5 Ways Skills Planning Helps To Avoid a Cybersecurity Catastrophe
Knowing what skills you have, and which you need, can help keep critical cybersecurity roles filled so companies aren't left exposed. Learn more in this article.
For leaders who are considering across-the-board downsizing amidst recession fears, the impact of Twitter’s deep cuts should serve as a cautionary tale.
After conducting widespread layoffs, the company was left with only one engineer to manage an important API project. A major service outage ensued, generating a litany of user complaints.
Indeed, avoiding cuts to business-critical positions is essential, and this is particularly true within the domain of cybersecurity, where there is a massive talent shortage: according to Cybersecurity Ventures, between 2013 and 2021, the number of unfilled cybersecurity jobs grew by 350 percent.
It’s a sobering statistic, especially in light of findings from a 2023 Global Cybersecurity Outlook report by the World Economic Forum and Accenture:
93% of cyber leaders believe that a catastrophic cyber event is likely to happen within the next two years resulting from worldwide geopolitical instability.
New types of threats are always emerging: The Russia-Ukraine war brought cyberattacks to another level. Remote work arrangements and rapid digital transformations have also given cybercriminals more opportunities to exploit vulnerabilities. According to Check Point Research, global cyberattacks increased by 38% in 2022.
Identity theft, cyber extortion, data leaks, and critical infrastructure breakdown—these are all concerns that are top of mind for business and cybersecurity leaders alike.
Cybersecurity Ventures predicts that the global annual cost of cybercrime will reach $8 trillion in 2023. According to IBM, in 2022, the average cost of a data breach in the U.S. was $9.44 million, and the average cost of a ransomware attack was $4.54 million. Cyberattacks also represent many indirect and hidden costs, such as insurance premium increases, loss of customer trust, operational disruptions, and higher interest rates, which can all add up to generate significant bottom-line impacts.
To stay safe, businesses need to ensure they keep and develop the right people—there simply isn’t enough expertise in the labor market to support a last-minute hiring surge.
Cybersecurity threats: Employers must rethink who they need to retain
Preserving the right cybersecurity talent, however, is not simply a matter of holding on to people who have titles like information security analyst or application security administrator.
To start, cybersecurity is a field requiring many generalist roles with a broad skill set. A common misperception is that it’s only for deep technical experts, when in reality, cybersecurity spans a number of roles and lines of business.
A banker, for example, understands the vulnerabilities of banking-related operations. “They can bring this wealth of knowledge to cybersecurity operations by gaining the right skill set to build their technological capability,” stated Deepa Seshadri, a partner with Deloitte India, in this ISACA blog post.
Organizations also need people from disciplines such as law, communications, and psychology to detect and avoid cyber attacks.
Equipping certain employees with new skills is a strategy that employers can use to fill a talent gap. For example, Intuit launched a seven-month training program for AI that was popular among data analysts and project managers. The outcome? Previously non-technical employees were able to graduate as level-one engineers.
While a certain amount of advanced technical expertise will always be required, employers stand to benefit from being more expansive in their thinking about who would perform well in a cybersecurity role. This approach can support DEI goals by helping women and individuals from underrepresented groups move into technical roles and leadership positions.
Avoid a cyber catastrophe: Ask these 5 skills intelligence questions
Finding individuals who currently have in-demand skills or have the potential to develop critical skills is a best practice: it can help the organization fill cybersecurity positions when external hiring is impossible or too costly. When the organization has no choice but to make job cuts, a focus on skills also helps leaders identify the critical people they should retain to stay safe as new threats emerge.
To retain and invest in the right talent in an optimal way, leaders need insights. But because skills evolve all the time, the data quickly falls out of relevance unless organizations put processes in place to capture them—and verify the accuracy of the captured information. That’s why it’s valuable to have tools and systems, such as a skills intelligence platform, in place.
Skills intelligence answers the fundamental questions leaders have so they can prepare for the future and avoid failure when facing a threat. Here are five questions skills intelligence can help employers answer:
1. What cybersecurity skills do we need?
One of the most challenging aspects of determining which skills will become critical over the mid- and long-term is that it’s impossible to predict what the organization will need in the future with 100% certainty, particularly when it comes to continuously evolving cybersecurity threats.
Skills intelligence makes the process of planning more precise with its skills mapping and matching capabilities. It automatically takes job titles, job descriptions, course descriptions, and project briefings and maps these inputs to skills.
This makes it possible to look at different cybersecurity scenarios from multiple dimensions, whether it's the impact of geopolitical friction, new regulations, or digital transformation. Without skills intelligence, however, this proves to be an intractable problem, and the organization drowns in an infinite number of data wrangling, data clean-up, and standardization projects.
2. Who has critical cybersecurity skills?
Identifying who within the organization has critical skills is a fundamental step to help determine which people the organization absolutely needs to keep in a rightsizing situation. Certain cybersecurity skills are crucial for the organization to have in-house and take years to acquire.
With a skills intelligence engine, organizations are able to leverage an advanced job and skills ontology to gain a complete and inclusive view of all employees regardless of role or location so they have a truly comprehensive view of who possesses critical skills.
Going by title alone, an individual might appear to be filling a redundant position that should be cut, whereas a more granular look at skills would reveal that they have a unique skill set that is critical to business operations in a cyber threat landscape.
3. Who has cybersecurity potential?
Skills intelligence—in addition to helping leaders spot talent who already possess critical skills—enables organizations to identify people who have the potential to perform critical cybersecurity functions.
Robust skills intelligence platforms can integrate with AI-powered analytics that can infer which skills employees might have by mapping job codes to market standards, then listing skills likely held by people in those positions. This groups similar skills together (such as intelligence analyst and business analyst) to make adjacent skills more obvious.
Advanced technology is already proving to be a benefit for companies that are looking to help employees reach their full potential. For example, Merck KGaA—a leading science and technology company in healthcare, life science, and performance materials with over 56,000 employees across the globe—has launched a project to augment an employee’s profile of skills and capabilities using Natural Language Processing.
4. How should we develop employees?
Skills intelligence paints a clear picture of the gap between supply and demand.
When layered in with people analytics, this informs strategic plans for closing those gaps—whether they involve on-the-job learning, apprenticeship programs, or a more intensive reskilling program.
Leaders can also use people analytics to understand time to productivity, which is a very important metric for skills growth because it is an indicator of how much of an investment is required to reach specific goals. The more aggressively an organization needs to shorten time to productivity, the higher the learning investment.
5. Are training investments keeping the organization protected?
Leaders need to know that their training investments are paying off, especially when budgets have been reduced. Skill progression is one of the most important metrics leaders can focus on to see if reskilling strategies are working to ensure people are learning the right things.
When integrated into a people analytics platform, skills intelligence can give leaders a clear picture of how newly acquired skills are helping people identify and respond to potential threats. This comprehensive, granular picture of the employee helps leaders refine reskilling programs as needed, ensuring the organization stays nimble as disruptions arise.
Future-proof the business by developing a pool of cybersecurity talent
By taking a granular view of talent through a skills lens, businesses can overcome cybersecurity hiring challenges and move individuals into roles that would otherwise stay unfilled and put the organization at risk. It’s an approach that also helps employers avoid unintentionally letting go of high-potential cybersecurity talent while rightsizing.
People are more than just job titles. With the right skills, organizations can maintain the security of sensitive data and systems, while protecting mission-critical assets. As threats continue to evolve, this is paramount to maintaining the trust of customers and stakeholders.