In fact, often they are more likely to be targeted by malicious actors because they have access to corporate coffers. A management team with proper cybersecurity education will make better decisions to invest in cybersecurity defenses.

Invest in Skills-building

While roughly two-thirds (68%) of Workforce Study participants are somewhat or very satisfied with their jobs, it’s reasonable to speculate the percentage would increase with more support from management for skills-building.

Cyber pros understand the importance of staying current on cybersecurity threats, tools and practices, as evidenced by the 86% who are either pursuing, or planning to pursue, certifications. Among them, 54% are doing so within the next year. They see certifications as important to advancing their careers.

But cybersecurity pros are struggling with the associated costs. Some companies cover these costs for their staff, but not all. This is an area where employers can have a positive impact – by paying for all or part of their cybersecurity workers’ skills-building activities. These employees are particularly interested in sharpening their skills in areas such as cloud computing security, penetration testing, forensics and threat intelligence analysis.

Investing in training – and carving out time for cybersecurity pros to attend conferences or take courses – also makes a company more attractive to potential recruits. Companies that offer career advancement perks, such as paying for certifications and training, stand a better chance of attracting the best available candidates.

Conclusion

It will take some time to close the cybersecurity skills gap, a task that requires a concerted effort by the cybersecurity industry, employers and academia. But employers simply cannot wait for the gap to close because cybercriminals certainly won’t. That’s why it’s crucial to make the right investments in technology, people and – yes – the attitude to build a resilient, long-lasting cybersecurity culture.