There Is No Cybersecurity Skills Gap, but CISOs Must Think Creatively

Lamont Orange
April 26, 2021

The Cybersecurity Skills Gap: A Question of Perspective

For years, frequent readers of technology and business news have encountered discussions regarding the purported cybersecurity skills gap. Numerous reports suggest a significant number of positions remain vacant due to a scarcity of suitably qualified applicants.

However, this assertion is debatable.

Fundamental economic principles dictate that a workforce will consistently adapt to opportunities in lucrative fields like security. The core issue isn't a lack of potential candidates, but rather the narrow criteria employed by Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) during the recruitment process.

The Problem with Rigid Requirements

Often, hiring managers prioritize candidates who demonstrate comprehensive proficiency in the precise technologies currently deployed within their organization. This approach not only restricts the pool of viable applicants but also limits the breadth of perspectives within security teams.

Ultimately, this can compromise both the organization’s security posture and the potential for talent development.

Netskope’s Alternative Staffing Strategy

At Netskope, we’ve adopted a distinct methodology for building our security teams. We firmly believe that the necessary cybersecurity skills can be effectively taught.

Consequently, we prioritize two key attributes over specific technical expertise:

  • A demonstrable eagerness to expand knowledge in the security domain, indicating a proactive approach to continuous skill enhancement.
  • Possession of a unique skillset not currently represented within our existing security personnel.

By focusing on these qualities, we aim to cultivate a more diverse and resilient security workforce.

This approach allows us to build teams capable of adapting to evolving threats and fostering innovation in cybersecurity.

The Illusion of a Security Talent Shortage Due to Overvalued Technical Skills

Our success in building a robust security team stems from a different hiring philosophy. Consider the lasting value of recruiting individuals based on a precise security skillset – how pertinent will that expertise be in the coming years?

The rapid evolution of even fundamental security technologies is a key factor. A significant shift is underway within most organizations, moving IT infrastructure from traditional on-premises setups to cloud-based environments. This necessitates that security teams acquire new skills.

This transition demands more than just learning new technologies; it requires a fundamental change in perspective. The focus is shifting from safeguarding physical hardware to protecting users and applications as workloads migrate beyond the confines of the corporate network.

While some security professionals struggle with this evolution, others embrace it. However, the technical proficiencies that initially secured their positions are rapidly diminishing in relevance as they adapt to this new landscape.

Chief Information Security Officers (CISOs) who prioritize specific technical skills in candidates and lament the lack of qualified applicants are, in effect, exacerbating the perceived “skills gap.” This restrictive hiring approach ultimately proves detrimental to their long-term security posture.

A broader skillset is more valuable than hyper-specialization in a quickly evolving field.

The Changing Nature of Security Work

The demands placed on security teams are constantly changing. A focus on adaptability and continuous learning is paramount.

  • The move to the cloud requires new security paradigms.
  • Protecting data and applications, not just infrastructure, is now critical.
  • A proactive, rather than reactive, security mindset is essential.

Investing in individuals who demonstrate a capacity for learning and problem-solving will yield greater returns than seeking candidates with a narrow set of technical skills.

Expanding Cybersecurity Capabilities: The Value of Diverse Expertise

Conventional wisdom often prioritizes extensive technical backgrounds when building cybersecurity teams. However, a more effective strategy involves evaluating candidates with limited direct security experience.

Consider, for instance, situations where project management or core business units are facing operational challenges. Individuals within these teams, possessing an in-depth grasp of the organization’s operations, may be eager to acquire new skills.

While their skillsets may not perfectly align with typical security job descriptions, they can introduce fresh perspectives that enhance the overall effectiveness of the cybersecurity team.

Cybersecurity as a Holistic Business Challenge

It’s crucial to recognize that cybersecurity isn't solely a technical issue confined to diagrams and technical specifications. It represents a broader business concern demanding consistent dialogue with executive leadership, stakeholders, and the board of directors.

This reality explains why even some Chief Information Security Officers (CISOs) may not possess extensive technical histories. A well-crafted security policy is ineffective if employees across all organizational levels aren’t persuaded to adhere to it.

The Benefits of Non-Traditional Roles

The inclusion of professionals from diverse backgrounds can significantly strengthen a security function. For example, individuals with marketing expertise can dramatically improve the communication of security principles to non-technical audiences.

Integrating this unconventional viewpoint into the security team can substantially increase compliance with security controls throughout the company.

Similarly, business and financial analysts can contribute valuable skills to a security staff. Their experience in scenario planning and risk modeling can heighten awareness of the potential consequences of various actions.

This broadened perspective enriches the security approach and its overall effectiveness. Such hires can offer insights into critical questions like: “What level of disruption will implementing change X cause for our users?” and “Will strategy Y genuinely enhance data protection, or will it introduce vulnerabilities through altered user behavior?”

  • Strategic Thinking: Analysts can model potential impacts.
  • User Experience: Assessing friction points is vital.
  • Holistic View: Considering both security and usability.

Essential Qualities to Consider During Recruitment

At Netskope, a primary focus for our security recruitment efforts is the enhancement of our team’s collective skillset diversity. Managers prioritize applicants who possess a strong grasp of the factors influencing our business operations and whose expertise extends beyond the realm of cybersecurity to complement our current capabilities.

We seek individuals capable of framing cybersecurity issues in terms of viable business resolutions. A genuine interest in security is, of course, fundamental.

For candidates with backgrounds in marketing or business, we inquire about their personal technological pursuits. What operating systems and applications are utilized on their personal devices? Have they proactively acquired technical skills independently – perhaps by developing a script to streamline personal tasks?

Demonstrated initiative in tackling technological challenges outside of one’s primary field is highly valued. Individuals who exhibit this level of engagement with cybersecurity are readily trainable in the specific technologies required for their role.

This broadened approach to cybersecurity hiring fosters greater team diversity. We actively seek variation not only in technical skills but also in age ranges and demographic representation.

A team composed of individuals with diverse talents and backgrounds will approach security challenges from a wider spectrum of viewpoints than a homogeneous group. Diversity is a central tenet throughout Netskope, ingrained from the executive level to all operational teams.

We firmly believe that inclusivity, embracing a broad range of perspectives, is crucial for our sustained success and organizational resilience.

The Link Between Diversity and Digital Transformation

Ultimately, cultivating diversity represents a culminating stage in the process of digital transformation. Numerous security teams are currently navigating the complexities of adapting their security controls to align with evolving organizational structures.

Their prospects for successfully completing this transition and safeguarding cloud-based resources are significantly improved by simultaneously transforming the composition of the security team itself.