CyberWire Daily - Putting a dent in the cybersecurity workforce gap. [Special Edition]
Episode Date: January 15, 2024
In this special edition of Solution Spotlight, N2K President Simone Petrella is talking with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap through empowerment, breaking down barriers and expanding DE&I initiatives.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
In our ongoing Solutions Spotlight series,
today N2K President Simone Petrella returns with a conversation with ISC2 CEO Clar Rosso
about putting a dent in the cybersecurity workforce gap.
Here's their conversation.
I am so excited to be joined today by Clar Rosso,
and you've spearheaded some pretty amazing initiatives in your tenure since joining.
Just to level set for everyone listening, those initiatives,
one of which is the entry-level Certified in Cybersecurity certification.
And it has had over 110,000 people express interest in joining the cybersecurity industry in just three months.
I will also state for the record, we actually put out a challenge to our own team.
If they wanted to take the Certified in Cybersecurity, we are helping them get that and encouraging them to take it.
So we've created some own incentives to do that.
But the workforce gap is wide.
But Clar, I'm excited to talk today about some things that you
all are doing to help tackle that, especially around diversity initiatives as well. Before we
dive into all of that, one of the first things I noticed about you is that you have a long history
with associations, but of accountants. So I would love to hear a little bit about your background,
but then also your perspective on the similarities and maybe differences that you've noticed in the field since joining cybersecurity.
Thank you, Simone. So thanks. It's great to be here. Great to be talking to you.
Thanks for having me. And it's fascinating, actually, that I come from working for decades
for the accounting and finance profession because I actually think my experiences there
are not dissimilar to what we're doing here.
And there's a lot to be learned both ways
in that relationship.
So accounting and finance has an underlying need
to have a deep knowledge and understanding
of risk management.
And if you think about what cybersecurity is,
it's nothing but risk management.
So the overlap there was a super pleasant surprise for me
when I joined the organization.
And then personally, I think that,
plus the fact that in my career,
I had had so many opportunities as a business leader
to be involved as a sponsor
and at different times very hands-on
in the execution of tech projects.
So that sort of, and I always, like my whole career was really interested in talking to
network security people, although they didn't call themselves network security. They were just the IT
guys and they were guys. Yeah. And they were all about the network and they'd draw the pictures on
the wall and they'd explain what firewalls were to me. And this was like early days for me. And it left a lasting
impression that is serving me well today. But when I think about the profession, there's a couple
areas that some of what I learned when working with accountants is actually serving me really well here with
cybersecurity. So one is just thinking about the professionals. And in accounting, we had a
workforce gap, nothing on the scale like we have in cybersecurity. But that challenged us about a
decade or so ago to really think, how do we think differently about who we hire and how can
we challenge our traditional beliefs that we need to have people who have technical accounting
skills and really think about what are the core competencies that make someone a good accountant?
Well, guess what? They're problem solvers and analytical thinkers and critical thinkers.
They have a commitment to lifelong learning. We need them.
We may not have historically needed them to, but now today, we need them to be good communicators.
They need to, in writing and in verbal communications, they need to be great. And gosh,
that sounds really similar to what we need in cybersecurity. So I think that is a pleasant area of overlap that
we can leverage. The other thing, because we're here today at Secure DC for ISC2,
we just had a speaker downstairs and the room started talking about the disparity of standards in cybersecurity. And that really struck a chord with me because,
you know, ISC2, we're 35 years old in 2024. This is a new profession. We haven't been around for
150 years. So we're early days and we are seeing a tidal wave of regulation coming to the profession, and professionals are overwhelmed because they want to be in compliance with regulation, but they also need to do the work of cyber defense.
And you can't really do both most of the time, so there are tradeoffs.
So we really have some opportunity to talk about setting global standards in cybersecurity and really harmonizing.
And it has to be global
because the work of cybersecurity professionals is global.
And I think because the accounting profession
has been around for decades,
this will be my last accounting analogy,
but they learned for that,
but it took them 125 years to figure it out.
We can do it much earlier.
We can now start having the conversation about how do we harmonize?
How do we harmonize across the globe?
How do we harmonize within agencies in the U.S.?
And that can create a real important opportunity to strengthen the security posture of our whole ecosystem.
Yeah. I mean, it always has struck me,
being in the cybersecurity industry for as long as I've been in there,
we are an industry of professionals, but we haven't professionalized.
Yeah.
And what I think you're describing is this concept of like professionalization,
you know, and those standards are part of it.
Yeah. So we have, we like kind of look at the,
I don't know, I get a little confused about the number of the legs on the stool, but we have the certification piece, right, that has exam, education, experience, and ethics.
But I'm going to come back to ethics.
We need the standardization and the standards that we're holding people to.
