BlackBerry CISO Arvind Raman has adopted a talent management strategy to help bridge the gap between cybersecurity and IT and overcome the global shortage of cybersecurity personnel. Raman focuses on identifying the key skills necessary for a security role and, when applicants from diverse backgrounds possess those skills, seeks them over experienced cybersecurity professionals. In some cases, he has hired finance professionals for risk and compliance work and marketing pros for awareness training projects. According to a study by Fortinet Training Institute, 68% of respondents said their organisations face additional risks due to a cybersecurity skills shortage, while 56% struggle to recruit talent and 54% have problems retaining these individuals. The International Information System Security Certification Consortium reports that the cybersecurity workforce needs to grow by 75% in order to meet future demand.
CISOs are rethinking how they find and hire cybersecurity workers for their security teams. Many are concentrating on the skills required and searching for professionals with those skills, even if they don’t have a typical security worker pedigree. Simultaneously, others are searching for the skills they need in workers from non-security disciplines. They then provide on-the-job training and security certification programmes to upskill the hires. This approach fosters collaboration with other departments, ultimately resulting in more secure operations, especially in operational technology (OT) security.
Steven Sim, CISO for a global logistics company, seeks hires who demonstrate a passion and keenness to learn, ownership of their work, a high degree of integrity, a willingness to collaborate, and a “risk-based mindset.” He identifies the specific skills needed for each task and works collaboratively with employees’ managers to enhance their skills and prepare them for transfers to the security team. Jason Rader, vice president and CISO of Insight, posts information on his internal communications platform regarding the skills he needs for security projects. He also invites workers directly when he knows they have the experience he requires.
Fawaz Rasheed, field CISO at VMware, emphasises identifying the specific skills required for the job and how CISOs work with candidates’ managers so as not to blindside employees in other departments when they move into security roles. Like Sim and Rader, Rasheed also stresses the importance of using a risk-based approach when hiring. For example, risk management and quantitative analysis are highly sought-after skills found in finance professionals, and Rasheed hired one as a project manager. Rasheed acknowledges that many of these hires won’t have the deep technical and security knowledge required for many security positions. However, he believes they can fill the skills gap and relieve cybersecurity professionals of compliance, contracts, and other routine tasks.
Overall, CISOs agree that it’s crucial to identify the required skills for each role, work collaboratively with employees’ managers, and provide on-the-job training and certification programmes. Focusing on the skills required rather than on the candidate’s profession/classification is paramount to helping fill the cybersecurity profession’s ranks.

