Most CEOs will tell you security is an important aspect of their business operations. But too often, what’s deemed important by management doesn’t always translate into real priorities. We’ve seen too many cybersecurity teams stretched thin on staffing, overworked, and improperly aligned with the rest of the organization. This leaves companies vulnerable to cybersecurity threats, huge losses, and bad PR.
Recently, CyberSN Founder and CEO Deidre Diamond spoke with Dan Blum, Cybersecurity Strategist and Author of the book, “Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment,” about this pervasive problem. Cybersecurity operations are complex, but the solution to better security is simple; companies must align business processes with cybersecurity operations.
Hear the discussion. Watch “Hire, Motivate, and Manage a Business-Aligned Cybersecurity Team.”
Blum, who has years of experience in the corporate security field at organizations like the Burton Group, Inc., and Gartner, defines cybersecurity-business alignment as:
“A state of agreement or cooperation between persons or organizations with a common security interest. It is enabled through security governance structures, processes, communication skills, and relationships that engage the business. When in a state of alignment, all business leaders, staff, and business-related processes act in accordance with clear roles and responsibilities to support the security program and strategy.”
In other words, alignment happens when cybersecurity is fully integrated into company operations, all employees understand the importance of security, and chief information security officers have input when important decisions are made. It also means funding cybersecurity teams and technology to allow them to do their job and do it well.
Unfortunately, many companies understaff their cybersecurity teams or silo them away from important projects and decision-making meetings. Management may understand that cybersecurity is a vital aspect of business but they are not clear on the investment required to do cybersecurity right. According to Blum, only 44% of boards of directors consider cybersecurity to be strategic. If more than half of directors say that cybersecurity is less important than other aspects of the business, then it will be nearly impossible for CISOs to get the resources they need.
“They may think they are funding it adequately but they are not giving it the attention required to make sure the work that’s being done is really fitting the business needs,” said Blum.
Corporate leaders want to run lean in hopes of maximizing profits, but as Diamond points out, the number one problem facing cybersecurity teams is the lack of budget to properly staff. The result is a cybersecurity team that feels stressed out, burned out, and has trouble disconnecting at the end of the work day. It also causes high turnover, putting more pressure on the team and more work on managers to fill an already hard-to-fill role.
This is especially troublesome in the CISO position. Most CISOs remain in the job less than three years. Considering how difficult these leaders are to replace, and that it takes about six months for a new CISO to fully understand a company’s security operations before even implementing a program, planning for the loss of your CISO should be part of your risk prevention strategy.
After conducting more than 70 interviews of corporate security professionals, Blum learned that security breaches are often predictable when cybersecurity operations are not aligned. When a CISO is denied funding for security measures, it leaves companies vulnerable. Having a skeleton staff leaves the security operations in disarray. Poor integration into the rest of the company can lead to hundreds of millions of dollars in costs and ultimately the company’s top leaders stepping down.
“The biggest problem that companies have is a lack of a definition of security that fits their business,” said Blum. Management must define how security applies to their business strategy, their vertical industry, the culture, mission and mandate of business, as well as what oversight of that security means, said Blum. Security is part of how companies do business in a digital environment and should be treated as such.
Here are some steps companies can take to ensure a well-aligned security program:
Diamond emphasized that a lack of clearly defined cybersecurity roles is a major gap she’s seen in cybersecurity staffing. Roles that are poorly defined make it harder to recruit, and also make it more difficult to define accountability. These problems lead to dysfunctional teams and hinder retention. Companies also need to bake hiring and retention into the job description and responsibilities of managers, she said. Finding cybersecurity professionals takes work and time, as does investing in the relationship-building efforts and EQ training required to keep those employees. Documenting it as part of the job shows that the company takes cyber staffing seriously.
How can teams make security as seamless as possible? It’s a question managers and executives should be asking regularly and work collaboratively throughout the organization to achieve. Enacting cybersecurity-business alignment can shed light on potential problems earlier in the process and open the door to new ideas and innovation.
“Through alignment you can release a lot of untapped potential,” said Blum. “Look for progress not perfection. Making some progress is really going to move the needle but it happens with the team. It’s a team sport.”
With more employees working from home than ever, companies must be vigilant to protect themselves from evolving cybersecurity threats. Your cybersecurity team has likely been hard at work maintaining privacy and safeguarding the enterprise, even as shifts in the workforce present new challenges. But as most cyber professionals know, a major hurdle in risk management is making sure the entire organization values security and is doing all it can to protect the company’s reputation and assets.
