Careers & People

Simone Petrella

Cybersecurity Bounces Back, but Talent Still Absent

While the demand for cybersecurity talent rebounds, organizations will need to focus on cyber-enabled roles to fill immediate skills gaps.

Leave it to a global pandemic to disrupt industries many of us have assumed to be stalwart. Companies fortunate enough not to traffic in hard goods are realizing they can survive (and cut significant costs) by moving to work-from-home workforces. This shift, with an estimated 62% of the workforce now working from home, demonstrates the increased need to hire the cybersecurity personnel required to manage these new business models. At first, this sounds great for the resilience of the cybersecurity sector, but it means the already existing skills shortage for security professionals is about to get a lot worse.


The result is that the lines between what have been considered "pure" cybersecurity roles and, well, everything else are becoming blurred. A recent (ISC)² survey shows that many security professionals are being leveraged to support general IT requirements to accommodate different needs for work at home amid the pandemic. That makes sense. Companies need to have the infrastructure in place to support these new remote workers logging in from their home ISPs while also ensuring the security of sensitive data and intellectual property.

Enter the Cyber-Enabled Workforce
According to a Ponemon study, 88% of employees said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Based on this projection, the cyber-enabled workforce within the United States exceeds 75 million personnel, and that number could be significantly larger if it included companies of fewer than 100 employees.

For example, threat hunting is a critical cyber role in many companies. But the number of personnel required is relatively small compared with the other defense and security functions in the organization, and even smaller relative to IT, network, and cloud roles.

The biggest role needs in security teams are, in fact, not what we would traditionally classify as cybersecurity roles — they're cyber-enabled roles. A cyber-enabled employee should have an above-average understanding of cybersecurity, but does not need the breadth and depth of knowledge that a dedicated cybersecurity practitioner has.

Information Technology
The most common cyber-enabled roles are in IT and are relevant to organizations of all sizes, not just limited to large enterprises with mature cybersecurity teams.

  • Network architecture: Designing and deploying a computer network is a traditional IT role that increasingly requires a solid understanding of security to ensure corporate systems are configured securely and reduce the risk of external attacks.

  • Cloud architecture and deployment: The move to the cloud has created a similar role for cloud-based networks, their design, and their security.

  • Identity and access management: Solutions that verify and authenticate users on a network must be deployed in a way that still complies with organizational security requirements and minimizes data loss.

Software Development
Security development and DevSecOps have been reigning buzzwords for a few years. Whether you believe that developers need to acquire security experience or security practitioners need to learn to write code, most organizations have made a direct effort to infuse cybersecurity best practices into each stage of the software development life cycle (SDLC), rather than after the finished product is released.

  • Application software developers: Computer and mobile applications are used by corporate and individual consumers for all kinds of things (cars, video games, online shopping, social media, you name it). Not only does that mean an application developer needs to understand users' needs to design and write the code to create a solution, but also to do so securely to minimize the risk of data or code within the application being stolen or hijacked.

  • Systems software developers: These professionals create operating system-level software, more geared toward designing enterprise solutions (medical, industrial, military, business, etc.). The industry focus of their work makes it imperative that these systems are designed securely to minimize vulnerabilities.

Governance, Risk, and Compliance (GRC)
GRC team members are also considered cyber-enabled based on their need to understand all areas of the organization that could present meaningful risk. In this light, their understanding of cyber-risk needs to go well beyond traditional awareness training.

  • Risk manager: A traditional risk analyst or manager examines a series of activities or initiatives and analyzes the risk involved in the associated decisions. Given that almost every action and activity in business today takes place over a network or technology system, knowledge of cybersecurity is imperative to factor that risk appropriately into the decision-making process.

  • GRC analysts: Policies, processes, and controls are necessary parts of all businesses. Cybersecurity is no exception, and there's growing demand for people with regulatory and business backgrounds to apply that knowledge in the development of security GRC programs.

  • Privacy analysts: Since most organizations store data on computer networks and databases, a privacy analyst needs to understand those systems and applications in addition to business processes and the privacy regulations of specific industries.

