What aspect of cybersecurity is the most challenging for company managers? Cloud security? Protecting open source software? Defending IIoT devices from invaders?

No matter what the threats are, no organization can protect itself without a strong cybersecurity team. The supply of qualified cybersecurity practitioners is not equal to demand, a shortage that is now in its third year, according to the Information Systems Security Association (ISSA). ISSA bases this assertion on an annual survey it sponsors with the Enterprise Strategy Group. Among the alarming results from the most recent survey are the following:

· At least 48% of survey respondents had experienced a security breach in the previous two years.

· Respondents identified the cybersecurity skills shortage itself as a root cause of the increase in security incidents.

· 91% of cybersecurity experts believe that most organizations are vulnerable to attack; 94% believe the balance of power rests with the attackers.

· Over 60% of organizations surveyed do not provide adequate training to enable their IT staff to do their jobs effectively.

Executives must accept that cyber threats present a business problem, not just a security problem. IBM reported that in 2019 a data breach cost an average of nearly $4 million worldwide, and over $8 million in the U.S. Set the costs of building, equipping and maintaining a cybersecurity team against the cost of a single breach, and the value of security to a business is much clearer.

What to do? Corporate executives can take immediate action on several fronts, starting by learning which skills their cybersecurity team needs, which ones it lacks and how to acquire them. Another significant, and often overlooked, aspect of cybersecurity is taking care of the people who are currently providing those services.

Who plays on a cybersecurity team?

Defining a one-size-fits-all security team is, of course, impossible. Figuring out the kinds of services an organization needs, and deciding which to provide in-house and which to contract out, does not have to be a major task. The U.S. Department of Homeland Security provides a good tool for understanding in detail the work roles, tasks, skills and knowledge involved in providing organizational cybersecurity.

The resulting National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, published by the National Institute of Standards and Technology as NIST Special Publication 800-181, provides “a nationally focused resource that categorizes and describes cybersecurity work...it establishes a common lexicon that describes cybersecurity work and workers regardless of where or for whom the work is performed.” The same publication includes a framework tool to help identify gaps in an organization’s current cybersecurity team. Various organizations inside and outside of academia offer executive education courses that give participants a strategic view of cybersecurity risk management and a vocabulary for talking to security experts, among many other insights and skills.

In a world where the IT department – or whatever name an organization bestows on the people who keep the network and the desktop applications running – has become the locus for all things tech, the expanded responsibility for cybersecurity probably arrived without an understanding of the new roles and skills necessary to fulfill it. CyberSeek distilled multiple lists of job titles and roles, including those defined in the NICE framework, into a tractable interactive summary that shows career paths, job responsibilities and how the roles relate to one another.

Cybersecurity professionals can earn certifications through ISC2 that show employers an employee’s areas of expertise. Some certifications focus on specific kinds of software or industries, such as HealthCare Information Security and Privacy Professional (HCISPP), and others require broad general expertise, like the Certified Information Systems Security Professional (CISSP). Employers can require certification before hiring — or support current staffers as they pursue certification.

How to find and keep cybersecurity team members

A few years ago, TechRepublic published an article titled “Why your organization can’t hire a cybersecurity professional, and what you can do about it.” The first part of that title sounds discouraging and reinforces the results of the ISSA survey mentioned above. Despite a labor market that favors job seekers and a small pipeline, employers can take positive steps to recruit — and retain — good people.

One piece of hiring advice is borrowed from the world of job seekers: network. Encourage other IT and cybersecurity employees to take active roles in local professional groups, such as a local chapter of IEEE. Be a presence at local job fairs and at regional or national association meetings. These activities offer chances for both formal and informal recruiting and spread information about the company. Set up an internship or co-op program with a university that specializes in cybersecurity. Companies are not obligated to hire interns or co-op students; however, these students come with advantages: they know the company culture, they already have a group of colleagues and they know how to do the work expected of them.

To keep cybersecurity staff, employers need to understand the subjective aspects of cybersecurity jobs. Work-life balance can pose even more of a challenge for these workers than for their counterparts in IT. One reason the scales tip toward work: security people are often on call around the clock. Sometimes this is a result of short staffing, and the short staffing may itself be an effect of the job market. Finding ways to ease the workload or make working conditions as comfortable as possible – by allowing remote work, for example – can help alleviate some of that stress.

The tight job market contributes to two other problems. First, recruiters tend to ask that candidates offer too many skills, well beyond the needs of the position offered. Second, the obvious way to satisfy a company’s need for those skills, training an existing employee, is often overlooked, even though offering training to a current employee is good for morale as well as good for the employer. Prioritizing which skills to seek in the job market and keeping the skills wish list under control will help lead to a successful recruitment cycle.