Organizations across the globe currently have two main concerns when it comes to cybersecurity: 1) the never-ending and ever-evolving deluge of threats, attacks, intrusions and cyber disasters by any other name, and 2) the immense difficulties faced in hiring, retaining or otherwise employing cybersecurity professionals.
Perhaps it goes without saying, but the first problem tends to feast on the second.
With DDoS attacks, data breaches and other events causing catastrophes that start with crippled systems, gain momentum with bad press and tend to end with class action lawsuits, organizations need creative, quick-thinking and fastidious cybersecurity teams – and there are two main ways they can build them.
A pressing need
Relying on managed security services or out-of-the-box on-premises solutions may have allowed organizations to do just enough in terms of cybersecurity in the past, but things have changed. Cyberassaults have become a big enough business that medium to large enterprises can no longer go without an in-house cybersecurity team or security operations center.
Companies are resorting to underhanded tactics to hurt competitors, disgruntled employees are looking to do damage to their own firms, hacktivist groups are hacking for the attention, and nation states are even getting in on the intrusion action. Threats are everywhere, attackers are more sophisticated than ever, data ranging from financial to customer to intellectual property all commands a price on the online black market, and organizations and businesses are some of the biggest targets of all.
Last year was worse than it’s ever been for the number of records compromised in data breaches – 4.2 billion, and this year is shaping up to be even more dire. It’s hard to assign a damage total to the PR nightmare of a data breach and the resultant loss of customer loyalty, but what isn’t hard to quantify are the millions of dollars being paid out in the class-action lawsuits that stem from these breaches.
In addition to the overwhelming data breach threat, DDoS attacks are at an all-time high, ransomware is poised to cause damages in excess of $5 billion in 2017, and compliance regulations are stricter than ever but causing their own security issues.
So yeah, cybersecurity help wanted.
Building a cybersec team through the traditional hiring process
Typically when an organization needs to fill a position, they post an ad and then sit back while resumes and cover letters roll in, leaving it to a hiring manager to sift through the applicants, find the best few, and put those top contenders through the interview process to find the right fit. It’s a process we all know well.
For organizations that have cybersecurity needs, being able to choose from a pool of qualified and competing candidates is as easy and optimal as it gets. You need a pen tester? Here’s an applicant with a penetration testing certification and great communication skills. Perfect. Moving some of your computing to the cloud? Here’s a certified cloud security specialist with experience in migrating two other similarly sized organizations. Hired.
When organizations are able to fill cybersecurity positions through the traditional hiring process, they are on the fast-track to creating a strong in-house security operations center with people who have the certifications, education and experience necessary to lead an organization in this tumultuous online time.
The key word in the above paragraph is the very first one. When. The organization that has multiple qualified candidates to choose from for a cybersecurity position is a lucky one indeed. There was a global cybersecurity workforce shortage of one million last year, with 350,000 open positions in the United States alone. If an organization is thinking that maybe they can wait out this shortage then hopefully they’re in the position to hold out past 2019, when the shortage is expected to grow to 1.5 million globally.
If an organization is going to succeed at staffing its security operations center through the traditional hiring process, then either it must be an organization people are dying to work for (so… Google), or there’s a good chance the organization is prepared to pay up in what is already a high-paying field. Otherwise, organizations can get used to trying to woo underqualified applicants for the positions that have been sitting open for months.
The takeaway for potential cybersecurity employees
This is a field with an actual 0% unemployment rate. This essentially means that there is a job in cybersecurity for every person qualified to hold a job in the field, which in turn means that if you have cybersecurity certifications or a security-related degree, you’re all but guaranteed a job. Add in some experience and sought-after soft skills and you could be choosing the city you want to live in, the company you want to work for, and the salary and benefits package that appeals to you.
Cybersecurity is the rare field in which potential employees hold plenty of power. If you’ve been thinking about transitioning from IT to cybersecurity, mulling a total career change, or simply spiffing up your resume with a new certification or two, there might never be a better time than in the next few years.
Building a cybersec team by creating from within
Like the mousy girl in a teen movie who takes off her glasses and is suddenly beautiful, it’s possible an organization’s best potential cybersecurity experts have been in the organization all along. Whether out of preference or simple necessity, more and more organizations are eschewing the traditional hiring process to invest in their own employees, providing IT or entry-level cybersecurity employees with professional training opportunities that will allow them to earn cybersecurity certifications and develop into high-level cybersecurity experts, ones who grow to comprise a top-flight in-house security operations center.
Firstly and most obviously, investing in professional training for employees allows organizations to sidestep the cybersecurity hiring frenzy, one in which employers routinely find themselves overpaying for underqualified applicants.
Secondly, according to a Center for Strategic and International Studies report, this is what cybersecurity professionals want. A full 72% of cybersecurity experts and 69% of lower-level cybersecurity employees said it was ‘very important’ to have access to employer-provided training in their jobs. This makes professional training a key component of job satisfaction, which in turn is a key component of employee loyalty. Employee retention is just as important as initial hiring when it comes to the success of a cybersecurity team, especially with organizations resorting to poaching top cybersecurity employees from other firms.
Thirdly, it isn’t all about having the right professionals in place and keeping them happy. Investing in professional training will help cybersecurity employees stay at the forefront of the industry, keeping up with all new developments in risks and vulnerabilities as well as prevention, protection and recovery. This makes it an excellent option for cybersecurity professionals at all levels, not just lower-level employees who need to be developed into experts. Happy, loyal employees armed with the most current knowledge are what create the strongest possible organizational security, full stop.
Long-term, this is a fantastic way to build a strong and loyal cybersecurity team that is always at the forefront of emerging technologies, risks, and mitigation and protection strategies. However, this is not the quick fix route. If an organization needs advanced cybersecurity specialists in place immediately to dam up vulnerabilities without another business day ticking down, investing in training opportunities for current employees is not the band-aid solution said organization requires. If this is the situation an organization is facing, the solution is money, money and probably more money.
(It’s worth noting that paying for managed security services or cybersecurity consultants while current employees undertake necessary training could be a stopgap option.)
The takeaway for potential cybersecurity employees
You don’t have to have an endless list of certifications or years and years of experience to get yourself into an advantageous position within an organization. If you’re willing to work hard and commit to a few years in an organization’s security operations center, you could set yourself up with not only a high-paying job, but free professional training that will earn you even loftier cybersecurity positions and higher salaries in the future. In this age of cybersec hiring struggle, loyalty to an organization could pay off more handsomely than you may have ever dared dream, and it could all begin with little more than an IT expert certification and one or two entry-level cybersecurity certifications.
A hybrid approach
The reality for most organizations is that they now require a strong in-house cybersecurity team, and to build one they’re going to have to use a combination of both of the above approaches. But a mix of already qualified, experienced experts as well as employees that are undertaking training and learning on the job might be the best possible solution anyway. The one that will best keep the problem of the never-ending and ever-evolving deluge of threats, attacks, intrusions and cyber disasters by any other name from making a meal of an organization, at any rate.