Healthcare Professionals and Medical Device Professionals
Healthcare organizations employ large numbers of employees who manage or have access to sensitive data and medical devices on a day-to-day basis. Compared with other industries, such as financial services, healthcare organizations less frequently create discrete cybersecurity positions and are more likely to create cyber-enabled roles.

  • Data security administrators/analysts: Ensuring that information, and in particular protected health information, is properly handled and stored is a priority for healthcare organizations. Preventing data security violations, especially those involving data protected by HIPAA, GDPR, and a growing number of other regulations, is a primary business concern for the healthcare sector.

  • Clinical engineers: As medical devices become increasingly connected (by 2025, it's estimated 68% will be connected to the Internet), there's an even greater need for security given the sensitivity of health data. That isn't a traditional security role: it often falls to the engineers building the devices, although medical device manufacturers have a critical role in cybersecurity as well.

It's About the Skills, Not the Roles
While these lines between security and other jobs are blurred, there's a secondary shift in play (also thanks to COVID-19): Our traditional education model has been turned on its head. Degree programs are costly and are not turning out job-ready graduates. The market, students and employers alike, is now considering faster, more cost-effective, and more efficient ways to align talent to job requirements. And this isn't specific to the private sector. The White House issued an executive order on June 26 that directs the federal government to de-emphasize degree requirements and instead focus on skill, competency, and knowledge.

Companies also need to invest in their workforce strategies and training instead of relying on the external market. It's important to create, tailor, and deliver upskilling solutions to employers based on their unique workforce requirements and roles. That means a need for modular, skill-focused education that allows employees to acquire new knowledge in shorter chunks of time without sacrificing workplace productivity. Once an employer has defined the roles in its own organization, it can be more discriminating in selecting and deploying upskilling strategies.

A skills-based approach provides an efficient way to upskill and prepare for the cyber-enabled jobs of the future (and today) without leaving positions unfilled or waiting for a pipeline of candidates through lengthy degree programs. Skills are transferable from position to position and are cumulative, meaning the workforce of the future will be more likely to have cybersecurity knowledge and abilities despite not being in a cybersecurity position.

Simone is chief executive officer at CyberVista where she leads product development and delivery of cybersecurity training and education curriculums as well as workforce initiatives for executives, cyber practitioners, and continuing education. Previously, Simone was a senior ...

Comments
9/18/2020 | 5:22:22 PM
Interesting commentary
Thank you for sharing, but it is going to take time to move from a degree-based paradigm to a skills-based one. If that is the case, then we might as well hire hackers and bring them in to address some of our "DevSecOps" (not sure why they changed it because DevOps was the start, SecDev is a group in the military and Dev - Development, Sec - Security, Ops - Operations, shouldn't it be SecDevOps since the primary concern is to infuse Security with the already existing Application design framework, but I digress).

Also, there is a thing called morality; having skills without understanding the consequences would be catastrophic for a business (Paige Thompson - Capital One hack). We need people who have a high moral fiber while at the same time being skilled in the IT arena.

In addition, one thing we are leaving out is racism in the IT business sector. Not just white America, but there are a large number of Indian companies who are looking only to place their own people. There have been numerous interviews where the interviewer was looking for a solution instead of hiring a person not from their origin (India). In addition, there have been instances where people from India make calls, ask the person to interview, they interview, do well and nothing comes from it. In the background, they have decided to move someone into a position who makes less money, they ask you to train them and then they move you out because of differences.

The commentary sounds good, but the problem is that we have human traits that go beyond the workplace. Just ask yourself, when you walk into the conference room or lunch room. Look at the people and their likeness, people tend to gravitate to people who look like them, that also translates to the boardroom and in HR. In addition, it is going to take time to change that paradigm, look at Black Lives Matter, this same argument has been going on for years and all they want is to be treated equally and not shot at a police stop.

It is sad, but it happens. I don't think there is a lack of talent, I just think people need to take off their blinders and take a careful look at themselves before making a decision to hire someone who does not look like them.