The key to communicating the importance of cybersecurity within a company is to use the established means of communication. Work with the point person for internal communications to emphasize the importance of cybersecurity awareness and encourage compliance through regular reminders. Determine together the best means to disseminate and consume this information company-wide, whether it’s through an e-newsletter each week or a special awareness campaign.
These regular cybersecurity updates should cover the company’s security practices, which can include:
All companies want to protect themselves from cybersecurity threats and data breaches. Communicating the importance of maintaining security practices will go a long way in creating a security-focused culture.
Phishing continues to be the top entry point of data breach and compromise. The Verizon 2019 Data Breach Investigations Report confirms phishing as the top threat and that cyber attacks are successfully executed with information stolen from employees who unwittingly give away their login and access credentials.
The ideal cybersecurity strategy uses tools and practices that aim to prevent attacks against all systems and people. Cyber solutions, including security products and the people behind them, can only take security so far and ultimately fail. Regardless of the budget a company spends on cybersecurity or the number of products it employs, the actions of a single person can impact the organization. Awareness campaigns arm people with the skills and, hopefully, the skepticism to avoid common cyber threats, supplementing the technical controls put in place by cyber teams.
Extensive working from home only adds to the problem. The environment is target rich for phishing opportunities. People are working in a more casual environment using unfamiliar tools. Emails and alerts prompting users to reset a password or click on a link about a COVID-19 update can fool even cautious employees during this time.
The most immediate step cyber teams can take is to revisit remote access security practices and make sure employees are aware of the increased threat from phishing scams due to the coronavirus outbreak.
Infosec and cybersecurity teams have been putting out fires and taking on additional responsibilities for weeks as companies rapidly shift to this new work environment. While cybersecurity professionals often thrive in high-pressure situations, weeks of long hours and growing stress levels can take their toll on morale.
Security managers should continue to advocate for their team; push for the funding you need to give them the right tools and full staffing levels. Check in with your staff to gauge stress levels and create ways to address burnout, whether that be more time off or more staff to spread out the workload.
Cybersecurity is one area of business that’s often a victim of its own success—when you’re doing your job well, no one knows you exist. This can also make advocating for more resources difficult. Cyber attacks cost businesses large and small not only financially but also damage their reputation and put them at risk of failing, according to the business strategy firm Accenture. Investment in cybersecurity now, even when budgets are shrinking, will pay off in the long run.
Information security departments can sometimes take security measures for granted. It’s easy to forget that employees may not use 2FA unless prompted to, or may have been recycling the same three passwords for years. By using internal communication systems to better educate employees about emerging threats, enhancing security practices to increase your cyber resilience, and taking care of your cyber staff to avoid burnout, you will better protect your company’s assets and help contribute to the long-term growth of the company.
In the era of the mega-breach, CEOs have increasingly been called on to account for the cyber readiness of their organizations. Ask any CEO and they’ll surely tell you that they consider cybersecurity to be of the utmost importance to their organization—in fact, one major survey of US CEOs this year had them rank cybersecurity as the number one external concern in 2019.
However, sometimes it seems a lot of that concern is still at the platitude and lip service stage.
Here’s a good example of how that kind of lip service plays out in a large organization. It’s a classic example of what longtime security pros would label as ‘security theater.’ The top levels of an organization publicly commit to building out stronger cybersecurity practices. As a sign of their good faith to regulatory auditors and shareholders, they green light the opening of dozens of new positions to fill out the cybersecurity team.
Sounds great on paper, right? Yes, with a big caveat. What wasn’t so publicly disclosed is that though the funds are opened up for salary and benefits, very little additional money is put into the recruiting or training elements of filling these slots. The security leaders are left out in the cold in an extremely competitive market to find scarce candidates. They’ve got to make do tapping into their own limited network of contacts and maybe leaning on a little internal help from HR, which rarely has valuable insights into the unique nature of the insular security world.
The result? Months and months go by and very few of those copious open positions are filled.
This is far from a hypothetical situation. We’ve seen it play out so many times, we’re almost willing to put on a tinfoil hat and posit a conspiracy theory that maybe CEOs just aren’t that serious about building security teams. They open the positions for show and then tell their CISOs that the positions need to be open a minimum of six months before they allow an outside agency to begin to work them. Unsurprisingly, almost one in three organizations today report that it takes at least six months to fill their cybersecurity positions.
