It’s prediction season!
In 2019, we discussed cyber workforce development with hundreds of security leaders, including many CISOs from Fortune 500 companies in the technology, retail, financial services, and healthcare space, as well as top cybersecurity workforce experts in the U.S. government and military.
As a result, we have the opportunity to place our fingers directly on the pulse of the top trends shaping the cybersecurity workforce. Some of these are a steady incline of 2019 trends, while others – like skills assessments and federal government hiring increases – are unique to 2020. Let’s dive in.
Increase in Spending on Training
Training and development continue to rank as top priorities for workforce leaders in IT and cybersecurity. Driven just as much by technical needs as by the requests of an increasingly in-demand workforce, security leaders will contribute an even greater portion of their budgets to training in 2020.
Recent surveys of security leaders have indicated that just about half of organizations plan an increase in training investment in 2020, with another 31% planning to hold steady. In large part, this trend is being propelled by employees, particularly younger employees, advocating for more opportunities for internal “upskilling” and “cross-skilling.” Some 81% of employees surveyed by (ISC)2 this year said they needed additional training to prepare for future roles. Other studies have found that upwards of 90% of employees consider training and development critical to their decision to stay with a company. Simply put, training is expected by today’s top talent, and security leaders are finally beginning to put it at the top of the priority list.
Pivot from Training to “Formal Workforce Development”
As security leaders increase investment in training initiatives, they face greater pressure to demonstrate ROI from the spend. Many are finding that a more strategic approach to allocating training resources leads to a higher return.
“Workforce Development” – a structured, programmatic approach to developing a resilient workforce – has been a longtime hallmark of government and military cybersecurity programs. Cyber teams within the military, for example, must perform at an extremely high level, at a very large scale, with high degrees of attrition. The only sustainable model in that context is one that builds clearly defined pathways from role to role, with standardized and highly technical skills development efforts along the way.
Commercial organizations are beginning to adopt significant portions of the military model, taking a more disciplined approach to evaluating and developing cyber talent within their organizations. We expect this trend to accelerate dramatically in 2020, as increasing competition for external talent makes internal development more and more enticing.
Focal Point recently interviewed Drew Simonis, Deputy CISO at Hewlett-Packard Enterprise, where a workforce development model has been implemented with great success in recent years.
Transitioning Non-traditional Hires
Even for entry-level positions, many security leaders report significant hiring difficulties. In recent years, however, we’ve seen the hiring manager’s doors open to a broader range of potential candidates.
Increasingly, these candidates are not certified and lack specific cyber expertise. Instead, they’re being hired for their intangible qualities – problem solving, creativity, communication, and technical aptitude.
This has made cyber an ideal field for those looking for a career change, for veterans transitioning to civilian roles, and for employees in related departments (e.g., finance, audit, IT) looking for advancement. While recent graduates and existing cyber professionals are still worthwhile sources of talent, recent studies have demonstrated just how rich the talent pools are elsewhere.
A popular strategy in 2019, and one sure to continue trending upward in 2020, involved building deliberate talent pipelines from IT to cybersecurity. IT employees come from a much larger pool (there are about 6 IT professionals for every 1 cybersecurity professional), have a demonstrated technical aptitude, and understand the systems and technologies in play within the organization. Providing high-performing IT employees with a baseline cybersecurity training program is an excellent way to transition them into an entry-level cyber analyst role. From the employee’s perspective, there is clear career progression and often a salary increase. From the employer’s perspective, bypassing a lengthy and challenging recruiting process can help realize significant cost savings. And using this strategy, you’ll also have IT staff with increased cyber capabilities as they transition, which is a definite plus. It’s truly a win-win.
Skills Assessments Begin to Displace Knowledge Assessments
We’ve written in the past about the unique history of certifications in the cybersecurity industry, and while we’re not predicting the demise of certifications anytime soon, we are on the precipice of a dramatic shift in the way we validate skills and abilities in our field.
“Knowledge tests” or “certification exams” are no longer the only show in town. “Skill assessments,” which measure the ability to accomplish tasks instead of answer questions, are proliferating quickly, both with in-house cyber teams and with professional services and training providers. Skills-based assessments allow test-takers to demonstrate their abilities inside of a virtual lab environment, scoring them on their ability to synthesize book knowledge and apply it to unpredictable, dynamic, real-world scenarios.
As these assessments become more sophisticated, and as costs are driven down by competitive pressures, we expect a new market for skills-based certifications to emerge. Because skills assessments are a more reliable predictor of abilities, we expect hiring managers to begin screening for high scores on them, rather than for the alphabet soup after the name.
