CyberWire Daily - Putting a dent in the cybersecurity workforce gap.
Episode Date: December 26, 2024
Please enjoy this encore episode of Solution Spotlight. In this special edition of Solution Spotlight, N2K President Simone Petrella is talking with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap through empowerment, breaking down barriers and expanding DE&I initiatives.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In our ongoing Solutions Spotlight series,
today N2K President Simone Petrella returns with a conversation with ISC2 CEO Clar Rosso
about putting a dent in the cybersecurity workforce gap.
Here's their conversation.
I am so excited to be joined today by Clar Rosso,
and you've spearheaded some pretty amazing initiatives
in your tenure since joining.
Just to level set for everyone listening, one of those initiatives is the entry-level
Certified in Cybersecurity certification, which has had over 110,000 people express interest in
joining the cybersecurity industry in just three months. I will also state for the record, we actually put out a challenge
to our own team. If they wanted to take the Certified in Cybersecurity, we are helping them
get that and encouraging them to take it. So we've created some of our own incentives to do that.
But the workforce gap is wide. But Clar, I'm excited to talk today about some things that you
all are doing to help tackle that, especially around diversity initiatives as well. Before we dive into all of that, one of the first things I noticed about you
is that you have a long history with associations, but of accountants. So I would love to hear a
little bit about your background, but then also your perspective on the similarities and maybe
differences that you've noticed in the field since joining cybersecurity. Thank you, Simone. So thanks. It's great to be here. Great to be talking to you.
Thanks for having me. And it's fascinating, actually, that I come from working for decades
for the accounting and finance profession because I actually think my experiences there
are not dissimilar to what we're doing here. And there's a lot to be learned
both ways in that relationship. So accounting and finance has an underlying need to have a deep
knowledge and understanding of risk management. And if you think about what cybersecurity is,
it's nothing but risk management. So the overlap there was a super pleasant surprise for me
when I joined the organization.
And then personally, I think that,
plus the fact that in my career,
I had had so many opportunities as a business leader
to be involved as a sponsor
and at different times very hands-on
in the execution of tech projects.
So that, and I always,
my whole career, was really interested
in talking to network security people.
Although they didn't call themselves network security.
They were just the IT guys and they were guys.
Yeah.
And they were all about the network
and they'd draw the pictures on the wall
and they'd explain what firewalls were to me.
And this was like early days for me.
And it left a lasting impression that is serving me well today.
But when I think about the profession,
there's a couple areas that some of what I learned
when working with accountants
is actually serving me really well here with cybersecurity.
So one is just thinking about the professionals.
And in accounting, we had a workforce gap, nothing on the scale like we have in cybersecurity.
But that challenged us about a decade or so ago to really think, how do we think differently about who we hire? And how can we challenge our traditional beliefs that we need to have people who have
technical accounting skills and really think about what are the core competencies that make
someone a good accountant? Well, guess what? They're problem solvers and analytical thinkers
and critical thinkers. They have a commitment to lifelong learning. We need them. We may not
have historically needed them to, but now today, we need them to be good communicators.
They need to, in writing and in verbal communications,
they need to be great.
And gosh, that sounds really similar
to what we need in cybersecurity.
So I think that is a pleasant area of overlap
that we can leverage.
The other thing, because we're here today at Secure DC for ISC2, we just had a speaker downstairs and the room started talking about the disparity of standards in cybersecurity.
And that really struck a chord with me because, you know, ISC2, we're 35 years old in 2024.
This is a new profession.
We haven't been around for 150 years.
So we're early days and we are seeing a tidal wave of regulation coming to the profession.
And professionals are overwhelmed because they want to be in compliance
with regulation, but they also need to do the work of cyber defense. And you can't really do both
most of the time, so they're trade-offs. So we really have some opportunity to talk about setting
global standards in cybersecurity and really harmonizing. And it has to be global because
the work of cybersecurity professionals is global. And I think because the accounting profession has been around for decades,
this will be my last accounting analogy, but they learned from that, but it took them 125 years to
figure it out. We can do it much earlier. We can now start having the conversation about how do we
harmonize? How do we harmonize across the globe?
How do we harmonize within agencies in the U.S.?
And that can create a real important opportunity to strengthen the security posture of our whole ecosystem.
Yeah.
I mean, it always has struck me, being in the cybersecurity industry for as long as I've been in there, we are an industry of professionals, but we haven't professionalized.
Yeah.
And what I think you're describing is this concept of like professionalization, you know, and those standards are part of it.
Yeah. So we have, we like kind of look at the, I don't know, I get a little confused about the number of the legs on the stool. But we have the certification piece, right, that has exam, education, experience, and ethics.
But I'm going to come back to ethics.
