Perimeters Aren’t Dead – They’re Valuable

Since I first began building internet firewalls in the late 1980s, I have periodically encountered claims that “the perimeter is dead” or “firewalls don’t work.” These claims are rather obviously wrong: your firewall or perimeter are simply a way of separating things so you can organize them better. An internet firewall is an organizing principle between “stuff that’s not your problem” (the internet) and “stuff that’s your problem” (your network).

At a finer level of detail, you might apply other organizing principles such as “my data center” and “the unmanaged cloud of desktops” or “our PCI cloud.” If you think of firewalls or perimeters as a way of organizing the various entities you deal with, you’ll be able to better understand your strategic objectives for where data moves, how it moves and where it sits. Without that type of organization, the idea of a network that is “yours” is purely imaginary.

If you think about firewalls and perimeters as an organizing principle, you’ll be able to see how single servers can be a “cloud of one” whether they’re on premise or off, and you can think about the trust relationships between remote servers and internal services. It’s a valuable mental tool, in other words.

We (or rather management) also can make mistakes by forgetting there is a persistent management cost for design. Organizing your computers and thinking about where data moves and how it is stored is expensive. It takes understanding and thought to design this stuff, and if it’s not done right, you wind up with a mess. A typical mess might be: “everything can talk to everything,” which is certainly easy to set up, requires no ongoing management, and is – for all intents and purposes – impossible to secure. It seems to me that a lot of executives expect tremendous cost-savings from moving to the cloud, but they don’t realize that you still need good systems people (to manage the cloud systems using the cloud providers’ interfaces) and governance/analysis (to think about where your data is moving and why). In other words, the thinking is the hard part.

Beyond security, it’s important to think about performance and reliability. If you figure out where your most important servers and data are, you can optimize your network architecture to guarantee best performance where it needs to be. Otherwise, in an “everything can talk to everything” network, your only option for performance tuning is to make everything faster. That’s an important distinction to keep in mind as we collectively move to software-defined networks. The organizing principle that leads to securing your data is also the organizing principle that allows you to optimize your data paths.

A senior IT person at a large enterprise told me, “We have web services all over the place. We use a vulnerability scanner to identify systems that are offering up data on port 80, then we track them down and analyze them.” Think about that for a second! If the organization has a purely reactive governance model like this, how will that enterprise move to a high-performance software-defined network? To map out your performance requirements, you need to know where the data is going to flow. You cannot do that if you’re permanently reverse-engineering your design using what I call “forensic network architecture.”

When we talk about disaster recovery or data backups, the same reasoning applies: you can’t back up your data if you don’t know where it is (organizing principle: data perimeter), and you can’t identify which systems need to be recoverable/reliable if you don’t know which they are (organizing principle: data center perimeter). None of this is a new problem, but, unfortunately, a lot of organizations are going to keep kicking the can down the road, so they can preserve their hard-won ignorance about what’s going on inside their perimeter.
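One way to make the "organizing principle" concrete is to write the design down as zones and intended zone-to-zone flows, then compare observed traffic against it. The following Python is an added example and not Ranum's code or any product's: the zones, inventory, design rules and observed flows are all constructed for illustration. It shows why the organized network answers questions the "everything can talk to everything" network cannot: which zones have a path into the PCI zone, and which observed flows (or uninventoried hosts) fall outside the documented design, the "forensic network architecture" case.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample inventory for this example: host -> zone (perimeter).
INVENTORY: Dict[str, str] = {
    "10.0.1.10": "desktops",
    "10.0.1.11": "desktops",
    "10.0.2.20": "datacenter",
    "10.0.3.30": "pci",
    "203.0.113.5": "internet",
}

# Intended data paths between zones: (source zone, destination zone, TCP port).
# Anything not listed here is outside the documented design.
DESIGN: Set[Tuple[str, str, int]] = {
    ("internet", "datacenter", 443),
    ("desktops", "datacenter", 443),
    ("datacenter", "pci", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(host: str) -> str:
    """Zone the host was assigned in the inventory; unknown hosts are flagged."""
    return INVENTORY.get(host, "unknown")


def classify(flow: Flow, design: Set[Tuple[str, str, int]] = DESIGN) -> str:
    """Compare one observed flow against the declared design."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unknown-host"  # inventory gap: nobody knows what this host is
    if (src_zone, dst_zone, flow.port) in design:
        return "designed"
    return "undesigned"  # a data path the architecture never planned for


def audit(flows: Iterable[Flow], design=DESIGN) -> Dict[str, List[Flow]]:
    """Bucket observed flows so reviewers see what falls outside the design."""
    result: Dict[str, List[Flow]] = {"designed": [], "undesigned": [], "unknown-host": []}
    for f in flows:
        result[classify(f, design)].append(f)
    return result


def zones_that_can_reach(target: str, design=DESIGN) -> Set[str]:
    """Transitive closure over the design: every zone with a path into `target`."""
    reach: Set[str] = set()
    frontier = [target]
    while frontier:
        dst = frontier.pop()
        for src, d, _port in design:
            if d == dst and src != target and src not in reach:
                reach.add(src)
                frontier.append(src)
    return reach


def flat_design(zones: Iterable[str], port: int) -> Set[Tuple[str, str, int]]:
    """The 'everything can talk to everything' network expressed as a design."""
    zs = list(zones)
    return {(a, b, port) for a in zs for b in zs if a != b}


# Constructed sample of observed flows (as they might come from flow logs).
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.20", 443),    # desktops -> datacenter: designed
    Flow("10.0.1.11", "10.0.3.30", 5432),   # desktop straight into PCI: undesigned
    Flow("192.0.2.77", "10.0.2.20", 80),    # a host nobody inventoried
]

if __name__ == "__main__":
    for bucket, flows in audit(OBSERVED).items():
        print(bucket, [(f.src, f.dst, f.port) for f in flows])
    print("zones with a path into pci:", sorted(zones_that_can_reach("pci")))
```

With the flat design from `flat_design`, every zone can reach every other and no flow is ever "undesigned", which is exactly why such a network cannot be audited, tuned or backed up by design: there is nothing to compare against.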

Editor’s note: For more of Marcus Ranum’s insights on this topic, download The Vaguely Defined Perimeter.

Marcus J. Ranum, Security Consultant

[ISACA Now Blog]

Combating the Rising Threat of Malicious AI Uses: A Strategic Imperative

A group of academics and researchers from leading universities and think tanks – including Oxford, Yale, Cambridge and OpenAI – recently published a chilling report titled The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation. The report raised alarm bells about the rising possibility that rogue states, criminals, terrorists and other malefactors could soon exploit AI capabilities to cause widespread harm. These risks are weighty and disturbing, albeit not surprising. Several politicians and humanitarians have repeatedly advocated for the need to regulate AI, with some calling it humanity’s most plausible existential threat.

For instance, back in 2016, Barack Obama, then President of the United States, publicly admitted his fears that an AI algorithm could be unleashed against US nuclear weapons. “There could be an algorithm that said, ‘Go penetrate the nuclear codes and figure out how to launch some missiles,’” Obama cautioned. A year later, in August 2017, the charismatic Tesla and SpaceX CEO, Elon Musk, teamed up with 116 executives and scholars to sign an open letter to the UN, urging the world governing body to urgently enact statutes to ban the global use of lethal autonomous weapons or so-called “killer robots.”

I wrote a 2017 ISACA Journal article to underscore that, while AI’s ability to boost fraud detection and cyber defense is unquestionable, this vital role could soon prove to be a zero-sum game. The same technology could be exploited by malefactors to develop superior and elusive AI programs that will unleash advanced persistent threats against critical systems, manipulate stock markets, perpetrate high-value fraud or steal intellectual property.

What makes this new report particularly significant is its emphasis on the immediacy of the threat. It predicts that widespread use of AI for malicious purposes – such as repurposed autonomous weapons, automated hacking, target impersonation, highly tuned phishing attacks, etc. – could all eventuate as early as the next decade.

So, why has this malicious AI threat escalated from Hollywood fantasy to potential reality far more rapidly than many pundits anticipated? There are three primary drivers:

  • First, cyber-threat actors are increasingly agile and inventive, spurred by the growing base of financial resources and absence of regulation – factors that often stifle innovation for legitimate enterprises.
  • Secondly and perhaps most important, the rapid intersection between cybercrime and politics, combined with deep suspicions that adversarial nations are using advanced programs to manipulate elections, spy on military programs or debilitate critical infrastructure, has further dented prospects of meaningful international cooperation.
  • Thirdly, advanced AI-based programs developed by nation-states may inadvertently fall into the wrong hands. An unsettling example is the 2016 incident, in which a ghostly group of hackers, going by the moniker “The Shadow Brokers,” reportedly infiltrated the US National Security Agency (NSA) and stole advanced cyber weapons that were allegedly used to unleash the WannaCry ransomware in May 2017. As these weapons become more powerful and autonomous, the associated risks will invariably grow. The prospect of an autonomous drone equipped with Hellfire missiles falling into the wrong hands, for instance, would be disconcerting to us all.

It’s clear that addressing this grave threat will be complex and pricey, but the task is pressing. As report co-author Dr. Seán Ó hÉigeartaigh stressed, “We live in a world that could become fraught with day-to-day hazards from the misuse of AI and we need to take ownership of the problems – because the risks are real.” Several strategic measures are required, but the following two are urgent:

  • There is need for deeper, transparent and well-intentioned collaboration between academics, professional associations, the private sector, regulators and world governing bodies. This threat transcends the periphery of any single enterprise or nation. Strategic collaboration will be more impactful than unilateral responses.
  • As the report highlighted, we can learn from disciplines such as cybersecurity that have a credible history in developing best practices to handle dual-use risks. Again, while this is an important step, much more is required. As Musk and his co-collaborators wrote to the UN, addressing this risk requires binding international laws. After all, regulations and standards are only as good as their enforcement.

This is an old story; history is repeating itself. As Craig Timberg wrote in The Threatened Net: How the Web Became a Perilous Place, “When they [internet designers] thought about security, they foresaw the need to protect the network against potential intruders and military threats, but they didn’t anticipate that the internet’s own users would someday use the internet to attack one another.”

The internet’s rapid transformation from a safe collaboration tool to a dangerous place provides an important lesson. If we discount this adjacent threat, AI’s capabilities – which hold so much promise – will similarly be exploited by those with bad intentions. Absent a coherent international response, the same technology that is being used to derive deep customer insights, tackle complex and chronic ailments, alleviate poverty and advance human development could be misappropriated and lead to grave consequences.

Author’s note: Phil Zongo is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the 2016-17 winner of the ISACA’s Michael Cangemi Best Book/Article Award, a global award that recognizes individuals for major contributions to publications in the field of IS audit, control and/or security.

In 2016, Zongo won ISACA Sydney’s first Best Governance of the Year award, a recognition for the thought leadership he contributes to the cybersecurity profession. Over the last 14 years, Zongo has advised several business leaders on how to cost-effectively manage business risk in complex transformation programs. Zongo regularly speaks at conferences on disruptive trends, such as cyber resilience, blockchain, artificial intelligence and cloud computing.

Phil Zongo, Head of Cybersecurity, Author and Public Speaker

[ISACA Now Blog]

Five Questions on Board-Level Cybersecurity Considerations with Dottie Schindlinger

Editor’s note: Dottie Schindlinger, VP/Governance Technology Evangelist with Diligent and a panelist on the importance of tech-savvy leadership at ISACA’s CSX North America conference last October, recently told Forbes that cybercriminals target organizations perceived to be low-hanging fruit. Schindlinger visited with ISACA Now to discuss how organizations can avoid falling into that category and other key board-level cybersecurity considerations. The following is an edited transcript:

ISACA Now: How do board directors and executive leaders go about ensuring hackers don’t consider their organizations to be low-hanging fruit?
Board members and executive leaders of organizations are ultimately responsible for ensuring the long-term health of their organizations – and this responsibility extends to mitigating cyber risk. That doesn’t mean they have to be deeply involved in the day-to-day operations of cybersecurity programs, but they can’t be complacent.

The simplest thing directors can do to mitigate cyber risk is to ask questions and hold themselves to a higher standard. First, boards should ensure their organizations are providing the right set of tools to ensure the board’s communications are kept secure – for example, moving away from email in favor of a more holistic “Enterprise Governance Management” solution.

Additionally, boards should receive a quarterly high-level summary from the organization’s IT/data security team explaining the main components of the organization’s cybersecurity program. This should include a review of the current threats and thwarted hacking attempts, and a review of the training and education taking place across the organization. The CIO or CISO should be present at every board meeting to deliver the report, answer questions, highlight concerns and discuss ongoing investments in cybersecurity.

Furthermore, board members and senior executives should be required – along with anyone granted access to the organization’s sensitive data – to receive cybersecurity training and support. Far too often, senior leaders are prime targets for hackers because they have access to highly sensitive data with little IT oversight.

ISACA Now: Are boards becoming more sophisticated about providing cybersecurity leadership?
Yes and no. When asked, most directors voice strong concerns about data security – they are clearly worried about the stories they hear about in the news. But that concern doesn’t necessarily lead to action. For example, far too few directors are required to receive cybersecurity training on a regular basis. Our last survey – conducted in 2017 – showed that fewer than one-third of directors receive regular cybersecurity training and, even then, it’s most likely to be conducted very infrequently.

We also learned how heavily directors rely on email for communication. More than two-thirds use email as their primary form of communication about board business. This is worrisome in light of the explosion of ransomware and malware attacks targeted at high-ranking individuals throughout 2017. If directors are using unsecured, unencrypted email to share sensitive data, the directors themselves become sources of cyber risk, rather than stewards of cybersecurity.

I believe the needle is finally beginning to move in a positive direction. Fear is a strong motivator, but so is the potential for revenue growth that comes when an organization’s leaders are more tech-minded.

ISACA Now: Given the growing understanding of the importance of cybersecurity, why are many organizations still reluctant to invest in training, both for board members and for their staffs?
Partly I think this has to do with a lack of understanding of the immediacy and severity of the threat. Considering that it typically takes a few months for a breach to even be detected, it’s highly likely more organizations have been breached than we know. I think many organizations want to believe they aren’t as vulnerable as they really are. In my conversations with directors, I’ve heard the phrase, “Our IT team is top-notch and we have cyber risk insurance.” Those two statements might be absolutely true – but neither one can prevent an organization from being hacked 100% of the time.

I think it’s fair to say that some complacency is born from a lack of familiarity. The vast majority of directors and senior leaders are not digital natives. The average age of directors is still north of 50, meaning senior leaders are much more likely to have grown up using typewriters than mobile devices. This means that technology can feel like a foreign topic (and a sore subject) for many directors, causing them a good deal of discomfort. I think that when CISOs approach technology discussions from the perspective of enterprise risk and business growth – and don’t stray too deep into the technology “weeds” in their reports – they will find directors and senior leaders are much more open to engaging deeply in the issues.

ISACA Now: What role should CISOs play in working with the board to elevate an organization’s security protocols?
Ideally, the CISO or other data security leader collaborates with the board and other senior leaders in the following ways:

  • Ensure the board and senior leaders have secure communication tools available and know how to use them appropriately;
  • Provide an update at each board meeting on the current state of cybersecurity programs, changes in the threat landscape, updates on cybersecurity investments, and highlights of any technology developments worth the board’s attention;
  • Answer the board’s questions and provide support on cybersecurity questions;
  • Work with the general counsel or audit committee to develop secure communication policies for the board, and brief the board on these policies – and any recommended changes – at least annually;
  • Arrange for cybersecurity training for directors and senior executives – ideally conducted at least annually (but more frequent is better);
  • Coordinate an annual tabletop exercise for the board, simulating a cyber event and testing the board on their response prowess;
  • Conduct a periodic review of the board and senior leadership’s communication methods and norms – to ensure adherence to policies and reduce reliance on any unsecured communication channels.

ISACA Now: For C-suite leaders who might be frustrated by their board’s lack of urgency when it comes to providing strong cybersecurity and risk management oversight, what are some ways they can deliver a wakeup call?
If a director has had personal exposure to a cyber event, he/she suddenly has a much greater level of awareness about the risk and a greater desire to learn how to ensure security. I don’t believe this “personal experience” has to be an actual cyber-attack – rather, a good simulation exercise, deep discussion at the board table, or a guest speaker who can share some “horror stories” should be enough to spur greater action. I’d recommend any activity that gets leaders asking questions like: Do we know which branch of law enforcement to call, and who is our main point of contact? What sort of cyber risk coverage do we have, and what services will our insurance carrier provide to help us during the breach notification period? What is our level of personal legal liability in this case? Do I need to wipe any of my own personal devices or drives and change any of my passwords?

At the same time, many CISOs do themselves a disservice by not focusing on the right issues in their reports to senior leaders. The CISO’s report should remain high-level and jargon-free (or with easy-to-comprehend explanations). Keep the focus on the enterprise risk and business growth side of cyber risk, not on the nitty-gritty of the CISO’s day job.

Bottom line, if a board doesn’t seem to have much motivation to discuss these serious issues, then the C-suite team should find a way to provide that motivation. The stakes are far too high to just hope for the best.

[ISACA Now Blog]

When it Comes to Cyber Risk, Execute or Be Executed!

Nestled in William Craig’s book Enemy at the Gates, which recounts World War II’s epic Battle of Stalingrad, is the story about a Soviet division that was plagued by failure in the face of the enemy. Desertions were rising, officers’ orders were not being followed, and the invading enemy was making gains. Faced with this calamitous condition, the regimental commander called the troops into formation and let them know that collectively, they were failing and would be held responsible. Then, in an outrageously cold manner, he walked through the ranks and summarily executed every 10th soldier until six soldiers lay dead on the field. He got their attention, and the unit was instrumental in the subsequent Soviet counterattack that led to victory against the Nazi invaders.

Obviously, I do not support such extreme and violent methods of accountability, yet the example does make you pay attention. As we grapple with today’s digital “enemy at the gates” or even the “enemy inside the gates,” the importance of accountability for failure to properly protect the information our national prosperity and security depends on has never been more important. Firing CEOs and CIOs is typically a public gesture enacted to diffuse blame rather than address the root causes. Sadly, accountability and ownership often are missing components in cyber strategies and risk management planning at a time when risks are ever-increasing. Therefore, it is critically important that all organizations better manage cyber risk by embracing a culture of accountability and ownership that guides the implementation of due care and due diligence measures.

I define due care as “doing the right things” and due diligence as “doing the right things right.” Unfortunately, I’ve found too many organizations where due care and due diligence are not occurring. For example, ask most cyber incident responders about the root cause of cyber incidents and they likely will sigh and point to the “usual suspects” – failure to patch, misconfigured systems, failure to follow established policies, misuse of systems, lack of training, etc. As someone who led incident responders in both military and civilian government organizations, I found one of the great frustrations of cyber professionals is when they see leadership ignoring or tolerating the so-called “usual suspects” and not holding people accountable for a glaring lack of due care and due diligence.

While many media reports these days focus on the very real and present threat of well-funded nation-state actors, I contend that the greatest cyber threat we all face is what I refer to as the “Careless, Negligent and Indifferent” in our own ranks. Failing to properly configure a system so that it exposes information to unauthorized personnel is an example of carelessness. Failing to patch critical vulnerabilities quickly or implement additional compensating controls until the patch is ready for promotion could be considered negligence. Personnel who are indifferent about following established policies, such as the prohibition on password sharing, expose organizations to increased cyber risk. While nation-state actors get all the hype, I contend that more than 95% of all cyber incidents are preventable and are the result of the Careless, Negligent and Indifferent in our own ranks. We should not accept this!

Do we need more legislation, regulation or policies to thwart the threat posed by the Careless, Negligent and Indifferent? Do we need to continue our habit of buying the next neat technology in hopes that its “silver bullet” defense will save the day? I don’t think so. I believe what is needed is to execute our existing policies better and hold those who do not follow those policies accountable. While we can’t eliminate our cyber risks, we certainly can reduce our risk exposure by executing our plans, policies and procedures with greater velocity and precision. When we do so, we are exercising due care and due diligence that protects our brands, reputations, customer data, intellectual property, corporate value, etc.

Accountability must be clearly defined, especially in strategies, plans and procedures. Leaders at all levels need to maintain vigilance and hold themselves and their charges accountable to execute established best practices and other due care and due diligence mechanisms. Organizations should include independent third-party auditing and pen-testing to better understand their risk exposure and compliance posture. Top organizations don’t use auditing and pen-testing for punitive measures, but rather, to find weaknesses that should be addressed. Often, they find that personnel need more training, and regular cyber drills and exercises to get to a level of proficiency commensurate with their goals. Those organizations that fail are those that do not actively seek to find weaknesses or fail to address known weaknesses properly.

Sound execution of cyber best practices buys down your overall risk. With today’s national prosperity and national security reliant on information technology, the stakes have never been higher.

Brigadier General, USAF (ret) Gregory Touhill, CISSP, CISM, Former US CISO, President, Cyxtera Federal Group

[ISACA Now Blog]

CYBERSECURITY HIRING – AN ISSUE FOR ALL

As cyber threats proliferate, organizations looking to fill cybersecurity vacancies need to take concrete steps to reboot recruiting and hiring efforts. Qualified candidates for cybersecurity jobs are scarce and getting scarcer, creating a challenge for companies to properly defend themselves against threats. By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to research by (ISC)².

It’s a classic supply-and-demand challenge, with too many vacancies for too few candidates. Currently it takes 55% of organizations at least three to six months to fill a cybersecurity vacancy, and 32% spend even more time to find qualified candidates, ISACA has found. In the United States, 27% of companies say they cannot fill cybersecurity vacancies.

To reverse this trend, employers should work on offering attractive compensation packages and creating a career advancement path for qualified candidates. Cybersecurity workers are more likely to accept jobs with companies willing to invest in training and education to update their cybersecurity skills. And as revealed in a recent (ISC)² report, a greater investment in technology to protect against cyber threats also is needed, since 51% of IT workers in charge of security fear their organizations aren’t prepared enough to respond to cyberattacks.

Employers also should work on expanding the talent pipeline, identifying candidates from other fields who can quickly adapt to the cybersecurity profession and stepping up recruitment efforts in demographics that traditionally have been underserved for cybersecurity work – millennials and women. Tapping these sizable talent pools could help reduce the skills shortage.

The State of Cybersecurity Employment

Skills gaps have persisted in the IT industry for decades, something that industry trade organization CompTIA has sought to address along the way. At least eight in 10 U.S. businesses feel adverse effects of this shortage, according to CompTIA. The problem is especially acute – and worrisome because of what’s at stake – in cybersecurity.

The U.S. Bureau of Labor Statistics estimates that the number of IT security jobs will have increased 18% by 2024, but as (ISC)² has discovered, there will be nowhere near enough skilled candidates to fill those jobs. ISACA has found one in five organizations draw fewer than five candidates for each cybersecurity position.

Meanwhile, cyber threats get progressively worse, becoming more frequent and damaging. Studies suggest many organizations need to better prepare to address the cybersecurity challenge. For instance, a Crowd Research Partners study released in early 2017 shows 62% of respondents had moderate to no confidence in their security measures.

The Recruitment Challenge

What makes cybersecurity recruiting such a vexing challenge? It’s a confluence of factors:

  • Cybersecurity careers remain relatively novel. Most cybersecurity professionals (87%) start out in different work. A student envisioning a technology career is more apt to think about web or mobile app development, not protecting an organization from cyber attacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula, and the cybersecurity field matures.
  • Hiring practices are problematic. Admittedly, when demand far exceeds supply, even the best recruiters will struggle. That isn’t to say improvements are impossible. Protracted hiring processes can discourage jobseekers, who will find employment elsewhere. In a highly competitive market, hiring must be quick and efficient. Another issue is too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate.
  • Employers have unrealistic expectations. Employers need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)² research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. Only about one-third of respondents (34%) said their company pays for all of their cybersecurity training.
  • Women are underrepresented. Female cybersecurity workers remain relatively rare. In North America, only 14% of the region’s cybersecurity professionals are women. That compares with 10% in Asia-Pacific, 9% in Africa, 8% in Latin America and 7% in Europe.
  • Millennials also are scarce. Millennials make up a small fraction of the cybersecurity job market. Millennials are a diverse group with a strong interest in training, mentorship and apprenticeships, areas in which too many of today’s budget-conscious employers could do a better job.


High Stakes

Solving the cybersecurity hiring challenge will take time and effort. In the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process and tapping underserved talent pools.

There’s a lot at stake because organizations need to protect their critical IT assets. As threats proliferate, new tools to combat those threats become available. Companies need to invest in those technologies and the people who run them. This is an ongoing endeavor, which will benefit from upfront investments in hiring and recruiting and in skills development for members of the cybersecurity team. Keeping the skills of cybersecurity workers up to date is essential to the execution of an effective cybersecurity strategy.


How to Attract Qualified Candidates

Successfully filling cybersecurity jobs in such a wildly competitive field takes a refined approach. Here are some recommendations for employers to follow during the recruitment process:

  1. Invest in training and certifications.

Investment in cybersecurity skills through training and certification benefits both the individual and the employer. The cybersecurity field is evolving rapidly to keep up with an ever-changing threat landscape, so security workers need ongoing training to update their skills. Training also has a positive effect on retention. Workers will be less tempted to seek employment elsewhere if they believe their current employers understand the importance of skills development.

  2. Offer career advancement.

Employees view career advancement opportunities as a reason to grow professionally with their employers. That’s true of any field, including cybersecurity. Too often, employers resist advancing workers when they are doing a good job because they want to protect the organization. But this may have the effect of demoralizing employees who deserve to move up, as well as those behind them who are ready to take over their positions. Employers should offer advancement paths based on clearly defined achievements and goals, and make that known during the recruitment and hiring process.

  3. Engage cybersecurity workers in decision-making.

Employers are more likely to attract cybersecurity talent by correctly setting expectations and defining responsibilities. This means clearly articulating that you recognize the role of cybersecurity professionals is primarily to advise senior management on how to minimize risk. (ISC)² has found employers often ignore advice from workers in charge of IT security, with only about one-third (35%) of those workers saying management follows their advice. Employers should be realistic with cybersecurity jobseekers about the organization’s culture and willingness to accept advice, all of which directly contribute to the success of the cybersecurity program. Position the cybersecurity role as a valued contributor and advisor to leadership, but don’t oversell it.

  4. Fine-tune recruitment processes.

As already noted, protracted hiring processes discourage job applicants. Managers can improve the likelihood of hiring the best candidates by making a decision as quickly as possible, and not forcing candidates to wait for an answer for weeks or months. To streamline processes, HR and cybersecurity managers should work together to maintain a pool of resumes they can use when needing to fill a vacancy. In addition, keeping staffers with cybersecurity expertise involved in the hiring process is crucial to hiring the best-qualified candidates.

  5. Target untapped talent.

Millennials and women are a largely untapped talent pool for cybersecurity. Employers can get a jump on the talent market by reaching out to female and millennial candidates, both internally and externally. Another area worthy of exploring is to identify professionals in other fields, such as communications, accounting and law enforcement, who could easily adapt to cybersecurity work. The more diverse your cybersecurity team, the more likely it is to develop effective, innovative practices and approaches to the defense of your IT environment. Homogeneous teams tend to get stuck in repeating tired practices, sometimes even after those practices become ineffective.

  6. Partner with school districts and universities.

The IT industry – and by extension the cybersecurity field – can partly address skills gaps by forging partnerships with schools. Getting students interested in cybersecurity in their formative years is an investment in the future, and there are multiple ways to accomplish this:

  • Sponsor and participate in career days.
  • Offer internships and apprenticeships.
  • Actively participate in the educational process with guest lectures at local schools.
  • Sponsor field trips to data centers and other locations where students can meet cybersecurity workers.
  • Offer scholarships to deserving students, and target girls and other groups that are underrepresented in the industry.

  7. Offer attractive compensation packages.

Competitive pay isn’t the only way to attract good talent – especially among millennials, who also put a premium on corporate values and career development. Still, compensation is a major factor. When talent is so scarce, employers may have no choice but to offer compensation above the average, coupled with an attractive benefits package and bonus schedule. Employers should also make it a practice to adjust compensation for existing cybersecurity staff to prevent poaching.


Competition for cybersecurity talent is fierce and will get more intense in years to come, as employers try to fill positions from a limited talent pool. In the meantime, cyber threats are likely to continue getting worse, adding pressure to fill vacancies. Organizations need to adopt hiring and recruitment best practices, promote from within when possible, and partner with educational institutions to find and develop cybersecurity talent. Hiring cybersecurity workers is a major challenge that shouldn’t be ignored because there’s so much at stake.

(ISC)² will soon have a report, based on survey research, on how job seekers – and those hiring – can come together to help mitigate the challenge of hiring in cybersecurity. Stay tuned!

[(ISC)² Blog]
