Creating a Cybersecurity Center of Excellence

I’ve been writing about the cybersecurity skills shortage for many years and, unfortunately, things seem to be getting worse. Here are a few data points:

• According to ESG research, 28% of organizations claim that they have a “problematic shortage” of IT security skills (disclosure: I am an ESG employee). 
• Job market analytics vendor Burning Glass states that cybersecurity job postings grew 74% from 2007 to 2013, more than twice the growth rate of all IT jobs.
• Prospective employers posted more than 50,000 jobs requesting Certified Information Systems Security Professional (CISSP) certification. Unfortunately, there are only about 65,000 CISSPs in the world, and many are gainfully employed. 
• ISC2, the organization that certifies CISSPs believes that there will be a deficit of 1.5 million cybersecurity professionals by 2020. The UK House of Lords is even more bearish, predicting a shortage of 2 million cybersecurity professionals by 2017. 
• A 2015 report from the Information Systems Audit and Control Association (ISACA) states that 86% of business and IT professionals globally believe there is a shortage of cyber security professionals. In this case, perception is reality. 
• A Raytheon/National Cyber Security Alliance report indicates that 69% of high school students do not have access to computer science classes (or other similar classes) that could help prepare them for a cybersecurity career. 

When I speak with CISOs, I always ask them if they have the right skills and an adequate staff to keep up with the cybersecurity workload. The answer is almost always an overwhelming “NO,” regardless of their organization’s location, size, or industry. Cybersecurity professionals I talk with also tend to respond with a question for me: “What can my organization do to attract cybersecurity talent?”

Based upon conversations with many enterprise CISOs, I believe that the best way to attract and retain cybersecurity talent is to build a “cybersecurity center of excellence.” To become a cybersecurity center of excellence, organizations should:

1. Have a strong cybersecurity culture. Cybersecurity professionals don’t want to work at an organization where infosec is viewed as a necessary evil and business managers/employees pay lip service to security at best. In fact, cybersecurity professionals hate this situation, as they are asked to assume a bad guy role from the day they are hired. Alternatively, cybersecurity professionals love working hand-in-hand with executives, business managers, and employees on risk mitigation and problem solving. To complete this cultural renaissance, CISOs will also want to engage with CIOs to ensure a productive and collaborative relationship between security and IT teams. 
2. Work with local colleges and universities. CISOs should work with HR managers to recruit the next generation of cybersecurity professionals. To facilitate this process, it is worthwhile to develop internship and ongoing recruitment programs with local colleges and universities specializing in computer science and cybersecurity curriculums. Smart CISOs will enlist enthusiastic infosec staffers to design and oversee structured internship programs, make college recruiting visits, and act as mentors for new hires. Note that it may also be worthwhile to participate in state and federal cybersecurity education programs, like the National Initiative for Cybersecurity Education (NICE), Cyber Maryland, or the NSA’s Information Assurance directorate, as there may be recruiting and even tax breaks associated with each. 
3. Promote career development. This is an area that too many organizations neglect, but it is critically important for recruiting and retaining the best cybersecurity talent. CISOs should start by creating, training, and mentoring programs to educate and support junior employees. These efforts will give the organization a reputation as a great place to start a career. Furthermore, organizations should develop formal job titles and organizational structures with detailed job responsibilities, metrics, and promotion guidelines. This organizational hierarchy will help cybersecurity staffers map out their growth path. Finally, CISOs should engage staff members in career development discussions and develop personal plans for advancement with each individual on a quarterly basis. Formal reviews should be supported by constant cheerleading and constructive feedback.
4. Offer benefits for continuing education. Highly driven cybersecurity professionals want to keep their skill sets up with the latest threats and technology innovations. Organizations must recognize and support this desire by encouraging infosec team members to pursue professional certifications, attend industry events, and take a variety of classes whenever possible. Firms should promote skills development by offering compensation benefits and tuition reimbursement.
5. Encourage cybersecurity staff to become active industry participants. CISOs should lead by example here by joining industry organizations like ISSA and participating in customer advisory boards with strategic vendors. Additionally, CISOs should encourage this type of broad industry participation across the entire infosec team. Cybersecurity staff members should have carte blanche to present interesting work at Black Hat, publish articles in trade journals, participate in professional organizations, collaborate with peers on threat intelligence sharing, and work with vendors to test innovative security products.
6. Push for cybersecurity process automation to keep the staff focused on what’s important. A strong cybersecurity culture and personal development won’t mean much if the infosec team is constantly running around in a panic performing mundane manual tasks. Savvy CISOs should embrace process automation and managed services to free up the security team and let them focus on high-priority, high-intelligence activities. 

CISOs who embrace this model should also become shameless self-promoters. The goal? Broadcast details about their organization’s commitment to its cybersecurity center of excellence so the word spreads across the cybersecurity professional community. 

Yes, there are some costs associated with creating a center of cybersecurity excellence, but CISOs I meet with say they are well worth it, as a cybersecurity center of excellence can deliver strong ROI. After all, the alternative is an understaffed and overwhelmed cybersecurity team, high attrition rates, and an increased risk of a devastating data breach. Since every organization can benefit from strong cybersecurity, this trade-off seems like a no-brainer to me.