The great cyber security talent migration has begun, here’s what you can do

The macro-economic consequences of COVID-19 have reached cyber security and the talented people who keep us secure. In some senses, invisibility is a hallmark of good cyber security, back-end operations running smoothly keeping the assets, operations and reputation of an organisation from harm. But this invisibility is built on proper resourcing and in the last 18 months, we’ve seen a progressive erosion of the human resources behind successful organisational cyber security.

Let’s call this the great talent migration.

At any given time, there are a limited number of top cyber security professionals. When you add border closures, data sovereignty concerns, reduced student numbers in the pipeline and the incredible systemic network stressors of work-from-home, you basically create a situation in which burnout is high and talent demand is even higher.

The consequence is a large number of organisations fighting for a very limited number of professionals. This is worse than the cyber security skills gap. On the surface, an organisation might look like its business-as-usual. But behind the scenes, this scrambling for critical resources is having both short- and long-term consequences for the organisation’s security and our society’s collective security.

Moreover, business confidence is on the rise in Australia and globally accelerating the trend because jobs availability is increasing even more. Then there’s record levels of employee fatigue. Worldwide Gartner research this September showed 34 per cent of HR leaders are significantly concerned about employee turnover, rising to 91 per cent who are increasingly concerned as the economy improves in the coming months.

At the same time, some cyber security experts are exiting their career due to aforementioned burnout, a reprioritisation of their personal goals due to the pandemic (the “great resignation” anyone?), or a shift in participation due to life stages. From recruitment to internal development, incentives and culture, what levers have the biggest impact?

So how do you attract and retain talent in this environment?

Cyber specialists will be looking for employers that support remote work, interesting projects that enrich their life experience and organisations that actively show appreciation of their efforts, not just bonuses, but a culture that supports them and their growth. Creating a culture that fosters inclusivity, openness, diversity and a fun environment will be essential to retain the staff you’ve got.

VIEW ALL

Locally, and now globally, Trustwave has set up a Diversity Network Initiative (DNI) designed to action diversity and inclusion awareness through education and programs to make our organisation a great place to work and a great team for our clients to conduct business. Our DNI has five streams of focus: gender, LGBTQIA+, indigenous, culture and wellbeing, and mental health, with accelerated progress for gender within the business. I’m proud that 50 per cent of our local leadership team are women. I can also see recent sessions run by the network on mental health, including tips from an organisation that offers therapy dogs to mitigate stress, working to foster a culture of learning and sharing.

A critical element of retaining that talent is openness. Fostering a culture of open dialogue between all levels of the business ensures staff know what the mission is, and how we’re going to get there is critical. Our “Ask Us Anything” open forums give employees a chance to ask leaders anything. It is often business-related, but not limited to that.

Offloading or reframing?

As people leave jobs, the remaining staff might be asked to bear the burden, shouldering the duties left behind. Organisational knowledge retention is becoming a major issue. Many are looking to take advantage of outsourced service vendors who add human intelligence to the tasks left behind (not just AI and automation). Cyber security risk management requires analytics and then assessment based on a human view of how the risk impacts an organisation, taking in the needs of the business and the potential effects to understand the necessary actions.

Enticing back people who stepped out of the industry and asking them to do those fixed scope engagements can convince them that they can have their side gig on the coast – semi-retirement, time with children as well as explore new challenges and project goals they’d like to get their teeth into – help them.

Bring in the experts; recycle knowledge

Engaging specialised experts for scoped tasks or gigs can meet the business needs for compliance or significant projects and can indeed get the job done faster and with greater effectiveness. And maybe at the same time, skill up your existing employees. More cyber departments are using services to remove the burden of low level (and high level) threat detection and response. This is freeing up resources for security analytics, specific threat prevention initiatives and key projects that uplift the cyber posture of an organisation. I expect organisations are reconsidering their need for data sovereignty for some aspects of cyber security and use global talent and services to fill the gap.

The fastest way to adopt best practices, and one that reduces the burden on staff, is to re-use what others have done before. Our business shares the work we’ve done with clients via a free subscription portal where anyone can download, mostly for free, the work derived from major Australian and global clients on topics such as presenting to the board or incident response guidelines and metrics we’ve seen work in an industry like theirs. Why build from scratch?

Look beyond the IT silo for talent

Smart organisations are also turning to staff already in their companies to grow cyber talent – John in legal? Sally in marketing? Well-rounded humans have thrived in cyber security from the beginning because while coding is literally binary, cyber security is not. In the face of a cyber degree explosion, we’re still hiring humanities grads, lawyers and those told they must learn to code but never did, because the optimal cyber security team is a truly diverse one.

There’s no doubt the great cyber security migration is underway, but if you tackle it head on, there’s plenty you can do to emerge stronger and more secure as an organisation.

Jason Whyte is the general manager for Trustwave in the Pacific region.