More Competition in Cybersecurity Hiring (and Much of It Coming from the Federal Government)
The competition for qualified cybersecurity professionals is intense, with seemingly every company short-staffed already. But that competition is set to heat up even further in the coming years, as many federal government agencies look to bolster their cyber hiring and improve the compensation packages available to cyber employees.
According to a flurry of RFPs released this year, the Department of Homeland Security (DHS), for example, is looking to create a market-sensitive pay structure for cyber employees that more closely aligns with the compensation available in the private sector. This comes in tandem with several new DHS programs to improve upward mobility within its cybersecurity ranks.
And DHS is not alone. Many other agencies are also launching programs to increase the attractiveness of their open cybersecurity roles. This increased competition is likely to be felt by the commercial sector, which has historically offered higher salaries for cybersecurity jobs than the government. With the public sector now catching up (and some arguing that the government already offers superior training and professional development), companies will need to look for other ways to make their jobs more compelling to recruits and to limit attrition.
Outsourcing Hard-to-Fill Cybersecurity Responsibilities
Driven by the same hiring crunch mentioned above, 2020 is likely to see no slowdown in the reliance on outsourced partners to supplement hard-to-fill job roles within the security team.
A recent (ISC)2 report highlights the security responsibilities most frequently outsourced. Among them are penetration testing, red teaming and purple teaming, forensics, threat research, and security monitoring and detection. We’re also seeing the rapid adoption of the SOC-as-a-Service model among small to upper-mid market organizations.
These MSSP and professional services relationships will become increasingly important for all companies in 2020, as they look for novel ways to stretch their workforce (and their budgets) to cover an ever-broader array of responsibilities.
Automating the Boring Stuff
Is automation the saving grace of the understaffed cybersecurity industry? Probably not. But will it help? Certainly.
We’ve seen major advances in recent years in the ability of cybersecurity software to “intelligently” automate routine tasks associated with a variety of daily responsibilities. In 2020 and beyond, we expect these features to move to the forefront – no longer a cutting-edge feature, but a standard component of most software packages. The burden on humans to monitor systems and perform block-and-tackle threat analysis and reporting will continue to diminish thanks to automation. A recent Gartner report suggested that, at the start of 2020, nearly 70% of SOCs will have adopted automated tasks in security vulnerability and configuration scanning for open-source and commercial packages, up from 10% in 2016. Automation of these repetitive tasks will free up the human workforce to focus on higher-value work.
New technologies, like robotic process automation (RPA), advances in SIEM and SOAR solutions, built-in automation within enterprise-class tools (ERP, IAM, etc.), and speculative solutions like robotic decision automation (RDA), will become the norm, rather than the exception. While they won’t solve the workforce shortage, they will help companies do more with less.
Inclusivity and Diversity
The cybersecurity industry has a long way to go to achieve anything close to an inclusive or diverse workforce. In the latest data available, only 11% of the global cybersecurity workforce are women. In North America, which has the greatest concentration of women working in the industry, that number rises only to 14%. In even the most optimistic projections, the percentage creeps up only to 20%.
Minority representation in cybersecurity stands at 26%. While that is slightly higher than the overall minority workforce in the U.S. (21%), recent reports from (ISC)2 have found that these employees are vastly underrepresented in the managerial ranks. Minorities, particularly minority women, are also likely to experience significant pay discrepancies compared to their non-minority peers.
While the U.S. cybersecurity industry is trending toward a more inclusive workforce, we expect (and encourage) companies to prioritize a more diverse hiring process, one that includes hiring for non-traditional educational and professional backgrounds, recruiting from diverse colleges and universities, and supporting events, conferences, and organizations aiming to foster opportunities for diverse employees in the industry.
The business imperative for a diverse cybersecurity workforce is clear. Not only is it critical for closing the workforce shortage, but diverse teams just plain perform better. Research shows that diverse teams are more fact-oriented, more innovative, and better at problem solving – all critical factors for successful cybersecurity teams.
The common threads throughout these trends are the need for a change in approach and for greater investments in cybersecurity. Traditional hiring models, team structures, and job qualifications cannot support the growth needed to sustain the security programs of most organizations. Without deeper investments in cyber training, skills development, and career pathing, cybersecurity leaders struggle to keep their team staffed and equipped for battle. The good news is that these aren’t problems without solutions. New workforce models have been proposed, new tools are helping to reduce the labor-intensive tasks burdening teams, and many business leaders have a better understanding of the need to invest in cybersecurity.
Focal Point specializes in helping organizations design workforce development programs that build skills, improve retention, increase diversity, and create a sustainable cybersecurity program.