With recent victims including Equifax, Yahoo and Deloitte — just to name a few — it’s hard to find a company these days that hasn’t been hacked in one form or another. And that means protecting both business and consumer data from cyber attacks has become a way of life for employers.
But the demand for cybersecurity professionals has been outpacing supply for some time now, according to the Leviathan Security Group, an information security firm in Seattle that addressed the shortage in a 2015 white paper:
“With more than one million cybersecurity positions unfilled worldwide,” the white paper states, “currently identified security needs couldn’t be met if every employee at GM, Costco, Home Depot, Delta and Procter & Gamble became security experts tomorrow.”
Since then, the shortage has grown “much, much worse,” says Frank Heidt, CEO at Leviathan.
And while there seems to be no end in sight to the attacks, HR professionals are fighting back by growing their own cybersecurity staff or placing in-house talent with key business skills in hybrid positions to help prevent global invasions.
Earlier this year, the Information Systems Security Association and the Enterprise Strategy Group surveyed 343 information security professionals about the cybersecurity-skills shortage. It found that 45 percent had experienced at least one “security event” over the past two years. Perhaps more troubling, 70 percent believe that the shortage has had a negative impact on their organization, with 62 percent also saying they are falling behind in providing an adequate level of cybersecurity training.
To boost its cybersecurity-training efforts, Mosaic451, a Phoenix-based cybersecurity services provider and consultancy, piloted Cyber Candidate School last spring. The paid, six-month internship for new employees with diverse backgrounds has already graduated 15 participants from three classes, who were then placed in entry-level positions, says Michael Baker, managing director at the organization. Next year, he hopes the program will produce double the number of graduates.
While grow your own programs can be effective, they require resources, training time and must attract the right people, says Aileen Alexander, senior client partner at Korn Ferry in Washington, who also co-leads the organization’s global cybersecurity practice.
She says successful cybersecurity professionals often share similar skills and competencies. For example, they understand risk, are agile and business savvy, and demonstrate resilience on the job.
“Once you have that framework, you can think about growing from within,” says Alexander, adding that military veterans and business consultants generally perform well in cybersecurity roles. “So much of these roles are moving from a pure technical function to one that’s really business and risk driven.”
She believes HR leaders need to step back to assess their organization’s talent capabilities and gaps, identify who cybersecurity should report to — the CEO, CIO, CISO, or chief risk officer — then decide whether to hire or train new talent. Some mature companies are also rotating inhouse talent by giving them different experiences and exposure, rightsizing from a compensation perspective, and being more deliberate with succession planning.
Other companies are creating hybrid positions that require some technical skills and a solid understanding of their business model and strategies, says Tracey Malcolm, future of work leader at Willis Towers Watson in Toronto.
These individuals, she says, possess a well-rounded business view that enables them to better understand the organization’s threats and risks and help develop suitable incident responses.
“It’s being conscious from an architecture standpoint about what’s happening with the business model (so you can identify) where threats start to emerge or exist as the business continues to change,” says Malcolm.
HR can also expand skills training to another talent pool — contractors and contingent workers — or move employees with analytical skills in other departments to the cybersecurity team to help conduct research or develop incident responses from an analytics perspective, she says.
“Because this is a specialized skills area, some HR professionals don’t get too close to it,” says Malcolm, adding that HR’s strategic workforce plan must support cybersecurity. “Look at alternatives to permanent employees filling critical roles . . . and change the conversation from purely talent deficits to one that’s more centered on strategic workforce planning.”
Meanwhile, HR at other companies are relaxing compensation rules, says Kanak Rajan, a partner at Mercer in Chicago. Since cybersecurity skills are constantly changing, he says, rigid pay structures may be problematic.
“When the need for cybersecurity is high, and there’s a strong business case, HR can be flexible by paying the max [for talent] when warranted and also providing a retention or signing bonus,” he says.
While compensation plays a big role, so does a progressive workplace. Job candidates don’t want to get stuck working with outdated technology and knowledge, where “their currency in the market is no longer relevant,” he adds.
Oftentimes, HR professionals who work with cybersecurity departments possess a generalist background and struggle to pick up the nuances of the profession. He says they need to be better trained, even coached, so they can speak the technology language and better understand cybersecurity’s skill gaps and needs.
Cybersecurity professionals “are a different kind of animal,” says Rajan, adding that companies can also check out talent by sponsoring hackathons. “HR needs to establish a lot more collaborative environment with IT.”