The skills gap all IT organizations struggle with can be summed up in three words: "not enough people," according to author and Wall Street Journal columnist Gary J. Beach (Beach is also publisher emeritus of CIO magazine and CIO.com). But when the skills gap is viewed through the lens of cybersecurity, it becomes much more than an HR struggle to put bodies in seats - it can be dangerous and costly.
CIOs must take advantage of their unique position in the C-suite to drive increased emphasis on security spending, hiring quality talent and furthering education and training for that talent, or risk catastrophe.
Security is a sound investment
The paradox inherent in enterprise security is that if you're doing it right, no one can tell, says Mark Weinstein, founder of social media platform Sgrouples, CEO of MeWe.com and a cybersecurity and privacy expert. According to Weinstein, CIOs must be vigilant about explaining the real risks and threats, and be willing to drive the investments necessary to mitigate them.
"One of the major issues here is that if you're doing security right, you're not necessarily going to see the results. You're not going to get the huge breaches, you're not going to get the highly publicized failures, which you'd assume is a great thing, but that can lead to complacency -- and an unwillingness to invest in skilled talent, preventative technology and education and training to keep organizations secure. So it's all about being able to understand threats, how they're evolving and why, and be proactive about heading them off before they occur," says Weinstein.
That proactive approach must also extend to communicating effectively about the nature of potential and emerging threats and continuing to make security a priority across the entire organization, says Elaine Varelas, Managing Partner of Keystone Associates. That includes realistic assessments of the costs and benefits of a sound security strategy.
"Organizations tend to reward people who save them the most money, but especially in the area of security, they don't always understand at what cost that's being done," Varelas says. Organizations that are security conscious enough to have a chief security officer are often more proactive about security issues, but for those that aren't, the burden often lands on the shoulders of the CIO.
"If you're trying to squeeze out a few extra bucks by hiring cheaper talent, slashing software budgets or eliminating training and education, well, in the short-term you might be rewarded. But someone must be asking the question, loudly, 'Does this increase our risk At the highest executive level, some CEOs will say, 'Well, that's not my issue, I hired a CIO for that,' but the constant vigilance about security, risk and threats has to be spread across the entire organization, not just on the shoulders of one exec," says Varelas. CIOs must be confident enough to maintain, with the help of the CFO, the financial balancing act of risk-versus-reward so everyone understands how to make the best, most secure decisions.
"CIOs in this position must be able to communicate their beliefs about the level of security that's needed in language everyone can understand. The C-suite, executive boards, managers, entry-level workers all must understand that even if they can't see results of the security strategy immediately, that the strategy is working and the investment is paying off," she says.
Don't ignore education and training
It's not enough to simply invest in hiring security talent, though, there must be adequate resources devoted to keeping that talent on the cutting edge of security and best practices. "Sometimes executives believe that if they've hired a few people, they've solved their vulnerability problem. But it's more complex than that -- landing the talent's only half of the equation. It's about continuing education and training for that talent; defending budgets for conference attendance, educational courses and workshops. What your talent locked down and secured for you last year could be vulnerable this year. It's about more than just salary, it's a continuous investment into the best weapon you've got -- the brains behind the technology," says Weinstein.
Many organizations do understand the need for continuing IT training, especially in the areas of security, compliance and governance skills, but balk when confronted with the costs of such training, according to a survey from Cybrary, a provider of free massive open online courses (MOOCs) for IT and cybersecurity.
The survey asked 405 senior-level technology professionals about their companies' plans for IT training in 2015, according to co-founder Ryan Corey. While 61 percent of respondents said employees in their company need such training and 55 percent predicted an increased need this year and beyond, the survey revealed that most companies plan to spend the same amount of money on IT training for 2015 as they did in 2014.
Less than a quarter of survey respondents allocate 10 percent to 20 percent of their IT budgets to training, while 11 percent said they don't provide any money for IT training because it's too expensive - and that could be a costly mistake.
"The data we've compiled suggests that companies do not provide enough means for IT training, despite a lack of IT talent and ever-increasing technology and cybersecurity challenges," Corey says. "This skills gap is only getting worse, even as demand for these skills accelerates. And most cybersecurity training providers are prohibitively expensive -- even the most forward-thinking business is going to raise an eyebrow at paying $3,000 to $5,000 per class, especially because the skills taught could be obsolete almost immediately!" says Corey.
That's not to say such training isn't worth it, by any means, Corey says. "Cost is the biggest obstacle -- for employees who want and need to learn these skills but whose companies cut the training budget, or who don't offer reimbursement for courses, it's a fantastic option," he says. Cybrary also emphasizes a focus on talent from developing nations that might not have the computing resources or infrastructure available to otherwise study and address security threats.
"The cybersecurity landscape changes so quickly that it's already nearly impossible to keep up with the emerging threats without ongoing access to continuing education. You need to make awareness and education of your security talent the linchpin of your overall strategy," says Corey.
Listen to your talent
If you have the talent and you're willing to invest in their education and training, you're on the right track. But those investments won't pay off unless you're also committed to following through on their recommendations, says Mike Ricotta, head of development at Blue Fountain Media and a cybersecurity expert.
Make sure your skilled, certified, experienced security employees aren't needlessly having their work impeded by operational priorities -- because ensuring the security of your organization and its data, not to mention that of its customers, is priority number 1. Even if the expected cost of recourse for a security failure may not outweigh the costs for proactive resolution, the damage to your business's reputation and loss of customer trust can be devastating.
"If your organization is serious about ensuring security, make sure that you give your talent a voice and you take every recommendation seriously, because the one that gets compromised may very well be the one that's exploited," Ricotta says.