There has been a consistent message over the past few years with regards to cybersecurity education. Namely, that the field is dangerously understaffed and that there are over 1 million unfilled jobs globally.

This hype has contributed to a significant number of new cybersecurity programs being created at all levels of higher education, from community colleges all the way up to institutions such as MIT, Penn, and Brown. According to ISACA's 2016 Cybersecurity Skills Gap infographic, there will be a global shortage of 2 million cybersecurity professionals by 2019. Frost & Sullivan indicate a shortage of 1.8 million professionals by 2022 in their 2017 Global Information Security Workforce Study. Combined with this is a focus on data breaches and hacks, with large numbers used to communicate that this is a serious issue.

At the same time, according to the Online Trust Alliance, 93% of all breaches could be stopped by basic cyber hygiene. Verizon's 2017 Data Breach Information Report indicates that 81% of the reported breaches used as data in that report involved stolen or weak passwords. The FBI has indicated that two-factor authentication dramatically reduces the risk of data breaches or hacks.

Combined with that, a large number of the vulnerabilities discovered over the past year have engineering issues as their root cause. The two most glaring examples of this were Meltdown and Spectre. However, the Microsoft vulnerabilities that led to the WannaCry and Petya/NotPetya attacks cannot be discounted. Neither can Heartbleed or the other attacks on secure communications.

What we need to focus on with training and engagement

When you combine these two factors, basic hygiene and engineering issues, the question becomes one of focus. Instead of focusing energies on developing new analysts and new cybersecurity jobs, perhaps we should be focusing where we have the greatest potential effect.

There are several areas where I think we could have the greatest effect on improving security.

The first is reducing end user training overload. A major component of my job is to develop training and communication plans for our team. Our work is highly varied and our workforce is very diverse. One commonality is workload and workflow. Team members don't have the time to sit through training, and they don't like being lectured to. What happens, in my general observation, is that people tune it out because they feel it is not relevant to them.

An important lesson I learned from a Chief Medical Officer I worked with is that current training methods weren't enough. You have to get out there and engage, and work very hard to establish two-way communications with the workforce. What I learned from her was to redevelop our training plans to focus on short communications that are relevant and reinforced with communication on who to contact in case of an issue. Further work with multiple public relations and communications teams has reinforced everything she said.

We need to be focusing on how we communicate and integrate with our users, so that we can do a better job of providing them relevant information they can use. We also have to make sure that we're not being onerous.

Secondly, it's about evolving the engineering and design processes. We believe security to be critically important, and it's important to have vendors and internal development match that ideal. While cybersecurity analysts are critically important to analyze potential issues, the current focus has not been on how to address these issues from a design or engineering perspective.

One of the companies that got this right was Microsoft, who in response to significant issues with Windows XP, redeveloped their entire product development lifecycle to address core vulnerabilities, and empowered key engineering leaders like Mark Russinovich to re-engineer their products to improve security. Microsoft was able to address entire classes of vulnerabilities, and developed a significantly more secure code base because of it. Most importantly, vulnerability management at Microsoft greatly improved.

Understand the entire development process. Sit down with the project managers and team, and talk with them about what they do. One item you will find is that more often than not, they do have a basic understanding of security. What they will most likely need is guidance and advice from you and your team. Whether it's the internal team or a third party, speak with them and find out what they do, and address their needs and concerns.

Incorporating risk management and security

What we've observed is that the organizations that are the most successful at addressing security and risk are the ones that incorporate risk management, and by extension security, into their product management processes. When you build security into every step of the workflow and educate the team members on what they need to do, you get immediate benefits.

Include team members in the overall risk management program as your third step. Security can't be a black box to them. The one thing that can disengage people the most is asking them to do tasks or change their processes without explaining why the changes are needed or what they really mean to them. Instead of spending your educational budget on developing more analysts, get the whole team up to speed on the basics so they understand what you are asking for and why. Target the education to improving the team's knowledge of security. Develop appropriate metrics to define and measure success. Empower them to work toward a common goal of lower risk.

This leads to developing workflows for the teams that integrate into your risk management plan and paint an accurate picture of your environment. This gives you something that can demonstrate success using the metrics we described before. More importantly, this gives you a view into your environment that you didn't have before, so you can accurately assess and address risk, and you've educated the team at the same time. You've also created the feedback loops to monitor, review, and course correct security across your organization.

We do have a job shortage in cybersecurity. It's not a lack of analysts or specialists. It's a lack of professionals who know how to assess and address risk, and who know how to span traditional boundaries to engage and educate customers on how they can be empowered to improve. Adding people dedicated to cybersecurity doesn't correct the engineering issues or development processes that generate the holes in the first place. Engaging teams and doing the hard work does.