This is a particularly tough situation for new CISOs tasked to build out a team from scratch. Many of these people are sacrificial lambs being readied for slaughter in the event of a breach down the road. The leader is brought in and told they can hire a set amount of people and aren’t given the support to do so. They struggle to find candidates due to the extreme constraints of the market, and are turned down time and again by their executives for permission to use a specialized recruiter to help them out. Six months go by and no luck. A year goes by and they begin to feel really frustrated. A year-and-a-half passes and the writing is on the wall that they may never be able to build out a world-class team.
For security leaders jumping into a new position, we recommend that the recruiting budget to use outside agencies be approved in writing before they start. When you’re brought on with the promise of building out a new team, try asking the organization to include details about recruiting support directly in the offer letter. Make sure that the CEO and leadership are willing to put their money where their mouths are when it comes to the commitment to attracting first-rate security talent. Putting it in writing could save a lot of heartache and frustration in the long run. My very best advice: Do not go to work for a company that will not give you, in writing, the budget to use a staffing agency specializing in cybersecurity.
Friends,
I wanted to share a precursor to my RSAC 2019 talk. Join me Friday, Mar 08 | 11:10 A.M. – 12:00 P.M. for Retaining and Growing Cybersecurity Talent: A Proven Model. RSVP to this session here.
As 2019 begins and companies ramp up their Q1 cybersecurity staffing initiatives, hiring data reveals that filling an open position, a process that normally takes between three and six months, is only half the battle. At CyberSN, the leading cybersecurity staffing firm in North America, we have found that retaining cybersecurity talent is even more difficult than finding the “right” candidate.
The intersection of these trends has created an industry-wide problem, where companies invest significant time and capital pursuing, on-boarding and training cybersecurity talent, only to watch new hires leave after a year. Conventional cybersecurity HR practices only ensure that this vicious cycle repeats itself ad infinitum.
With enterprises increasingly under attack from cybercriminals, and hemorrhaging trillions in hacking-related losses, these hiring gaps leave companies exposed to an unacceptable spectrum of risk. In fact, industry research firm Cybersecurity Ventures projects 3.5 million unfilled cybersecurity positions by 2021. In the U.S., it is CyberSN’s view that this talent gap constitutes a national security crisis.
Given these sobering statistics, the development of a strategic framework to ensure long-term talent retention is a New Year’s resolution that every cybersecurity hiring manager should make in 2019.
This blog post will explain the rhyme and reason behind each of CyberSN’s three keys to retention (career advancement, work-life balance and diversity), and how integrating the three into one cohesive hiring strategy can help organizations achieve better cybersecurity talent retention.
According to trade certification organization (ISC)² only 15 percent of employees have no intention of leaving their current employer. This may be due to the fact that cybersecurity talent are looking for more than a job. They want a career with an organization that invests in their continuing education and rewards their evolving value.
Yet a 2017 survey of 300 cybersecurity professionals conducted by Endgame’s Andrea Little Limbago found that over 50 percent of respondents cited lack of career advancement as the primary reason for ditching their previous employers. These findings dovetail with a 2018 Capgemini survey, which found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job.
Meanwhile, 59 percent of (ISC)² survey respondents cited continuing education and investment in new cybersecurity technologies as the most important factors, when evaluating current job fulfillment.
In 2019, hiring managers must take the hard data into account and invest more in employee training, while staying up to date with the most cutting-edge cybersecurity tools.
This approach will help cybersecurity professionals see a runway that nurtures their professional development and enables them with the resources to grow within the company and beyond. This is especially important for younger cybersecurity professionals. According to the Capgemini study, new entrants into the cybersecurity labor market from Generations Y and Z are more inclined to stay with employers that help them “visualize a career path.”
According to Capgemini, 83 percent of cybersecurity professionals cite work-life balance as the most important consideration when switching jobs. On a related note, Limbago’s 2017 survey found that 38 percent of cybersecurity professionals cited burnout as the main reason for leaving their jobs, while another 28 percent cited stress.
Limbago’s data is not all that surprising, given that an August 2018 Black Hat conference panel in Las Vegas took up the topic: “Burnout, Depression and Suicide in the Hacker Community.” This discussion identified burnout as a “monumental mental health crisis” afflicting cybersecurity professionals.
Part of the reason for this pervasive burnout is that organizations often fail to provide clearly defined roles for their hires. As a result, security talent may find themselves juggling multiple responsibilities and tasks that deviate from their initial understanding of the position for which they were on-boarded. By bombarding personnel with divergent workloads that may not be specific to their expertise, enterprises risk overwhelming cybersecurity talent, pushing them to leave their jobs or worse.
