The First Battle in Cyber is the War for Talent: 4 Things Every CHRO Should Know
15 March, 2017
By Tom Connolly, GattiHR (USA)
“Rarely has something been so important and so talked about with less and less clarity and understanding.” This is how General Michael Hayden, former Director of the CIA, described the cyber-security knowledge gap. Another senior leader in the Defense Department, speaking on why cybersecurity and cyberwar was so important, could only define the issue as “all this cyber stuff.” Definitional confusion aside, between 2015 and 2020, spending on information security will grow from $75B to $170B, and most of that spending will be on people. Simply put, cybersecurity is a battle of wits. Organizations that recognize and tackle the inherent talent challenges of cyber will be dramatically better off, and that puts the responsibility squarely on HR leaders.
What’s Driving the Talent Shortage in Cyber?
It’s easy to blame the talent shortage in information security on an educational system that simply doesn’t produce enough STEM graduate or immigration policy that requires bright, newly-minted computer scientists to return to their home country, or even the extraordinary breadth of the cyber-discipline itself. The reality though, is that noeducational system can really keep up with the demand. Not since the invention of the modern accounting and legal professions has every organization in every sector of the economy been looking for the same core skill-set. When you look beyond the simple math of too many “black hats” and not enough “white hats,” there are more subtle reasons.
First, product complexity creates demand. The Space Shuttle needed just 40,000 lines of code to run efficiently (well, to run…). The typical BMW has more than 65 millionlines of code, which at one point made them the most stolen car anywhere, because cyber thieves figured out how to use the car’s own security system against itself. As software rapidly becomes an integral part of every product, demand for people who know about “this cyber stuff” increases with even greater speed.
Second, as everything becomes connected, everythingtakes on a cyber security dimension. It’s becoming more and more difficult to identify where the product or service design ends and the information security concerns begin. The Internet of Everything blurs the lines between the core operations of an organization and cyber, jobs that never had a cyber dimension now require cyber skills. Supply chain, medical devices and even HVAC systems designers are just a few of the areas where cybersecurity is suddenly an integral part of the skill set.
Third, the 2007 financial meltdown and the ensuing wave of regulation has driven a 40% increase in risk-management staff in the sector. Ensuring the security of personal information and the integrity of the financial system is driving demand for talented information security professionals.
Finally, the biggest challenge might be that the people who understand the issue best have only half the story. The development path of a Chief Information Security Officer (CISO) starts (and often ends) with deep technical grounding – perimeter defenses, surveillance technologies, threat identification, etc. However, cyber-threats are most often behavioral – manipulating individuals and organizations into helping the bad guys. Too often, incredibly talented CISOs build their careers on technical excellence, but they haven’t had an opportunity to develop the behavioral side of the equation. Discussing information security issues in terms that other C-suite executives can relate to – terms like shareholder value, cost/value relationships and P&L impact – is also not a skill they’ve developed yet.
All of this combines to create a perfect storm in cyber security and an intriguing challenge for HR leaders. Cisco estimates there are currently more than 1M open cyber jobs globally, increasing to 6M openings by 2020. Symantec estimates that by 2020, 1.5M of these will simply go unfilled. With an estimated 200,000 open cyber-positions in the United States this year, HR leaders and the organizations they serve face a significant challenge, and that number is probably a low estimate.
Finding qualified candidates in market this tight is obviously hard. Finding the rightcandidate is vastly more difficult. In one recent senior-level search, more than 1,000 candidates were seriously evaluated and considered technically qualified. Of those 1,000, only 7 were fit-for-purpose, and they were spread across 3 continents!
The Bottom Line
The talent shortage in cyber-security is not just a supply/demand problem, and organizations are not going to solve it by just poaching each other’s people. Closing the gap will require a much more nuanced and thoughtful approach, using just about every tool HR leaders have available:
- Creative organizational and job designs that maximize the effectiveness and efficiency of scarce cyber-resources;
- Accelerated people development resources that go beyond traditional IT learning paths;
- Employee engagement and assessment strategies that inform leaders on where gaps in understanding or awareness create gaps in cyber-defenses, and finally;
- Aggressively competitive acquisition strategies that attract and retain the best talent available.
The talent shortage aside, it takes a village to keep an organization safe. The only completely safe option for any company is to close its doors. Short of that, well-conceived communications and training programs that create awareness without distraction, and information security without bureaucratic frustration are among the next best options.