During the pandemic, Aite-Novarica Group has been very involved in discussions as companies contend with workforce strategies to address topics such as remote work, hybrid work, “work from anywhere,” and other challenges. Typically, our view is strategic and from a broad organizational perspective. However, in this blog I will be delving into a specific discipline where the problem is especially acute.
The sourcing of IT security/cybersecurity organizations has now reached the point that urgent action must be taken, analogous to the urgency demonstrated when an organization is dealing with a zero-day threat.
There are a couple of patches that can address the zero-day threat of security resources leaving:
- Move left of boom: Waiting until the actual event (here, the resignation) is too late. Moving to the left means taking positive action before the event happens. A corporation may be working to address its resourcing issues across all functions with a holistic, one-size-fits-all program. This is well intentioned, but it will miss the mark. There is a wide variety of estimates on how many cybersecurity positions are open, from 500,000 to one million. However, there is little debate that the unemployment rate is essentially zero and will continue to be so for the foreseeable future. Below are some ideas that will move you to the left, but the first patch is realizing that urgent action needs to be taken.
- Remember that security is a team effort: Any truly good security resource does not take pleasure in telling people what is not allowed. The best security staff try to recommend ways to use tools and technology to reduce risks behind the scenes. But the reality is that some security practices will be visible. With travel, for instance, if we said, “I want to fly, but I don’t want to see any evidence of security,” that would strike all of us as unrealistic. We know a lot of airline security is unseen, but some of it has to be visible to us as travelers. The entire organization has to support the importance of security and reinforce that security staff are valued. If every time a security measure is visible, leaders are dismissive and frame the measure as, “the security staff AKA work prevention makes us do this,” expect security people not to feel like they are part of the team and to leave.
- Invest more in security: If multiple security staff agree that a tool or feature is missing from the security solution set, there should be a dialogue. If security staff feel there is a gap not being addressed and they can’t do their jobs adequately, they will leave. If the company cannot pursue a tool, solution, or process change at present, the security team should have a discussion with decision makers that leaves titles at the door. This ensures that security experts’ voices are heard and that decision makers can articulate what the other priorities are. Hearing thirdhand that the company “can’t afford it” is not good, and hearing, “They are sick of us asking for more for cyber” is a kiss of death.
- Use security challenges to retain your staff: Invest in training on technology and risk reduction. Support resources in getting professional certifications. Engage security resources by having them provide ideas on how to educate, inform, and better defend your entire organization. There are so many challenges for financial services organizations today; it is not difficult to give resources new opportunities to take on projects or gain skills that will add value to your organization.
- Compensate your team appropriately: Even pre-pandemic, CISOs were surprised at the increased compensation that staff were being lured away with. Don’t be surprised—and don’t compare your staff to “the region” or “usual competitors our employees go to.” Like many other professions, security resources are now competing on a nationwide scale. Ensure your compensation analysis is conducted accordingly.
- Don’t wait for squeaky wheel: IT security staff are unlikely to demand higher wages or agitate for the preceding patches. They will just smile—and then leave. If these actions resonate with you, don’t wait for noise to start in your organization. The noise may be the (virtual) door closing on your team’s way out.
Why should there be special action for security staff, you ask? Aren’t we all under staffing pressures? Isn’t all this constant discussion about cybersecurity overhyped?
Yes, yes, and no.
Yes, absolutely many disciplines are under pressure, and yes, absolutely we recommend special action for security. Sadly, no—the risk environment and risk of security talent attrition is not overhyped.
Don’t be a victim of zero-day for sourcing—it is patchable. To learn more about how to manage this risk, contact me at [email protected].