Strengthening the Cybersecurity Workforce: Meeting Today’s Challenges

Despite the largest cybersecurity workforce in world history (5.5 million), demand is still dramatically outpacing supply — the cybersecurity workforce gap reached 4 million in 2023. Additionally, the threat landscape is more challenging than ever with over half of cybersecurity professionals believing their organization is not adequately prepared to respond to cyber incidents.

In a recent panel discussion at Secure Iowa 2023, several top CISOs gave some career advice to current and aspiring cybersecurity professionals as the importance of cyber threat defense continues to grow.

Desirable Cybersecurity Skills

Ben: As you bring on cybersecurity or governance personnel, what are some of the skill sets that you are looking for?

Carol: I always like to look beyond just your traditionally trained security person. I hired someone with a law degree because I thought she might look at things differently. She was a little bit lacking on the technology side because she did not grow up in technology, but she more than made up for that with her knowledge of the law, being able to dissect contract language, etc.

I also have a heart for bringing people into cybersecurity because we are an underemployed industry. I like to try to mentor people. I also used to teach at the college level, so I like seeing the light bulbs go off. It is good to think about diversity, not just in a traditional way, but also in a diversity of thought.

Jake: We are at a crossroads right now. I have been to a couple recruiting events for different universities here in the state of Iowa, and for a number of years now, we have started to see first classes come out that are educated cyber professionals, and we are at a pivotal moment in talent attraction.

I think what we will see is people that lack depth from other parallel IT practices, like development, database, and infrastructure. There is a baseline fundamental there that is important for us as cyber practitioners to understand how to protect these systems. What I am looking for is depth in some of those other parallel tracks. And then also: interpersonal skills. You are hearing some common themes up here about relationships and communication with our partners, with different IT departments outside of our organization; those are critical skills in this field.

And there is nothing wrong with coming straight out of university with a cyber degree. It is great that universities have cyber programs these days, but it is just something different that we have to work through and understand.

Christina: Interpersonal skills are even more important than cyber knowledge. The ability to learn is another thing that I value. Does a person have the desire to take on those skills and learn those skills and really dive into that position; and do they possess the ability to communicate?

Career Advancement Advice for Current and Aspiring Cybersecurity Professionals

Ben: What advice do you have for aspiring cyber security professionals looking to advance their cybersecurity careers?

Christina: Have a willingness to learn, to dig in, to rip something apart and figure out what happened, and to obtain the knowledge that you do not currently have. How can you obtain that knowledge on your own, do you know who to talk to, where to go, are you utilizing the resources that you have available to you?

Carol: I would say we still have a long way to go as far as getting people interested in cybersecurity at a younger age. The advice that I give people who are just starting out is to have that engineering mindset. I like to mentor younger people who do not even think about cybersecurity as a career, but I can see that they think about things differently. They analyze, dissect, and try to use things in a way that was never intended, so let us use that skill set for good instead of evil. Another piece of advice is to always have a security mindset, just be safe online. We all teach our kids that, and I try to give that advice to all my nieces and nephews, whether they want it or not: be safe online.

There are different aptitudes for different things, and you can be in cybersecurity and not necessarily technical. You might be strategic, good at writing policies, or enjoy it. Thinking about things differently is extremely important and we should be making sure that cybersecurity is seen as just as cool as being a developer.

Jake: Understand the business you work for. Our skill set is very transferable across industries. Get to know the industry you work in. Understand their pain points, their challenges. That goes a long way.

From a technical perspective, AI is a hot topic right now. If you are not exploring that right now as a practitioner, you need to do some work.

Personal Experiences Reshaping Cybersecurity Perspectives

Ben: What was an experience that reshaped your perspective and how did you know better and do better because of it?

Jake: I am a victim of identity theft, and I spent about four or five years dealing with that. I received a call one evening from a car dealership in Tulsa, Oklahoma that said, “Congratulations on your new Corvette, you're coming in to pick it up tomorrow, right?” I said: “No, I'm not.” And he said, “I didn't think so.” It was the business manager, and he did not feel right, so he called me. This is before a lot of the current privacy identity awareness; this was right at the beginning of all of that. That experience really helped shape this career for me. I take it very personally to protect that information.

Carol: Thinking back to the ransomware attack on Des Moines Public Schools, I had not heard of synthetic identity theft until about eight years ago when I started working for a credit card processing company. Your kids' information, because they do not have a credit history, is more desirable and easier to steal that information. And these bad actors can be very patient, I was surprised by that; they will build up these credit scores for these kids and make a fake person or identity based on your kid's social security number.

That was eye-opening for me. I had been in security for a really long time, but that particular vulnerability had never occurred to me because I don't think like a bad actor — somebody would want my kid's data or be able to use that in a lucrative way and that his credit was worth more than mine because his had never been used before.

Christina: My original degree was in accounting, I am a licensed CPA, and I was in public accounting for four years. I went back to get my master's before I could get my CPA license, and during that program I was exposed to fraud examination. One of my professors during my master's program suggested CFE certification to me. I really do think that that Certified Fraud Examiner certification was what started me down this path — the methodical process of the fraud perpetration cycle and how it comes about, how you investigate it and find it led me into internal audit, then security, and now governance. Where I am now is miles away from where I thought I was going to be when I graduated from college.

Bridging the Gap in Cybersecurity’s Evolving Landscape

The cybersecurity landscape is constantly evolving, and threats are becoming more sophisticated — the industry faces a critical challenge: closing the 4-million-person cybersecurity workforce gap. This situation calls for innovative approaches to talent attraction and development, including valuing diverse skill sets and fostering a culture of continuous learning. The insights shared by Christina, Carol, and Jake at Secure Iowa 2023 highlight the importance of interpersonal skills, business understanding, and adaptability alongside technical expertise.

As we look to the future, those in cybersecurity careers must not only expand their ranks but also deepen their collective skill set, embracing diverse backgrounds and perspectives to effectively safeguard our world.

Interested in joining the cybersecurity workforce? Visit our Careers page to learn more about working at HBS.