We need the standardization and the standards that we're holding people to.
But then I think the other thing, and this is actually one of our work projects for 2024, is we need a standardized code of professional conduct or ethics in the profession. So we've
been starting to talk to government stakeholders, the other certifying bodies about let's put
together that framework for what does a code of professional conduct look like? What are the
standards we all need to be held to? And in a profession where in certain parts of the world, it's more lucrative
to go work for the bad actors
than it is to work
for businesses and government.
It's really important
that we take that step
and focus on that professionalization.
I would think it's also
pretty helpful for
recruiting other people
to even progress in the field.
Because I know one area
that a lot of cybersecurity leaders
are really nervous about right now are, you know,
the recent SEC charges against SolarWinds
and then who's taking that personally
and kind of, you know, what happened with Uber.
So there is some accountability that's coming into the profession.
And we need to create clarity about what's okay and what's not okay.
I think the other thing that we need to be looking at is, I was actually really surprised.
I feel a little naive about this, but I was really surprised to learn, because ever since I've been in an executive role in an organization, I have been covered by the D&O insurance of that organization.
So work I do on behalf of the organization is covered by the insurance.
CISOs aren't always included in that.
And that was actually pretty stunning to me
that they're not.
And so I think that we can do something
as a 600,000 plus professional organization
to talk to businesses, talk to the insurance companies, and talk about,
wait a second, we need to have the same protections for our cyber leaders as you are giving to other
leaders in the organizations. Now, that doesn't absolve anybody if they participate in criminal
activity. But yeah, good point. But it wouldn't do that for any other executive.
Yeah, exactly. So switching back to kind of the meat of the topic,
ISC2 is known for putting out its annual cybersecurity workforce study, and the most
recent came out in early November of 2023. Would you mind sharing some key takeaways or themes
that you saw from this most recent study?
Okay.
As usual, it's a good news, bad news scenario,
which is really ultimately good news.
So the workforce grew.
It grew 8.7% to 5.5 million professionals.
We count fractional people in cybersecurity as part of the workforce,
and because it is really illustrative of what the cybersecurity workforce looks like. So,
anybody who spends more than 25% of their time on cyber roles, we include as part of the workforce.
So, 5.5 million, we grew the supply. Always good news. We've patted ourselves on the back.
But at the same time, the demand grew even more.
So our unfilled roles in cybersecurity now globally are around 4 million, which is huge.
It was about a 12-point-something percent increase year over year.
And while that's worrisome, I actually think it's positive, too, because what that tells me, because this is demand for unfilled roles, is that organizations are prioritizing cyber professionals on their team, which is they understand the value of cybersecurity professionals in the workforce. So that was kind of the top level. It's about the same all over the globe. APAC has the highest gap. It's well over 2 million unfilled roles, which again, you could turn that
to say they have the greatest awareness of the value of cybersecurity within the business.
But some of the other things that came out that I thought were interesting, maybe not surprising, but like uniformly interesting,
is 75% of all the respondents said threat landscape's the worst they've seen in the
past five years. This year, we dug into the difference between people and skills.
And so not just do you have a gap in your workforce, but do you have a skills gap?
And perhaps it has really shown a spotlight on the fact that we need to be paying more
attention to the skills gap because 92% of organizations are saying they have skills
gaps in one or more areas.
And a significant number of professionals are saying, if we could address the skills gap in our organization, it would lessen the impact of the workforce gap.
So I think that really points to thinking about what are the skills we need? How do we take the time? And that's the hard part, right? You're a cyber professional. You know this. That's the hard part. How do we take the time to develop it by giving people training or whatever you're going to do to develop them?
Are you finding also just in this unique economic environment, the market's doing okay,
but companies are behaving like costs are kind of constrained. And so the first things that often get cut are development budgets.
I'm just curious if you're seeing that too.
So, yes, which then makes me say we're hearing two different things, right?
We're hearing two different things.
So we actually did research early in 2023 where the C-suite said,
we understand the value of cybersecurity professionals.
We know that our risk is worse during times of economic instability. Last people we'd ever cut
from our teams are cybersecurity professionals. So we were cautiously optimistic, but what we
found is that 47% of cyber professionals in the past year
have dealt with cutbacks to their team
either in the form of layoffs, budget cuts,
or hiring or promotion freezes.
71% agree that the risk of malicious insider,
and this was some of the interesting stuff
that we found in this report too,
are far greater during these times of economic pressure.
And it's actually like a stable time versus times like now. It's like the threat of malicious
insiders is three times worse than it is during normal times. In fact, we had more than
50 percent of the respondents say that they have either first or second hand exposure to
a malicious insider event in the past year, and that over 40% are saying they've actually been
approached to be the malicious insider. And that, I think the cybersecurity profession knows and
understands the risk of malicious insiders.
