Cyber security faces a critical skills gap across a wide range of areas, including cloud security, OT security, data science and analytics, security architecture and engineering, and attack simulation. The war for talent is made even tougher due to high demand for many of the same capabilities across IT, pushing up salaries and increasing attrition. The average CISO’s tenure has been estimated by Forrester at just over two and a half years for UK CISOs and just over four years for US CISOs,1 and many are well aware of their market value and increasing demands (not least from regulatory obligations) leading to stress and burn-out. Another challenge for busy CISOs is acquiring the ‘soft’ skills necessary to forge relationships and influence behavior, as they and their teams become cyber evangelists.
“Cyber may in future operate with a small core team and many subcontractors and gig economy workers, tapping into a global pool of resources, which could help resolve some of our talent challenges. But we need to know that people are trustworthy. I envision a kind of ‘trust ring’ being built around people, who are vetted by other trustworthy people.”
Consequently, there are moves to professionalize cyber security, and to formalize qualifications and career paths in this youngest and most dynamic of occupations.
My role as a leader and manager of people must focus even more on mental health and wellbeing. Cyber security professionals are expected to prevent or stop any incident, but we all know that’s not possible — it’s asking too much. If you ask a CISO about their expectations for an incident, they’ll likely say 'we’ll get sacked.' This is unhealthy and must change, which means focusing heavily on pastoral care of my team. I’m incredibly strong on this.
Looking further ahead, new roles are evolving that may not even exist today, such as resilience strategist, cyber risk modeler, orchestration manager, behavioral analyst, and AI ethicist. Vendor management has also taken on greater relevance, with the surge in outsourcing and third party partnerships — especially for cloud-based services, where cyber teams must share responsibility for security — so perhaps an ecosystem security architect too. In shaping the future cyber security workforce, CISOs will have to consider how to access both existing and new capabilities needed to stay on top of emerging threats, rebalancing the skills within their organizations to meet the changing demand.
Whether hiring, retraining or outsourcing, the CISOs KPMG professionals spoke with have some innovative ideas on how to possibly address the skills shortage.
Automation is vital for low-value activities like connecting with ticketing systems and automating workflow. Global Cyber Security Director Emma Smith says, “Automation helps increase efficiency and retain interest for analysts. Addressing root cause issues is essential to keep improving and learning, so we don’t keep dealing with the same issues.”
Automation will play a vital role in the cyber workplace, as Joanna Burkey, CISO, HP acknowledges: “The cyber industry has deep structural challenges. We can’t keep up with the pace of technology change from a skills perspective, we can’t get enough talent in, and never will, and we can never assume 100 percent retention at any time. It’s not possible to keep up with the pace of technology change without embracing automation.”
The trend for cyber security generalists appears to have declined, with a new demand for and appreciation of people with strong technical capabilities, as Emma Smith, Global Cyber Security Director, Vodafone, notes: “Technical expertise, rewarding engineers and technical skills, creating a new model for building career paths, are fundamental to our strategy. I think organizations now realize the importance of both leadership and technical skills in cyber security teams.”
Retraining existing cyber professionals is costly and takes time. GSK SVP and CISO Matthew McCormack observes that: “Reskilling is a challenge. To use a motoring analogy: Motorbike mechanics can’t become Tesla mechanics overnight!” As technology transformation puts pressure on existing capabilities, it’s likely to take 2–3 years to upskill the current workforce, to cope with the shift from on-premises and access protection to cloud, mobile, IoT and big data.
CISOs can bring in people with in-demand skillsets like data analytics, risk management and cloud as core technical disciplines before ‘converting’ these individuals into well-rounded cyber professionals. They don’t have to be cyber experts: What’s more important is that they understand the business and are willing to learn. Such a move would help overcome the lack of diversity in cyber security, encouraging new skills, backgrounds, perspectives and opinions to look at the same problem from multiple angles. Decrypting Diversity, a 2020 KPMG in the UK/National Cyber Security Centre UK paper, surveyed diversity and inclusion in cyber security. Of those experiencing career barriers, 32 percent said it was due to gender discrimination, and 22 percent cited race, ethnic, social background or regional discrimination.
“There’s less of a skills gap than a diversity gap. A team, with diverse skills, backgrounds, opinions and perspectives will give us better answers.”
Forming partnerships with universities and colleges and investing in young talent has the dual benefit of training individuals and fostering loyalty. YPF CISO Brian O’Durnin feels that “By offering apprenticeship schemes and university places in regions with high unemployment and an underprivileged population, we’ll contribute to the profession in general. Even if some of these people don’t end up working for us, we’ll be contributing to the ecosystem of cyber security and making the world a little safer.”
The trend towards outsourced labor is only likely to accelerate, with CISOs in some cases looking to lower-cost locations as remote working rises in popularity. The gig economy is also likely to increase, with cyber security professionals seeking greater flexibility over where and when they work, a trend reinforced by the shift to remote working during COVID-19.
To shape a dynamic 21st century workforce, CISOs must constantly assess what capabilities they need, and then source these skills from within and outside the organization — using a hybrid model of permanent hires, temporary workers and contract models.
Increasingly, we are likely to see CISOs outsource some of their operations. This may be to specialist providers that can scale up and down with ease; professional services companies offering transformation support and strategic advice; and niche service providers and contractors. And, as organizations continue to migrate to the cloud en masse, CISOs will look to cloud service providers for a growing range of security activities.
With automation taking over the bulk of transactional tasks, the cyber workforce is transitioning from ‘doer’ to ‘enabler’, focusing on new product development, operational productivity and resilience, and larger, strategic cyber initiatives. However, it will take time to get this partnership between human and machine right.
A key question for CISOs will be ‘What skills do I need to retain in-house?’, to establish a core that lets the organization govern its security, set strategic direction, make tough and informed choices on risk, and manage incidents and crises. Beyond this core will be a complex tapestry of sourcing strategies and relationships with outsourced and co-sourced suppliers, who provide the scale and specialist skills needed for security operations, as part of the shift to a shared responsibility model. Increasing regulatory expectations around the role and competence of CISOs and their teams will also impact roles and responsibilities.
And, while it’s vital to attract talent from peripheral industries into cyber security, it’s also helpful to encourage cyber practitioners to move in the opposite direction. Not only will this enhance career prospects, it can also spread awareness of the value of cyber in other functions and integrate cyber security more deeply into every employee’s thinking, until it becomes second nature. For instance, cloud engineering and legacy IT teams are swapping people to add greater rigor and security to the former and pace to the latter. This type of cross-fertilization extends to diversity and inclusion, as well as neurodiversity, which can bring huge benefits in terms of creativity. Cyber could also do more to embrace new workforce initiatives like returning parents, late career employees and retirees, all of whom can add to the skills base.
“The good news for cyber security professionals is that they’re becoming more important and more visible, with their roles encompassing a wider range of challenges like collaboration tools and transformation, giving them a chance to expand their commercial and strategic skills and build richer careers.”