And I think the other thing, and this is actually one of our work projects for 2024, is we need a standardized code of professional conduct or ethics in the profession.
So we've been starting to talk to government stakeholders, the other certifying bodies, about let's put together that framework for what does a code of professional conduct look like?
What are the standards we all need to be held to?
And in a profession where in certain parts of the world,
it's more lucrative to go work for the bad actors than it is to work for businesses and government.
It's really important that we take that step
and focus on that professionalization.
I would think it's also pretty helpful
for recruiting other people to
even progress in the field. Because I know one area that a lot of cybersecurity leaders are
really nervous about right now are the recent SEC charges against SolarWinds and then who's
taking that personally and kind of what happened with Uber. So there is some accountability that's coming into the profession. And we need to create clarity about what's okay and what's not okay.
I think the other thing that we need to be looking at is, I was actually really surprised.
I feel a little naive about this, but I was really surprised to learn because ever since I've been in an executive role in an organization, I have been covered by the D&O insurance of that organization. So work I do on behalf of the organization is covered by
the insurance. CISOs aren't always included in that. And that was actually pretty stunning to
me that they're not. And so I think that we can do something as a 600,000-plus professional organization to talk to businesses, talk to
the insurance companies, and talk about, wait a second, we need to have the same protections
for our cyber leaders as you are giving to other leaders in the organizations. Now,
that doesn't absolve anybody if they participate in criminal activity.
But yeah, good point.
But it wouldn't do that for any other executive.
It wouldn't do that for anybody either.
Yeah, exactly.
Right.
So switching back to kind of the meat of the topic,
ISC2 is known for putting out
its annual cybersecurity workforce study.
And the most recent came out in early November
of 2023. Would you mind sharing some key takeaways or themes that you saw from this most recent study?
Okay. As usual, it's a good news, bad news scenario, which is really ultimately good news.
So the workforce grew. It grew 8.7% to 5.5 million professionals.
We count fractional people in cybersecurity as part of the workforce.
And because it is really illustrative of what the cybersecurity workforce looks like.
So anybody who spends more than 25% of their time on cyber roles, we include as part of the workforce.
So 5.5 million, we grew the supply,
always good news. We've patted ourselves on the back. But at the same time, the demand grew even
more. So our unfilled roles in cybersecurity now globally are around 4 million, which is huge. It
was about a 12 point something percent increase year over year. And while that's worrisome, I actually think it's positive, too, because what that tells me, because this is demand for unfilled roles, is that organizations are prioritizing cyber professionals on their team, which is they understand the value of cybersecurity professionals in the workforce.
So that was kind of the top level.
It's about the same all over the globe.
APAC has the highest gap.
It's well over 2 million unfilled roles, which again, you could turn that to say they have
the greatest awareness of the value of cybersecurity within the business.
But some of the other things that came out that I thought were interesting,
maybe not surprising, but like uniformly interesting, is 75% of all the respondents
said threat landscape's the worst they've seen in the past five years. This year, we dug into
the difference between people and skills. And so not just do you have a gap in your workforce,
but do you have a skills gap?
And perhaps it has really shown a spotlight
on the fact that we need to be paying more attention
to the skills gap
because 92% of organizations are saying
they have skills gaps in one or more areas.
And a significant number of professionals are saying,
if we could address the skills gap in our organization, it would lessen the impact of
the workforce gap. So I think that really points to thinking about what are the skills we need?
How do we take the time? And that's the hard part, right? You're a cyber professional,
you know this. That's the hard part. How do we take the time to develop the skills that we
deem essential to our organization so that we can really address our security posture?
And in some cases, take the time to identify which skills are required for the roles that we need.
There's kind of an inventory analysis that has to happen before you even take the time to mitigate it by
giving people training or whatever you're going to do to develop them. Are you finding also just
in this unique economic environment, the market's doing okay, but companies are behaving like, you know, costs are kind of constrained. And so the first
things that often get cut are development budgets. I'm just curious if you're seeing that too.
So, yes, which then makes me say we're hearing two different things, right? We're hearing two
different things. So we actually did research early in 2023 where
the C-suite said, we understand the value of cybersecurity professionals. We know that our
risk is worse during times of economic instability. Last people we'd ever cut from our teams are
cybersecurity professionals. So we were cautiously optimistic. But what we found is that 47% of cyber professionals in the past year have dealt with cutbacks to their team, either in the form of layoffs, budget cuts, or hiring or promotion freezes.
that the risk of malicious insider,
and this was some of the interesting stuff that we found in this report too,
are far greater during these times of economic pressure.
And it's actually like a stable time versus times like now.
It's like the threat of malicious insiders
are three times worse than they are during normal times.
In fact, we had more than 50% of the respondents say
that they have either first or second hand exposure to a malicious insider event in the past year,
and that over 40% are saying they've actually been approached to be the malicious insider.
