A lack of competitive compensation is the number one reason organizations struggle to hire and retain infosec talent, according to annual survey findings from the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). And yet, doling out higher salaries simply isn’t possible for some resource-strapped businesses, which find themselves outbid by companies with deeper pockets.
This is the first of three key cyber workforce dilemmas illustrated by the ISSA and ESG’s just released report, “The Life and Times of Cybersecurity Professionals 2021.” Ultimately, all three quandaries come down to either a lack of funds or time that are needed to give infosec professionals the salaries, training and influence they seek. Indeed, that’s why 59% of 489 surveyed cybersecurity professionals said their organization could be doing more to overcome shortages in cybersecurity skills.
ISSA and ESG refer to dilemma number two as a “training paradox," where the need to constantly learn conflicts with the inability to devote time to training. Among the surveyed cybersecurity pros, 91% said they and their peers must continually be honing and upgrading their skills in order to keep their organizations secure against the latest threats. Yet 82% noted that their own day-to-day job requirements typically get in the way of such ambitions, especially with many security teams suffering from staffing shortages.
Daily responsibilities also commonly interfere with cyber practitioners’ desire to be more involved in strategic IT planning and business alignment. This is the third dilemma.
The report noted that 86% of survey participants said they agreed or strongly agreed that security professionals “spend too much time on the technical aspects of cybersecurity and not enough time on how cybersecurity aligns with the corporate mission.”
“They want to participate in business planning, but they are often shut out of meetings and not considered in the development of strategic plans,” the report continues.
In an interview with SC Media, thought leaders from ISSA and ESG shared some potential solutions for this trio of conundrums.
Compensating for a lack of compensation
Among the survey participants, 38% blamed lack of competitive compensation as the biggest reason the cyber skills shortage is affecting their organization. Candy Alexander, ISSA international president, said that if employers are limited in what they can spend on payroll, they may need to find creative ways to keep cyber workers happy.
She noted: “For those organizations that can't afford the top salary rate, think about: How else can you make that individual feel valued?” For example, that might mean offering mentorships with C-suite executives — a doubly helpful suggestion because it also serves the needs of cyber professionals who want to be more involved in strategic corporate planning.
A worker-friendly environment that makes professionals feel welcomed, comfortable and content can also go a long way. “We work so damn hard and there’s so much stress, and as the survey suggests we have burnout rates that are through the roof,” said Alexander, so “feeling appreciated and having fun at work, having that life work-balance, is really important as well.”
Outside of raising compensation, actions that survey-takers most commonly suggested for addressing the cyber skills shortage were offering more cyber training and providing extra incentives such as paying for certifications or admission to industry events.
Organizations could also try appealing to employees’ values and sense of morality. For instance, "federal employees aren't making what they could make in the private sector, but sometimes they [value] the mission of being a civil servant,” serving a vital role in national security, said Jon Oltsik, senior principal analyst at ESG.
For some, that kind of job satisfaction may be more important than their earnings — at least up to a point. For the broader infosec community, however, perhaps not.
“In reality, it's such a competitive market that if you're if you're not competitive with salaries, you're fighting uphill,” said Oltsik.
Solving the training paradox
In some cases, companies can help alleviate their info talent defecits by looking within for employees who can be trained up. Keys areas that are in dire need of talent include application security and DevSecOps, cloud security, and forensics, said Alexander.
But even when companies do make allotments for training, such offerings are often low priority compared to the daily fires that infosec personnel have to put out. “It's come to the point where everybody will [nod] their heads and say, 'Yes, we need training as technologists, we need to stay current — all of our certifications require us to maintain CPEs' — but ironically enough, our daily roles are so intense that there's no time for training,” said Alexander.
Alexander said this trend continues to persist due to businesses failing to comprehend the value of or need for training. And, like it or not, the responsibility may end up falling on cyber professionals to help companies understand.
“If we were able to articulate to business the importance of training and keeping sharp with skills, then we would see a bit of a turnaround,” said Alexander. “And I don't think we as technologists or cybersecurity professionals have learned the fine art of business language. And so we have not been able to talk the talk and walk the walk from a business perspective, to get them to understand our needs.”
“Do you want your surgeon to still used leeches to draw blood?” asked Alexander. “Or do you want somebody who's state-of-the-art and understands robotics and how to use technology to accomplish the job? There's the difference — the value of learning and education.”
Indeed, falling behind training “means that the cybersecurity professionals haven't got the skills to keep up with the latest types of adversary tactics, techniques and procedures,” said Oltsik.
Ultimately, it’s up to employee to take initiative. “Stop playing the victim. Get out there, get your own training,” said Alexander, who recommended taking low-cost virtual training courses. “And then really start looking to learn about business, business life cycles, modeling, and how technology can support that.”
Following this advice will only further helps cyber pros align their teams with the overall corporate strategy. Which brings us to the third cyber talent dilemma: lack of involvement in IT and business planning.
Giving security a more influential voice
“Cybersecurity professionals are happiest when they are asked to participate directly in all IT planning, but grow frustrated when they are relegated to a technology administration role and forced to address security needs in later phases of projects,” warns the report. “The same is true of the security team’s relationship with business management: They want to participate in business planning, but they are often shut out of meetings and not considered in the development of strategic plans.”
The problem, said Alexander, is that right now too many businesses have built their security programs around governance, risk and compliance expectations, rather than around strategic business needs.
“We as security professionals are saying we're not being invited into the strategic discussions, and that's causing significant issues on the back end,” said Alexander. Security ends up "bolted on, as opposed to baked in.”
“We're not happy because we're not meeting our own needs of how to protect the organization, and the business is not happy because we're not doing that. And we do recognize that it’s because we're not being invited in," Alexander continued.
Fortunately, there are ways to remedy this situation. The top three suggestions from survey respondents for improving the relationship between cyber and IT were allowing security teams to partake in all IT projects from the beginning; embedding infosec pros within IT functional departments, exposing the IT staff to increased cyber training. And the top three actions for improving the relationship between infosec workers and business management were encouraging cybersecurity participation in business planning, improving cyber-risk identification and focusing cybersecurity resources on business-critical assets.
Other survey questons posed to security professionals for the purposes of the report included how cyber professionals found their current job, what advice they’d give to individuals looking to get into cybersecurity, and which certifications are most crucial to landing an infosec job.
“There's a lot of research on technology and technology trends, there's a lot of research on threats, [but] there's much less initial analysis of the professionals themselves. And really, the professionals are going to make or break our ability to defend ourselves — so we wanted to understand what they're doing,” with this research said Oltsik.
In specific regards to the cyber skills gap, Oltsik said the goal this year was “not just defining the problem, but to understand what companies are doing to overcome these issues and what cybersecurity professionals recommend their organizations do to overcome these issues.