I think there's a lot of education we can do in the business community of helping them understand the risks that they're creating to their organization when indiscriminate cuts are made
to teams. What is ISC2 doing when it comes to educating at the executive level? Is that something
you all are getting involved with now as that mission is expanding? It is. So we're looking at it from
two angles. So our first angle is to work with cyber professionals themselves and help them
think about what they do in terms of how a business runs itself. So talking about cyber
in terms of how is it supporting the organization's strategic priorities or what risks may be presented to the organization's strategic priorities based on what they do or don't do related to cybersecurity.
So we're working on that.
We've started to run cyber leader workshops this fall, and we're going to start to ramp that up into next year.
So that's one way we're
tackling it. We are also tackling it with business leaders through more generalized outreach of how
we talk to the media, how we talk to groups that represent business leaders and boards of directors
about what they need to know about cyber literacy. We actually endorsed a report by NightDragon and Diligent.
Sorry about that pause there.
But that actually looked at the cyber literacy of public company boards of directors in the U.S., and it found that only 12% of directors
have any level, any reasonable level of cyber literacy.
So if they're, so board directors in the U.S.
are woefully unprepared
to consider an organization's cyber risk,
and that's in public companies.
So just imagine what it is in private companies.
And then the third thing we're doing
is we are scanning the horizon on global regulation. We're trying to look at it through that lens as well of what are the decisions that businesses are making.
what I think we see and hear governments talking about as being kind of business friendly.
We're going to share best practices with you.
We're going to suggest what frameworks you should be following.
I'm not sure as business friendly as they make them out to be
because we're allowing businesses to kind of shoot themselves in the foot,
so to speak, and make bad decisions that are putting them at risk.
If they're part of critical national infrastructure
and practically what's not, right?
You're putting the whole nation at risk.
So it's a really interesting situation.
And I think there is a ton of work to do.
We were just in a room where somebody said,
you know, the business leaders in my sector,
they're really smart.
They make thoughtful decisions. And then he said, but time and time again, they're not
prioritizing the cybersecurity risks within their businesses. So I have to ask, are they really
making thoughtful decisions? Do they really understand what they're deciding on?
Right. Well, there's that old adage now that every company is a tech company.
Yeah.
I mean, what company isn't? You know, you could be driving FedEx trucks and those trucks are loaded with sensors. They know every single location they're at and when. Like, you don't think
that's connected to the internet? How are you not running a tech company? Yeah. Exactly. Exactly.
Well, you know, full disclosure, we've been a partner of ISC2 for a long time. But one thing that is so exciting to
me is it seems like your mission's really expanded over the last few years, and you're just taking on
so much more. Everyone knows ISC2 is the CISSP. We are CISSP. And what you're describing is so
much more as we think about that road to professionalization. Has that been, if I'm
reading in between the lines here, has that been part of your charter as you've been thinking about reshaping the organization? Working with our board of
directors, that is absolutely intentional. So I would liken it to, you know, we're talking about
professionalizing the sector and part of that is professionalizing the professional bodies.
So we really, and our peers, acted like training organizations to some degree.
We push people to be certified and we certify people.
And that has done that.
The work of ISC2 and the other certification bodies has done more to build the cybersecurity workforce than anything else across the globe.
So that has great value and we're still totally committed to that.
So that part I always want to be clear about. But the reality is our members, the cybersecurity
profession needs representation. They need people out there advocating with regulators, policymakers on what makes sense and what doesn't make sense. Because
everyone goes generally to make policy with good intentions, but they don't really understand the
impact of the decisions they're making unless somebody who has that expertise can come and
let me explain to you why maybe reporting a cyber, every cyber incident within 24 hours of it happening actually doesn't make any sense at all, right?
And so part of what we can do is we can help speak for the collective.
We can give voice to the individuals in ways that they aren't going to be able to do for themselves.
And so absolutely intentional on that advocacy front for the profession.
The other thing that we've really expanded greatly and will continue to do into the future is once someone is certified, rather than
just automatically saying, okay, earn your next certification, really focus on what are the areas
of professional development that you need most and how can we help you do that? So you can imagine in the virtual halls of ISC2,
we are talking a lot about third-party supply chain risks. We're talking about AI security
and the safe and ethical use of AI. We're talking about OT/IT, industrial controls,
you name it. We're talking about all those things and talking about how do we help people effectively and rapidly make sense of what's going on so that they can do for ISC2 as well. How are you approaching those particular issues in the cybersecurity community
and what initiatives are in place now to promote diversity?
All right.
