Last year’s cybersecurity scorecard did little to reassure consumers that large companies are serious about security and privacy
Massive data leaks hit the news every month against the background buzz of hundreds of smaller breaches that didn’t make the front page. As the first quarter of 2019 comes to a close, it looks like this year will be no different. By the end of January, the IT Governance Blog was able to report the leaking of over a billion records in four weeks. To a casual observer, it seems businesses aren’t doing their part to protect customer data. In some cases that’s true, but the reality is more complicated.
Many businesses are committed to security and privacy in principle but struggle to hire the cybersecurity talent they need to keep data out of the hands of criminals.
The cybersecurity skills gap makes it hard for companies to implement security best practices. In 2017, the Global Information Security Workforce Study reported that two-thirds of the 20,000 organizations surveyed lack experienced professionals who can combat cybercrime threats. The situation has become even more challenging in the intervening year. Fewer than 20% of IT security managers believe that there are enough trained cybersecurity professionals to meet their needs.
The scarcity of cybersecurity professionals means that the best in the business can pick their ideal employer. If they are dissatisfied, they are confident they will find a rewarding position elsewhere. It’s a candidate’s market, and that makes it hard to hire and retain qualified employees. Businesses have to compete for the best, and that means making a conscious effort to improve the attractiveness of their organization to cybersecurity pros.
Cybersecurity professionals care about the culture of the organization they join. They express frustration when hiring organizations don’t understand cybersecurity issues and don’t give security the priority it deserves. (ISC)²’s Hiring And Retaining Top Cybersecurity Talent Report showed that more than half of security professionals decide not to apply for a job when the job ad shows a lack of understanding about the realities of cybersecurity.
Cybersecurity culture is largely a function of executive leadership. Strong cybersecurity leadership can help to create a culture that prioritizes security and privacy.
Security goes beyond technology, and cybersecurity leadership requires more than technical expertise. Security best practices must be woven into a business’s operations at every level, from the C-Suite to the cubicle to workers in the field. Security is a collaborative process. Building a cybersecurity culture requires soft skills as well as technical expertise. As Brian Contos recently wrote: “establishing a cybersecurity culture advocates the need that everyone – including executive leadership and management – has an equal part in cybersecurity.”
Without a strong advocate for security in the C-Suite, it’s unlikely that a cybersecurity culture attractive to skilled professionals can develop. No professional wants to work for an organization that doesn’t support their expertise. To entice cybersecurity professionals with the expertise to keep data safe, businesses must create a culture of cybersecurity within their organization, and that requires talented and committed cybersecurity leadership.
About the Author
Dean Madison is the president of TD Madison & Associates. The company is founded on the principle of providing a more predictable approach for evaluating the culture, strategic fit and qualifications of potential candidates for key senior-level positions within the cybersecurity and telecom industries. Follow them on Twitter @TD_Madison.