Ever since the onset of the COVID-19 pandemic, organizations worldwide have witnessed a significant increase in their employee turnover irrespective of the industries they operate in. This has been called the Great Resignation or the Great Reshuffle. This has been attributed to several reasons such as employee burnout, wage stagnation, rising cost of living and the need for growth in career opportunities. This exodus of talent will have a long-lasting effect on organizational culture, employee expectations, work environment and, most importantly, the cybersecurity posture of organizations.
The current times are indeed challenging for the cybersecurity industry, which was already plagued by a shortage of skilled workers before the pandemic. As the cybersecurity industry struggles to cope with talent shortages and an increase in cyberattacks in the last few years, especially during the pandemic, the aftereffects of the great reshuffle have widened the already existing skills gap. According to a recent (ISC)² study, the global shortage of talented cybersecurity workers is reported to be at 2.7 million positions. With the emerging technology trends and industry threat landscape, the dearth of qualified cybersecurity professionals only puts organizations at a greater risk of security breaches.
The challenge most organizations currently face is recruitment of talented cybersecurity professionals and sufficient security budget to hire and train the talent for handling security issues within the organization. This has raised concerns around how organizations view and evaluate their cybersecurity preparedness and how often leaders struggle to answer the question “How secure are we?”
While organizations shift to remote working in the post-pandemic new normal, coupled with the shortage in the cybersecurity workforce, there is an increased risk of insider threats looming around the corner. Lack of appropriate security controls on endpoints, systems, network infrastructure, processes and individuals working remotely can expose organizations to cyberthreats such as ransomware, resulting in intellectual property theft and customer data loss, and causing damage to organizational reputation.
Organizations across industries need a strategic approach to manage their cybersecurity workforce to optimally utilize them to drive security initiatives and improve overall security posture. Some effective talent transformation strategies that security leaders can implement to build a resilient cybersecurity workforce and enhance the overall cybersecurity program effectiveness include:
- Invest in a strong security culture—A sustainable, high-performing security organization thrives on the underlying culture and ethos of security practitioners. Security leaders have the unenviable responsibility of carefully and continuously orchestrating a healthy culture that enables their employees to build trust, understand their security responsibilities and receive continual feedback on their performance. Adapting work practices to the evolving needs of the professionals, providing work flexibility to employees and accommodating a safe environment to fail and learn are important aspects of a healthy security culture.
- Implement a vision and growth mindset—A cybersecurity workforce with a growth mindset sees challenges as opportunities to grow, learn and become more resilient and adaptable. The hybrid work environment prevalent today needs security employees working toward a common goal that is aligned with broader organizational objectives. It is the responsibility of security leaders to set the tone at the top and communicate frequently and effectively with their teams on the vision and purpose of the organization’s security functions to the broader business and the value that security unlocks for the business to rapidly scale and expand.
- Continually upskill and reskill talent—Key factors that help build a resilient environment are enhancing cybersecurity skills through training programs, sponsoring certifications and providing incentives for reskilling required for complementary security capabilities. Another approach to reduce the workforce skills gap is to create better role clarity for the cyber workforce by leveraging industry-accepted frameworks such as the National Initiative for Cybersecurity Education (NICE) Framework for defining cybersecurity roles and establishing the responsibilities.
- Embrace the hybrid working model—Security leaders should train their managers to lead and manage teams in this new hybrid working model and educate the cybersecurity staff to deal with the impact on security investments, workforce restructuring and work backlog to meet business requirements. Organizations should build a stronger workforce by augmenting their internal capacity with external security vendors and managed security service providers (MSSPs) where required. Managed services can take the form of outsourcing or co-sourcing models, which can be quick and effective ways to overcome these challenges.
- Automate cybersecurity capabilities and processes—Lack of appropriate tools and systems in place will not only burden the workforce with heightened security responsibilities but also result in increased attrition. To bridge the talent gap, security leaders should consider investing in emerging technologies such as artificial intelligence (AI), machine learning (ML), analytics and robotic process automation (RPA) to automate their security processes and functions, thereby empowering teams and increasing the efficiency of their routine day-to-day operations.
Organizations should re-evaluate and transform their cybersecurity recruitment and retention strategies to prevent valued and skilled employees from leaving. They should implement plans to minimize the effects of turnover and the threats posed by insiders and (re)build a resilient workforce. Security leaders leveraging these strategies can reduce the impact of the great reshuffle on the cybersecurity workforce shortage and further improve the overall cybersecurity posture.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “Building Resilient Security in the Age of the Great Reshuffle,” ISACA Journal, volume 5 2022.