You’ve heard the statistics and the nightmare scenarios. Cybersecurity vulnerabilities are very real, very dangerous threats to businesses of all sizes. The most recent research confirms that cyberattacks are a leading threat to most U.S. businesses regardless of size or industry. In fact, a UK study found that jobs postings for “cybersecurity technician” increased 19,222% between April 2020 and April 2021.
“If your employees have email or your systems or processes are interconnected digitally in any way, you have a potential cybersecurity issue. And it’s one that could threaten your entire business. That’s why cybersecurity jobs catapulted into the stratosphere,” recommends Paul McGaughan, Practice Director for The HT Group Technical Recruiting
Most small and mid-sized businesses don’t have room on their teams from someone completely dedicated to cybersecurity. Inevitably, though, the duty must fall to someone. As ZDnet puts it, “Cybersecurity is often not specifically listed in skills reports, despite the fact, employers increasingly expect baseline IT security knowledge from workers.”
Who in your organization is dedicated to keeping cyberattacks at bay? Is it worked into their job description? Do they have the right credentials? And do they have the support from the organization to be successful in this critical role?
What The Latest Research Tells Us
“Over the last five years, even as IT leaders ranked cybersecurity in the top two areas that require more investment, the average cybersecurity budget has increased only marginally,” says Chris Maurer, a professor at the University of Virginia’s McIntire School of Commerce who, along with colleagues at the University of North Texas, recently completed a five-year investigation of cybersecurity practices within organizations.
The pandemic pushed cybersecurity to the forefront for several reasons, one being the sudden and overwhelming work-from-home (WFH) evolution. HP reports that 76% of the IT teams they talked to claimed security took a back seat to continuity during the transition, 91% felt pressure to compromise security for business continuity, and 83% believe remote work has become a “ticking time bomb” for a network breach.
Organizations with the resources to invest in dedicated cybersecurity jobs are met with a major skills shortage. More than half of cybersecurity professionals worldwide responding to an Information Systems Security Association (ISSA) study report a shortage of cybersecurity skills in their organizations, leading to a significant increase in workload on top of the increased stress of moving everyone in their organizations to remote work.
In his research, Maurer found that around 35% of organizations earning more than $1 billion in revenue did not have a dedicated CISO. “Companies of this size generally have several hundred to thousands of employees, and to not have a person whose sole job is to oversee cybersecurity is rather concerning,” he states.
Whatever your size, says Maurer, all organizations should have someone with formal responsibility over cybersecurity. Below are some steps to take to make that happen.
Make It A Business Priority
The ISSA study suggests that stakeholders often see cybersecurity as a technology issue rather than a business issue, “which is naïve when high-profile data breaches and ransomware attacks have demonstrated that if cybersecurity isn’t managed correctly, it can have huge consequences for the whole business.”
The experts agree that it’s time to take the cybersecurity function out of its silo and to understand how it holistically affects the business. Then, remove the barriers that will inhibit the people you put in charge of this critical business function.
The HT Group’s IT Advisors recently outlined steps to make cybersecurity a business priority. Their advice spans numerous industries including oil and gas, financial services and banking, healthcare, manufacturing and more. Take a look at the steps they outline, which start with building a mitigation plan that includes incident management training and shoring up employee and vendor vulnerabilities. Our HT Group advisors can help you form a plan for prioritizing your cybersecurity. Contact The HT Group Director of Consulting Services Sam Wood to get started today.
Know Who To Recruit
Then, determine who in your organization should be responsible for cybersecurity. Even if your organization is a small business and you work with an outside IT vendor, someone needs to understand and be responsible for establishing and policing security practices within the business including strong passwords, internet usage guidelines, data security and backups, firewall maintenance, Wi-Fi networks, software patches and more.
“That person may be a manager, administrative professional or in HR. Wherever they are in the organization, it’s vital to work these tasks into the job description and to hire employees who either have or are interested and capable of learning these skills,” McGaughan recommends.
Mid-sized businesses with IT teams need to understand that these roles aren’t inherently cybersecurity focused, either. A recruiter can help you determine how to identify tech professionals who have the right knowledge of and experience in cybersecurity. These include looking for specific certifications like CompTIA Security+ and Certified Ethical Hacker (CEH). The shelf-life of these qualifications matters, too, since cyber threats evolve along with the times, particularly as emerging technologies introduce new ways to be vulnerable. And it’s critically important to be sure the people you hire in these roles have been thoroughly background checked as well.
“You’ll also want to work with a recruiter to engineer the best interview process,” McGaughan says. “You’re looking for specific hard skills, but behavioral skills are equally important. How does the person prepare for, handle, and learn from high-stress situations? You’ll want specific examples of how they’ve managed cyberattacks in the past.”
Create An Irresistible Offer
If you’re a large or rapidly growing organization with complex digital vulnerabilities, you may be ready for a dedicated cybersecurity professional or even a full or fractional CISO. The Wall Street Journal reports that “many companies that previously didn’t have chief information security officers have hired one in the past few years, driving the need for professionals with experience, technical skills, and business knowledge.” But, WSJ adds, security leaders with these qualifications can be challenging to find, and their salaries are rising by the month.
Three-quarters of the cybersecurity professionals in the ISSA study admit that their organizations aren’t recruiting their colleagues correctly. While 75% admit they are approached by recruiters monthly, those efforts fall flat. About 38% said their organization doesn’t offer competitive compensation, 29% said their HR department doesn’t understand the skills needed for cybersecurity jobs, and 25% said that job postings at their organization tended to be unrealistic.
“Outside recruiters are imperative when it comes to identifying, recruiting, and screening people with cybersecurity skills,” states McGaughan. “Competition for talent is heavy and the landscape and requirements are continually changing. It’s critical to work with recruiters who know what certifications and qualifications are relevant and necessary as well as what compensation and other benefits are trending with top talent.”