Well, so we kicked off a DEI initiative three years ago when I first joined,
and we brought a group together globally to say,
what's the landscape look like here and what do we need to do?
And the data is super clear.
We bring diverse individuals in, and they don't stay.
And it's the worst with women, right?
We bring women in, and they don't stay in cyber,
and we need to change that.
We need to understand what the root causes of that.
So our approach has been, first and foremost, that we're
not going in alone on this. So there are so many wonderful nonprofits all across the globe that are
focused on helping different kinds of diverse or underrepresented groups enter the cybersecurity
profession. So some of them are racially based, ethnically based, gender based, neurodiversity based.
There's tons of organizations. So we are partnering with them to understand what we can do to help people be successful.
And one of the things that we found out, and we held a global DEI summit in Washington, D.C. last summer to bring that group together and talk about what can we do that's most important.
And where we landed
was sort of a two-way path on employability. How do we, for individuals beyond our certified in
cybersecurity, how do we help provide them with the tools and the confidence they need to consider a job in cyber, to interview for a job, to create that resume, to successfully onboard in a job, and especially when you might be onboarding in an organization where you don't see a whole lot of people like you there.
And then how do you help them just navigate the workplace in a way where they feel included and they belong and that's somewhere
where they want to stay. So, a whole bunch of work starting in that area. And there's a lot
going on there. We just want to amplify and scale that. And we now need to also address the employer
side of the equation. And I bet you have stories you could tell me. So many. But we need to work with
employers to say, what are those best practices? Let's work together because your heads are all
nodding when we talk about hiring differently. So let's talk about that. How does that mean you
change your job descriptions? How does that mean you change how you filter for who you interview? How might that even change how you interview and consider who's
a qualified candidate for a job? And then from there, once we get people hired, what are the
best onboarding practices? How do you create an inclusive environment where everybody's voice is heard because that little thing,
and it's not a little thing, that is one, it's a key to great problem solving in organizations
that are dealing with dynamic challenges, but it's also one of the number one indicators
of job satisfaction for cybersecurity professionals that make them want to stay
at an organization is when they feel like they're being listened to.
And so we're going to work on the employer side with all those things.
We're going to talk about pay equity with people.
We're going to talk about their advancement practices and how to do it.
And then we're going to start to spotlight the organizations that are doing it well.
We don't have an actual name for it yet, but just imagine ISC2, Cybersecurity Employer of Choice.
Yeah.
And we already know that organizations that in their job postings talk about their diversity,
equity, and inclusion programs are viewed more favorably than those organizations that don't have that.
So we think if we add this other level,
those employers will be the employers that people are beating down their door for.
Everyone always wants to keep up with the person next to them.
So that's a brilliant idea. I love it.
Yeah. I got to tell you one more thing. We now actually have data that shows that organizations that have DEI programs in place have better security postures than those that do not.
Interesting.
So 19% of organizations that have DEI programs in place report that they're at moderate to severe risk, as opposed to 34% of organizations that either have no DEI programs at all or any plans to have them ever in the future. So I think that that's really interesting because some people,
some people when you talk about DEI,
it's like they think they are being sent
to the principal's office.
Right.
And it's like, this isn't about sending you
to the principal's office.
This is just about making you better.
All of us better at what we do.
What's your hypothesis on that?
I have a couple I could come up with, but what's yours?
Well, I want to hear what yours are too. Mine would be that if you have a DEI program in place
that you've set a cultural expectation that you're looking for diversity of thought,
experiences, and backgrounds. And so as a result, if you're making the effort to kind of put the program in place, then you're doing a little more than just talking the talk.
And so even if it's not entirely formalized, it's created a culture or at least the start of a culture where you could hire people who have different diversity of thought.
And I believe that that actually ultimately reduces our risk in a security world.
Absolutely. I agree with you completely because I think what it does is it creates that,
that if you're already doing that, it's not just a checkbox activity. You are already thinking in
ways that create like that sense of inclusion and belonging in the organization, which also
hopefully means that you're also taking care of the people on your team
so that you're not burning them out
and you're engaging in some of those best practices
of job or project rotation.
So, okay, we all gotta be 24/7 for periods of time,
but we don't need to be 365 days a year.
So I think so.
And I do think I absolutely see a strong willingness across the
profession to head in this direction. And this goes back to we want to do it. Help us on how we
do it. We know there are resistors and there's really vocal resistors, but they are absolutely positively the minority in the profession, not the majority.
Most people are very inclusive.
I actually have been really impressed, you know, moving from working with a different profession before to coming to cybersecurity at how much cyber professionals want to help bring along the next generation of cyber professionals. So
I think we're ripe for change here. That's N2K President Simone Petrella with ISC2 CEO Clar Rosso. Thank you.