Mitigating risk by improving cyber workforce resilience
Originally published by Corporate Board Member, a Chief Executive Group Community.
Organizations face significant threats when it comes to cybersecurity. Well-funded bad actors are upping the ante by increasing the frequency and sophistication of cyberattacks. At the same time, work-from-home and large-scale digital transformation efforts are escalating companies’ exposure to cyber risks.
In an attempt to counter these threats, organizations are investing heavily to ensure they’re adequately protected. These investments have driven an explosion in the demand for cybersecurity talent.
Cyber talent shortage directly impacts risk exposure
Cybersecurity is one of the most in-demand skills in the marketplace with thousands of unfilled positions as organizations struggle to find talent. Understaffed cyber teams are stretched too thin, leading to burnout, one of the top reasons for resignations. Employee churn in cyber is high at 44% – twice that of other IT professionals.
Instability in the cyber workforce heightens an organization’s cyber risk through:
- The loss of institutional knowledge when tenured cyber employees leave, and
- Missed cyber control checks due to understaffed and inexperienced cyber teams.
The result: Cyber leaders are poaching talent from each other. They are all going to the same well, and that well is drying up.
CISOs need to take the long view to stabilizing their cyber workforce
For organizations in this environment of increased risk and a limited talent pool, a top priority should be to build a strong cyber employee value proposition: the best match between what cyber talent wants and what your organization has to offer.
Some aspects of this value proposition have become a baseline: remote/flexible work opportunities and competitive compensation. Employers need to instead focus on those aspects of their value proposition that are unique and enhance their brand in cyber circles. Examples include a collaborative culture, commitment to learning and innovation, large investments in talent, etc. These take time to build and require dedicated effort from cyber leadership. But once in place, they provide a sustainable competitive advantage.
With talent in short supply, leaders should focus on building cyber workforce resilience through an approach designed to:
- Reskill non-cyber talent to do cyber work, and
- Optimize how work gets done through build / bot / borrow strategies.
We frequently hear from CISOs that some of their best cyber talent came from backgrounds as varied as investigative journalism, insurance, and first responders. Creating a steady pipeline from non-traditional sources requires investment in programs such as internships, mentoring and training. Even then, these investments only yield results if they have strong and consistent support from cyber leadership and the commitment to building talent becomes part of the cyber team’s culture.
Optimizing how cyber work gets done requires three critical components: (1) deconstructing the work into tasks and activities, (2) redeploying tasks into the optimal work model, and (3) reconstructing work into cyber roles within the organization, automation tools, or work outsourced to service providers.
Taking this long view to cyber workforce resilience requires commitment and investment. But once accomplished, it creates a cycle that provides a sustainable competitive advantage.
Board support is critical
Finally, support from the board can be critical to helping CISOs stabilize their cybersecurity workforce. This means getting cyber workforce strategy issues on the board agenda so that they:
- Have visibility into the talent issues the CISO is facing: open cyber positions, cyber talent churn, employee satisfaction, talent development and succession planning efforts.
- Can understand the roadblocks to achieving cyber workforce resilience and how they can help to remove those roadblocks.
Getting your cybersecurity function right isn’t a mandate for the future – it’s a mandate for today! Organizations that are successful can build a culture and brand to drive cyber workforce resilience and reduce risks.