As technological changes transform the operations of many employers, there’s an unprecedented demand for cybersecurity professionals — and a resulting cyber-talent shortage.
Seventy-three per cent of Canadian executives expect the number of full-time cybersecurity staff to increase over the next three to five years, with one-quarter expecting cyber teams to grow by more than 25 per cent, according to a report by Deloitte and the Toronto Financial Services Alliance (TFSA).
Executives cite the “increased frequency and complexity of cyber threats” and “increased security and privacy regulation” as the trends that will have the most impact on their cybersecurity over the next three to five years.
“This is a field where we’re all struggling… because the race to leverage technology and get the most value out of it is outpacing our ability to manage the risk associated with it,” said Sashya D’Souza, senior vice-president of talent initiatives at the TFSA.
“We as a nation, and really globally, don’t have enough talent to make sure that the risks are minimized,” she said. “We will use AI and machine learning to help detect threats, and we will use process automation to take away some of the repetitive, labour-intensive cybersecurity tasks that are being done today by humans but we’re still going to need humans, and we’re not growing our teams quick enough.”
Employers are adopting a lot more technology, such as the cloud, social media, customer analytics or digital payments, but that also expands their attack surface, said Marc MacKinnon, who leads Deloitte Canada’s cyber-strategy practice and is a partner in the firm’s risk-advisory practice in Toronto.
“As they embark upon all these technologies, continue to advance their businesses, they’re... blurring many of the boundaries that once existed in terms of where’s really the inside versus the outside of the organization, collaborating and partnering with a lot more third parties and different organizations that may now have access to data.”
As a result, there’s been an increase in the sophistication and deliberation of threats, he said.
“Unfortunately, a lot of efforts therefore fall onto the shoulders of the security function, and when you have a demand that’s increasing when the supply side isn’t able to keep pace, then there’s this whole challenge or glut in (the) market, essentially, where there’s not enough supply in order to meet demand.”
Recruitment, retention challenges
Recruiting, developing and retaining cybersecurity professionals remains an ongoing challenge, according to the report, based on interviews with more than 40 cybersecurity leaders, educators and administrators, along with a survey of 110 Canadian executives.
The top recruitment challenge is finding the right mix of technical, analytical and soft skills (76 per cent), followed by the issue that demand for cyber talent exceeds supply (56 per cent), the lack of academic programs in this area (33 per cent) and graduates from academic programs in this area who don’t have job-ready skills (30 per cent).
Finding senior-level cyber talent is most difficult (47 per cent), compared to mid-level talent (35 per cent) and entry-level talent (18 per cent).
On the one hand, you could walk into the Certified Information Systems Security Professional exam and see hundreds of people looking to have “CISSP” after their name, said Jeff Curtis, chief privacy officer at Sunnybrook Health Sciences Centre in Toronto.
“And a lot of them will get certified and then they hit the market, they go out and try to get a security job. The problem is they’ve never worked in security before; they’ve worked in technology but they haven’t worked in any type of… compliance or risk management function.”
Younger people may know how to use software and conduct vulnerability scans, but they haven’t seen how that lives within a security program, or completed a plan-do-check-act cycle of actions that’s governed by a certified information systems security officer (CISSO) who sets out the objectives of the program, he said.
“It’s very difficult… I can only get one out of 10 candidates who can put a sentence together, even if they’ve taken the courses, who can explain a narrative around what matters most,” said Curtis.
“They have no associated business training, so they’re technologically very astute, but technological people are easy to find. It’s the combination of that with the business training that’s not there,” he said.
“I would rather take an MBA and turn them into a security expert than try to take a security expert and turn them into an MBA.”
Security people “worth their salt” realize if they push too hard, things will break, said Curtis.
“There’s an art to that, and that’s part of the reason why it’s tough to find people to fulfill those roles — it takes experience, it takes some wisdom, good judgment, management judgment skills, and... I’m not finding that in the average candidate, it’s not something that’s easily taught.”
While the educational system recognizes the need to develop cybersecurity talent, the field is moving so quickly that educators find it difficult to keep their curricula up to date, according to the report.
“Colleges are doing a good job of increasing cybersecurity programs and increasing enrolment in those programs, but their challenge is getting enough instructors to teach… all the cybersecurity professionals are out in the industry working,” said D’Souza.
Another challenge is too few people are venturing into this field, judging by enrolment rates.
