Cybersecurity: Why we need to shift the narrative to build a cyber-ready workforce

Cybersecurity was named as one of the top issues facing the world at Davos 2023. Experts urged for a global response to the ‘cyber storm’, observing that the next pandemic could be the cyber pandemic. The acute shortage of relevant first responders, i.e. cybersecurity professionals, further complicates and exacerbates the issue.

It’s well known that most of an iceberg sits below the water surface, and this is a good way to think about the skills gap we are facing in cybersecurity.

At the tip are the skills that spring to mind immediately when we think of hackers and warding off those with malicious intent. But just as 90% of the iceberg is hidden, the all-too apparent need for those skills belies a wider need for competencies that support and underpin the broader goal.

These include audit skills, coding and system integration skills, an understanding of law and policies, and the ability to build relationships with multiple stakeholders and lead in crisis situations.

The cybersecurity skills gap is large and growing, as organizations struggle to fill roles and workers lack the skills required for jobs that continue to evolve with innovations in new technology.

In our July 2022 Tata Consultancy Services (TCS) Risk & Cybersecurity Study, chief information security officers (CISOs) and chief risk officers (CROs) identified skill sets to manage, engineer and support cybersecurity technology as a top challenge, followed by workplace changes and requirements, and assessing cyber risks and quantifying relevant costs.

In addition, many highly skilled cybersecurity professionals are avoiding taking leadership positions because of the ever-increasing pressure and burnout, creating a leadership gap.

Having said that, I do believe that we can harness the diverse talent-pool across workstreams – technology or not – to address the current cybersecurity skills gap.

All we need is a shift in the narrative. Here’s how:

Enterprises can greatly reduce the demand on their cyber-focused teams by deploying integrated cybersecurity platforms that improve visibility and control of their threat landscape and automate workloads for proactive defence.

Shifting to cloud platforms is another option. In our study, a majority (60%) of CISOs and CROs said they feel confident they can avoid serious financial or reputational fallout from a major cyber attack in the next three years.

A significant source of that confidence, it appears, stems from the fact that 62% of the officers say cloud is at least as secure as on-premises servers, or more so.

Further, they could leverage the scale and expertise of managed security service providers who are continually equipping themselves with the latest technologies.

Hiring for skills, not degrees is a movement backed by US President Joe Biden, and one he singled out in his State of the Union Address late last year. It’s a pathway that can unlock a wealth of latent talent, both from within organizations and from outside them.

Cybersecurity requires a variety of skills besides technology. A strong cyber team needs a combination of in-depth knowledge, advanced skills, and experience in multiple areas such as dealing with regulators and compliance officials, coordinating with law enforcement, and navigating interactions with various government bodies and policy-makers.

Given this, unconventional as it sounds, cybersecurity could leverage the best of what professionals such as mathematicians, statisticians, lawyers, or retired military officers have to offer.

When you hear the word cybersecurity, what do you think of? A group of nerds sitting in a room fighting an invisible enemy? A team of white men dressed in hoodies? Or perhaps a swathe of grey suits, talking in jargon that’s hard to penetrate?

Each of these outdated tropes is part of the reason that cybersecurity has not often enjoyed the kind of appeal associated with other technology professions. People don’t recognize the variety it offers. We, as a profession, need to do more to talk directly to them – going to meet them where they are, with messages that will resonate.

To me, the scope to promote diversity represents an opportunity to bring more people into the conversation, widening and broadening the range of opinions and skills on offer. Promoting diversity through campaigns featuring women, associates from under-represented communities, young cybersecurity hires and others will encourage more people to consider cybersecurity as a career choice.

Candidates, for too long, have been locked out of opportunities in which they might thrive because they didn’t have the right degrees or certifications. A shift towards seeking open and inclusive hiring can help address this.

Employers must evaluate whether certifications are necessary for certain roles, or if apprenticeships are good enough to get started, and clarify the skill set requirements used in job descriptions accordingly.

Enterprises could collectively work towards enhancing the entry level talent pool, by targeting university students with campaigns that excite them for a career in cybersecurity, alongside programmes to train them early for the same.

At TCS, we’ve participated in such efforts – we offer training programmes through select universities, to help students gain industry-ready skills for a cybersecurity career. With six weeks of focused training during the university course, and an additional four to six weeks of on-the-job experience, participants can rapidly gain the skills necessary to support cybersecurity goals inside an organization.

Efforts to create a more cyber-ready workforce also need to be scaled up with support from governments. This approach can be two-pronged, with a formalized function run through universities and another aimed at lowering the entry level barriers for school leavers and undergraduate students.

The current steep rise in demand will pare down once maturity kicks in. Automation will also play a key role in neutralizing the demand.

With support through paid internships and apprenticeships, a systematic recruitment and hiring programme can create a far more robust talent pipeline to help fill the open roles and shore up our systems.

We need fresh perspectives on the convoluted matrix of modern cybersecurity threats, which, I think, is most likely to come from a diverse team with a variety of skills and life experiences.

Having an inclusive approach is key to harnessing the widely available talent and building a diverse cybersecurity workforce, thereby ensuring the best people are on hand to address the existential threats organizations face every day.