And that, I think the cybersecurity profession knows and
understands the risk of malicious insiders. I think there's a lot of education we can do
in the business community of helping them understand the risks that they're creating
to their organization when indiscriminate cuts are made to teams. What is ISC2 doing when it comes to educating at the executive level?
Is that something you all are getting involved with now as that mission is expanding?
It is.
So we're looking at it from two angles.
So our first angle is to work with cyber professionals themselves and help them think about what they do in terms of how a business runs itself. So talking about cyber in terms of how is it supporting the organization's strategic priorities
or what risks may be presented to the organization's strategic priorities
based on what they do or don't do related to cybersecurity.
So we're working on that.
We've started to run Cyber Leader Workshops this fall,
and we're going to start to ramp that up into next year. So that's one way we're tackling it. We are also tackling it with business leaders through more generalized outreach of how we talk to the media, how we talk to groups that represent business leaders and boards of directors about what they need to know about cyber literacy.
We actually endorsed a report by NightDragon and Diligent.
NightDragon and Diligent.
Sorry about that pause there.
But that actually looked at the cyber literacy of public company boards of directors in the U.S.
And it found that only 12% of directors have any level, any reasonable level of cyber literacy.
So board directors in the U.S. are woefully unprepared to consider an organization's cyber risk.
And that's in public companies.
So just imagine what it is in private companies.
And then the third thing we're doing is,
as we are scanning the horizon on global regulation,
we're trying to look at it through that lens as well
of what are the decisions that businesses are making.
And I think one of the,
what I think we see and hear governments talking about
is being kind of business friendly. We're going to share best practices with you. We're going to
suggest what frameworks you should be following. I'm not sure as business friendly as they make
them out to be because we're allowing businesses to kind of shoot themselves in the foot, so to speak, and make bad decisions that are putting them at risk.
If they're part of critical national infrastructure and practically what's not, right, you're putting
the whole nation at risk. So it's a really interesting situation. And I think there is a
ton of work to do. We were just in a room where somebody said, you know, the business leaders in my sector, they're really smart. They make
thoughtful decisions. And then he said, but time and time again, they're not prioritizing the
cybersecurity risks within their businesses. So I have to ask, are they really making thoughtful
decisions? Do they really understand what they're deciding on? Right. Well, there's that old adage
now that every company is a tech company. Yeah. I mean, what company is it? You know, you could be
driving FedEx trucks and those trucks are loaded with sensors. They know every single location
they're at when they're happening. Like, you don't think that's connected to the internet?
How are you not running a tech company? Yeah. Exactly, exactly. Well, you know, full disclosure, we've been a partner of ISC2 for a long time.
But one thing that is so exciting to me is
it seems like your mission's really expanded
over the last few years
and you were just taking on so much more.
Everyone knows ISC2 is the CISSP.
We are CISSP.
And what you're describing is so much more
as we think about that road to professionalization.
Has that been, if I'm reading in between the lines here, has that been part of your charter as you've been thinking about reshaping the organization?
Yeah, working with our board of directors, that is absolutely intentional.
So I would liken it to, you know, we're talking about professionalizing the sector and part of that is professionalizing the professional bodies.
So we really and our peers acted like training organizations to some degree.
We push people to be certified and we certify people.
And that has done that.
The work of ISC2 and the other certification bodies has done more
to build the cybersecurity workforce than anything else across the globe.
So that has great value, and we're still totally committed to that.
So that part I always want to be clear about.
But the reality is our members, the cybersecurity profession, needs representation.
They need people out there advocating with regulators, policymakers on
what makes sense and what doesn't make sense. Because everyone goes generally to make policy
with good intentions, but they don't really understand the impact of the decisions they're
making unless somebody who has that expertise can come and let me explain to you why maybe
reporting a cyber, every cyber incident within 24 hours of it happening actually doesn't make
any sense at all, right? And so part of what we can do is we can help speak for the collective.
We can give voice to the individuals in ways that they aren't going to be able to do for themselves.
And so absolutely intentional on that advocacy front for the profession.
The other thing that we've really expanded greatly and will continue to do into the future
is once someone is certified, rather than just automatically saying, okay, earn your
next certification, really focus on what are the areas of professional development that
you need most and how can we help you do that.
So you can imagine in the virtual halls of ISC2, we are talking a lot about third-party supply chain risks.
We're talking about AI security and the safe and ethical use of AI.
We're talking about OT/IT, industrial controls, you name it. We're talking about all
those things and talking about how do we help people effectively and rapidly make sense of
what's going on so that they can do their jobs better and faster and easier. Well, on that point,
I know a part of that is also addressing diversity and inclusion, and that's
a priority for ISC2 as well. How are you approaching those particular issues in the
cybersecurity community and what initiatives are in place now to promote diversity?
