Why Hiring More Staff Won’t Solve the Cybersecurity Skills Shortage


“Businesses should prioritize retaining their cybersecurity talent, and investing in their security operations. Those that prepare and invest now, will be in a much better position to combat an evolving threat landscape that is fast becoming more complicated,” Says Ian McShane, VP Strategy at Arctic Wolf in an exclusive interview with EnterpriseTalk.

ET Bureau: The cybersecurity industry is crucial to the maintenance of critical infrastructure worldwide. How much of a demand is there in the industry for a larger workforce? Is there really a talent shortage?
Ian McShane: The discussions about the talent shortage can seem alarming and understandably leave many business leaders concerned about the future, and of course their organization.
The significant shortfall in new intakes, coupled with discontent amongst those working in the industry is unsustainable, but I do believe there are solutions. The key to finding these will be for the leadership team across IT and HR departments to work together to not only advertise (and run) their company in a way that attracts keen new hires, but also to maintain and increase the skills and knowledge for existing employees.
Businesses need to ensure all staff have access to the right training to prepare them for what’s coming in the months and years ahead, especially when cyber-threats are occurring quite regularly. This means building a culture of trust and empowerment, where employees feel comfortable reporting security-related incidents or mistakes to IT.
Also Read: Five Ways to Build Ethics and Trust in AI
Perhaps most important of all, teams must be prepared to help avoid burn-out and try to avoid the feeling of “owners vs staff”. The 24/7 nature of information security cannot be sustained by a handful of people being expected to work around the clock, and with staff sharing their experience on sites like GlassDoor, LinkedIn, and Reddit, a company’s reputation for overworking and undercaring are red flags that can be found instantly with a quick search.
ET Bureau: Do you believe that hiring more staff is the best way for companies to address the cybersecurity talent shortage?
Ian McShane: It is far more crucial for businesses to consider how they retain their staff and invest in their security operations to ensure the problem doesn’t worsen.
Often, the answer is not as simple as hiring more people. While this can be beneficial if the people are suited for the job, at a time when we’re facing this unprecedented talent shortage, the time and money spent by a business on hiring new employees can be used more effectively to bolster their security infrastructure.
Ultimately, it can be better to have a smaller group of well-trained IT professionals that know your business inside-out, rather than a disparate larger group of new employees or contractors that aren’t equipped with the right skills, and still coming to grips with understanding their new job and the business as a whole.
ET Bureau: Filling the IT talent gap will need a concerted and long-term effort — better education and increased accessibility are critical. However, how can leaders better manage their tech stack with minimal manpower in the short term?
Ian McShane: Businesses should prioritize retaining their cybersecurity talent, and investing in their security operations.
Leaders need to ensure their enrollment involves training and certification opportunities for all types of employees, to prepare them for any potential threats and attacks in the future. Businesses can then supplement these team skills with the technology and expertise of a suitable security partner to get the balance right.
Also Read: How Automation and Digital Transformation Go Hand in Hand
These multiplier forces working together can have a positive effect on an organization’s overall security posture, enabling staff to handle strategic initiatives and key priorities effectively. Those that prepare and invest now, will be in a much better position to combat an evolving threat landscape that is fast becoming more complicated.
ET Bureau: How can diversifying the cybersecurity team help in addressing the cyber-skills gap?
Ian McShane: Tech vendors aren’t making their lives easy when it comes to their hiring criteria; using words like “cutting-edge,” “rock star” and “unicorn” in their job descriptions just gives the impression of a closed, exclusive cybersecurity club, when actually we’re in times when we desperately need fresh, diverse talent. Organizations must start reframing their expectations of who can fill roles, and analyze what skills are actually required for grappling with a threat landscape that is radically changing.
The location of your recruitment could also make a difference to boost talent. With less need for workers to be based in London, tech firms can easily look further afield and take advantage of diverse talent clusters quickly establishing in other areas of the country as the UK economy continues its recovery. For example, my company opted to open our EMEA headquarters in Newcastle, capitalizing on the incredible talent pool that has developed outside of London.  Remote work from anywhere roles are no longer considered a benefit, they are becoming the baseline requirement for workers in information security.
ET Bureau: Is AI the silver bullet for the cybersecurity skills shortage? What role do AI and automation play in resolving the problem?
Ian McShane: In the hype-fueled cybersecurity sector, it can often be forgotten that the threat landscape cannot be dealt with by just technology alone. People and processes still have a huge role to play and we need to move to a position where the two are working together. It shouldn’t be an either-or decision.
I absolutely believe AI and automation have and will continue to have a critical role in keeping companies safe but I don’t think it’s the silver bullet for the skills shortage. They will play a part, and likely streamline processes, but they will not take over.
It isn’t an industry that will be replaced by AI anytime soon and the human element is critical to getting cybersecurity right. If you don’t measure it, it’s not managed. If you lack the talent, whether through lack of investment or availability, ultimately you’re playing security by chance instead of security by choice. You’re hoping luck will prevail. Nobody wants to experience the huge cost and inconvenience of a ransomware attack.
The human element is the most critical way to getting cybersecurity right, and combining AI, technology, and people is the best way to go.
[vc_column][vc_tta_tour][vc_tta_section title=”Ian McShane” tab_id=”1602598322051-0408cb00-0e1c”][vc_column_text]
Ian has over 20 years of experience in cybersecurity and operational IT and as a former Gartner analyst, has advised the largest and fastest-growing technology companies as well as tens of thousands of organizations worldwide. He is well known as a trusted advisor and popular commentator in the cyber/InfoSec industry, and before joining Arctic Wolf Ian spent time at Symantec, Gartner, Endgame, Elastic, and CrowdStrike.