Of all the challenges currently facing Chief Information Security Officers (CISOs), one of the most significant is attracting and retaining new talent. This is because demand is far outstripping supply.

According to industry estimates, the number of cybersecurity job vacancies globally has grown to 3.5 million, up from 1 million in 2013. In Australia, it is estimated vacancies could reach 30,000 by 2026. 

These shortages are occurring at a troubling time. During 2022, the number of weekly cyberattacks per organisation increased to just under 1,200 – 38% more than in 2021. With the average cost of a data breach reaching a record high of $US4.35 million, it should come as no surprise that three out of five US-based CISOs say stress poses the largest personal risk they face.

In Australia, the number of attacks is also trending upward at an alarming rate. According to the latest Annual Cyber Threat Report compiled by the Australian Cyber Security Centre, more than 76,000 cybercrime reports were made by businesses in the 2021-22 financial year, up by 13% compared with the previous 12 months.

Filling The Talent Gap From The Inside

Faced with such gaps, many CISOs turn to recruitment companies for assistance. Using advertising campaigns and headhunting techniques, they do their best to find suitable candidates for the vacant roles. Increasingly, however, these techniques are not unearthing sufficient skilled and experienced people.

For this reason, increasing numbers of organisations are looking within for the people they require. As well as opening up a new talent pool, this approach can also be much more cost-effective.

US-based talent management and development company EL Goldberg & Associates estimates the total cost to hire a new worker can amount to three to four times the position’s salary. That would be $240,000 or more to fill an opening with a starting annual salary of $80,000.

Given such mounting hiring costs and the increasing consequences of cyber threats, it makes sense for organisations to look internally for proven performers. Such people may not be highly skilled security professionals however, by providing training and support, leaders can empower them to take on critical roles in cyber defence.

The Benefits of Training

Industry research shows many software developers feel they lack the knowledge to address security vulnerabilities or aren’t aware of what makes code vulnerable. The majority say more extensive training in secure code best practices would significantly reduce both common vulnerabilities and time spent on future patching.

Unfortunately, many organisations fail to invest in existing inside talent adequately. However, this creates additional issues as 58% of professionals are likely to leave their organisation due to a lack of development.

To overcome this situation, training existing staff members makes complete sense. It allows CISOs to enrich the protection of cyber assets, boost bottom-line results, and improve the capabilities of their teams.

When undertaking internal training, there are four key factors to consider:

1. Debunk the myth:
   Many managers get trapped into thinking that, if existing employees are offered the chance of more training, they will be more likely to leave for a competitor. This, however, is a myth. Elevating knowledge through training actually enhances an organisation. It improves needed skill sets as well as engagement, morale, and company loyalty.
2. Involve the entire C-suite:
   Such staff training and development shouldn’t be limited to the CISO and chief human resources officer (CHRO). It’s important to get a sense of the role cyber defence plays in every facet of the business, and then collaborate with all top officers to identify which skills best support essential company-wide security requirements.
3. Identify priorities:
   Every organisation will require different security skills to fit different security needs, and so training curriculums will need to be customised accordingly.  For example, developers need to know how to identify and fix vulnerable code. When they spend time upskilling with security-side team members, with learning materials that reflect the languages and frameworks encountered in their work day, they learn how to use the right coding patterns from the very start of the coding process.
4. Use agile learning methods:
   Experience shows that candidates thrive with hands-on, interactive experiences as opposed to static teaching. They benefit by solving problems that exist in the real world, using agile learning methods that can deliver them the right lessons at the most beneficial, relevant times. Delivered in ‘microbursts’ this style of training can significantly improve the chances of information retention and engagement.

It’s an unfortunate truth that the cybercriminals against which security professionals battle are not facing a similar lack of talent. As well as increasing in number, they are constantly looking for new ways to mount attacks and cause disruption and losses.

For this reason, a strategy of focusing on internal resources and developing security skills makes strategic sense. It will better position organisations to overcome the talent shortage and make their infrastructures as resilient as possible.

References:

https://ia.acs.org.au/article/2022/cyber-skills-gap-is-worse-than-we-thought.html
https://www.cyber.gov.au/about-us/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022