Beyond creating well-defined responsibilities that are aligned with the skill sets and core capabilities of cybersecurity personnel, organizations must also be receptive to their needs as people.
According to Capgemini, “Flexible work arrangements have become an important factor for employee satisfaction, helping reduce absenteeism, increase productivity, and enhance employee engagement.” As such, hiring managers should be willing to accommodate flexible work schedules and remote working.
According to trade organization Society for Human Resource Management (SHRM) “women and minorities remain significantly underrepresented in the cybersecurity profession.” In fact, 2017 survey data published by SHRM found that women and minorities only make up 11 and 12 percent of the cyber workforce, respectively.
To make matters worse, the cybersecurity community has long been plagued by cultural toxicity that has fomented a hostile environment for talent that is not white and male. In fact, Limbago’s survey found that 85 percent of female respondents reported being discriminated against at professional cybersecurity conferences.
The good news is that the culture is gradually changing, as evidenced by Black Hat, which last summer invited speakers to discuss gender discrimination – a topic that had never before been addressed in the conference’s 21-year history.
Overcoming these cultural problems is key because research is increasingly demonstrating that a diverse workforce delivers better business results. In fact, research from McKinsey & Company revealed that firms in the top quartile for racial and ethnic diversity are 35 percent more likely to have financial returns above their respective national industry averages.
The same principle applies to cybersecurity, where increasingly diverse threats demand new approaches and ideas to combat them. Speaking to this point is Javvad Malik, security advocate at AlienVault, who told Information Age, “Security teams need diversity because of the diversity of challenges that it faces. Cyber/information security isn’t a narrowly-defined field, where one skill set can cover the entire spectrum.”
Therefore, by promoting healthier workplace cultures, companies can prevent the alienation of women and minorities, which has caused many to leave their job or the industry altogether. Cultural progress may require firing a workplace jerk or two, but the end results will yield better employee retention, which ensures better cybersecurity for the organization.
Ultimately, these historically marginalized groups represent an untapped resource that can help enterprises avoid the cybersecurity talent crunch.
With nearly half of all cybersecurity professionals being contacted weekly by recruiters, according to (ISC)², these specialists are some of the most coveted candidates in the job market. The dearth of skilled talent creates a situation where cybersecurity personnel have no shortage of new job alternatives if their current employers fail to meet their expectations.
CyberSN’s three keys to cybersecurity talent retention can help organizations change this paradigm and create a more strategic human resources framework. While career advancement, work-life balance and diversity are not the only three factors that infosec talent consider when evaluating job fulfillment, together they form a sound foundation for successful retention.
We hope you enjoyed reading this post and be on the lookout for more CyberSN content in 2019. For more information about CyberSN and how we can help your company fulfill its security staffing needs, please visit our website.
#RSAC #RSA2019
I hope you can attend Coffee and Conversation on Thursday July 26 from 12-1pm EST as I join the Meet team to discuss: PREPARING YOUR TEAM: Set Up for Success at Trade Shows and In-Person Events
Team preparation and training is one of the most often overlooked keys to trade show and in-person event success. So much focus is put on booth location and decor that leaders often forget to empower their most important asset, their people. Whether a team member is in the booth, walking the floor, delivering a workshop, taking part in a hospitality event, or in one-on-one meetings, they need to be prepared to leverage the event opportunity. Event opportunities are perishable. This particular audience will never appear in this way again.

All too often, trade show preparation is left to the last minute, decisions about who is going to the trade show are hastily made, and with the little time left the team is not supported with enough orientation and skill building to enable their success. This preparation procrastination hamstrings the team’s ability to execute and ultimately to maximize the trade show’s return on investment.

In this workshop, we’ll focus in particular on the activities that will empower your team and make them much more effective at trade shows and in-person events. Join us and learn the latest strategies to prepare and enable your team.

Workshop Outline
Our webinars and services are geared toward helping B2B growth companies gain fast traction in new markets and develop reliable streams of high-quality prospects. Feel free to share this invitation with others. Space is limited. Sign up today!

ABOUT: Deidre Diamond, Founder and CEO of CyberSN and the Founder of Brainbabe. Deidre and her team participate in many of cybersecurity’s biggest trade shows every year. CyberSN is a cybersecurity research and staffing firm. Brainbabe is a not-for-profit which is helping to desexualize industry conferences and events while helping to bridge the cyber-talent gap.

Have questions about PREPARING YOUR TEAM: Setting Everyone Up for Success at Trade Shows and In-Person Events? Contact Bill Kenney.