All right. Well, so we kicked off a DEI initiative three years ago when I first joined,
and we brought a group together globally to say,
what's the landscape look like here and what do we need to do? And the data is super clear.
The people, we bring diverse individuals in and they don't stay. And it's the worst with women,
right? We bring women in and they don't stay in cyber and we need to change that. We need to
understand what the root causes of that. So our approach has been, first and foremost,
that we're not going in alone on this. So there are so many wonderful nonprofits all across the
globe that are focused on helping different kinds of diverse or underrepresented groups
enter the cybersecurity profession. So some of them are racially based,
ethnically based, gender based, neurodiversity based, but there's tons of organizations. So we
are partnering with them to understand what we can do to help people be successful. And one of the
things that we found out, and we held a global DEI summit in Washington, D.C. last summer to bring
that group together and talk about
what can we do that's most important. And where we landed was sort of a two-way path on employability.
How do we, for individuals beyond our certified in cybersecurity, how do we help provide them with the tools and the confidence they need to consider a job in cyber, to interview for a job, to create that resume, to successfully onboard in a job?
And especially when you might be onboarding in an organization where you don't see a whole lot of people like you there?
And then how do you help them just navigate the workplace in a way where they feel included and they belong and that's somewhere where they want to stay? So, a whole bunch of
work starting in that area. And there's a lot going on there. We just want to amplify and scale that.
And we now need to also address the employer side of the equation. And I bet you have a story as you could tell me.
So many. When we talk about hiring differently. So let's talk about that. How's that mean you change your job descriptions?
How's that mean you change,
how do you change how you filter for who you interview?
How might that even change how you interview
and consider who's a qualified candidate for a job?
And then from there, once we get people hired,
what are the best onboarding practices?
How do you create an inclusive environment where everybody's voice is heard? Because that little thing, and it's not a little thing, that is one, it's a key to great problem solving in organizations that are dealing with dynamic challenges, but it's also one of the number one indicators of job satisfaction for cybersecurity professionals that make them want to stay at an organization is when they feel like they're being listened to.
And so we're going to work on the employer side with all those things.
We're going to talk about pay equity with people.
We're going to talk about their advancement practices and how to do it.
And then we're going to start to spotlight the organizations that are doing it well. We don't have an actual
name for it yet, but just imagine ISC2 Cybersecurity Employer of Choice. And we already know that
organizations that in their job postings talk about their diversity, equity, inclusion programs are viewed more favorably than those organizations that don't have that. So we think if we add this
other level, those employers will be the employers that people are beating down their door for.
Everyone always wants to keep up with the person next to them. So that's a brilliant idea. I love
it. Yeah. I got to tell you one more thing. I got to tell you one more thing. We now actually have
data that shows that organizations that have DEI programs in place have better security postures
than those that do not. Interesting.
So 19% of organizations that have DEI programs in place report that they're at moderate to severe risk,
as opposed to 34% of organizations
that either have no DEI programs at all
or any plans to have them ever in the future.
So I think that that's really interesting because some people, when you talk about DEI,
it's like they think they are being sent to the principal's office. And it's like,
this isn't about sending you to the principal's office. This is just about making you better,
all of us better at what we do.
What's your hypothesis on that? I have a couple I could come up with, but what's yours?
Well, I want to hear what yours are too.
Mine would be that if you have a DEI program in place that you've set a cultural expectation that you're looking for diversity of thought, experiences, and backgrounds. And so as a result, if you're making the effort to kind of put the program in place,
then you're doing a little more than just talking the talk.
And so even if it's not entirely formalized,
it's created a culture or at least the start of a culture
where you could hire people who have different diversity of thought.
And that makes, I believe that that actually ultimately reduces our risk in a security world.
Absolutely. I agree with you completely because I think what it does is it creates that,
if you're already doing that, it's not just a checkbox activity.
You are already thinking in ways that create like that sense of inclusion and belonging in the organization, which also hopefully means that you're also taking care of the people
on your team so that you're not burning them out and you're engaging in some of those best practices
of job or project rotation. So, okay, we all got to be 24-7 for periods of time, but we don't need to be 365 days a year. So I think so. And I do think
I absolutely see a strong willingness across the profession to head in this direction. And this
goes back to, we want to do it. Help us on how we do it. We know there are resisters and there are really vocal resisters,
but they are absolutely positively the minority in the profession, not the majority.
Most people are very inclusive.
I actually have been really impressed, you know,
moving from working with a different profession before to coming to cybersecurity
at how much cyber professionals
want to help bring along the next generation of cyber professionals.
So I think we're ripe for change here.
That's N2K President Simone Petrella with ISC2 CEO Clar Rosso. Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.