And academia has developed programs and curriculums that don’t necessarily provide the skill sets employers are looking for, said MacKinnon, “so there wasn’t a good intersection between public-private working together with academia in order to be able to set the requirements and produce talent they can actually take from vocations and academia in order to put into roles they’re trying to fill today.”
In an attempt to improve the situation, The Changing Faces of Cybersecurity: Closing the Cyber Risk Gap presents seven cybersecurity personas that personify the set of capabilities that apply to various cybersecurity functions.
A “strategist,” for example, has capabilities such as influence, leadership and communication, along with skills such as business acumen and security-risk management.
A “firefighter” has the capabilities of agility, judgment, critical thinking and a threat mindset, with skills such as security incident management and IT administration.
Right now, cyber job descriptions are often very technical, so only a few people can understand what they’re asking, which means employers are limiting the pool of potential candidates, said D’Souza.
“And because it’s not technical, it’s much more inclusive, so people who aren’t technologists or have technology backgrounds can look at these and think, ‘Maybe there’s a place for me.’”
The personas also help employers to see both what they can do now and what they can be training for in the future. And they take recruitment to a much more strategic level, she said.
“The technical skills that one puts in a job description are changing so rapidly that you almost send out a job description, and by the time you recruit and onboard someone into the organization, those skills you recruited for are outdated… so these personas take a more strategic approach, a more stable approach to looking at what you need in an organization.”
There are many different stakeholders involved with recruitment, from executives in charge of business cases to the talent and cybersecurity function, said MacKinnon.
The personas provide a framework for HR or cybersecurity experts to create a common language to talk to one another in developing talent strategy.
“These are really a personification of a set of capabilities in order to be able to address certain functions within the organization… and it’s really in a language that people can relate to,” he said.
Even job descriptions and online postings that are often passive and ineffective can use the personas as a starting point to better describe potential opportunities, with employers looking at which capabilities should be mandatory and which skills can be trained, said the report.
Talent strategy needed
The report also recommends employers use an overall talent strategy to combat the problem, instead of just tactics such as hackathons or flexible work programs.
That means articulating a talent value proposition that shows what you can offer people in exchange for them bringing their careers to your organization, such as defined career paths, formal and informal training opportunities and access to strategy leaders.
Employers should also gather data about their current workforce to identify and remediate gaps in capabilities, skills and behaviours.
This will help with finding potential solutions, such as cognitive technologies and automation or alternative sourcing, on-demand workers or crowdsourcing.
“A lot of organizations are not yet ready to answer that question in terms of ‘What actually are we missing so we can deliberately and thoughtfully fill the roles in terms of capabilities?’” said MacKinnon.
“They need to have strategy that’s encompassed with the total value proposition. So is your strategic intent to be an employer of choice?”
“Is your strategic intent to be a world-class security organization? Or is it just to make sure you don’t have any breaches and keep the lights on? That would mean very different ways that you attract and retain your talent.”
Employers should also build and actively live a culture and brand that connects with the cyber workforce they are targeting, said the report.
“People have to want to work in the cyber field, and right from elementary school through to mid-career professionals we need to do a good job of explaining why cybersecurity is important — why it’s meaningful — because you hear that millennials want meaningful work… cybersecurity is quite meaningful, when you think it’s (about) protecting people, so there’s a whole opportunity to educate people and improve the image of this field,” said D’Souza.
Employers are also trying to get ahead of the curve by working with colleges and universities with an openness to look at other sources of talent, such as boot camps and other technology education players, such as smaller, private establishments.
“The benefit of that is they’re quite able to keep curriculum very up to date,” she said.
Organizations can also make a point to better incorporate students into the cybersecurity field, or retrain people already in the workforce by providing a path to transition to a cybersecurity role, said the report.
“Career shifters,” such as mid-career professionals trained in other fields, bring a mature mindset and know-how to the new role.
Non-traditional talent sources should also be considered, such as veterans or women, as the average Canadian cybersecurity team is 29 per cent female, compared to the global average of 11 per cent, according to D’Souza.
“Your pool is quite limited if you’re only drawing from males and the IT field (instead of) looking at more women and… mid-career professionals,” said D’Souza.
“We should be looking to tap into them and how can we map their current skills to the skills, for instance, in these personas… and what will it take to train them to transition over?”
And once new employees are onboard, it’s important to focus on retention strategies such as mentorships, rotational assignments, assigning a variety of projects to engage people, promoting continuous learning, defining clear career trajectories, and keeping compensation plans at pace with the market, said the report.
© Copyright Canadian HR Reporter, Thomson Reuters Canada Limited. All rights reserved.