In 2008, Meg Anderson became Chief Information Security Officer at global investment management company Principal Financial Group. From the vantage of today, the job was a walk in the park. Fourteen years ago, companies had just begun to digitally transform, ransomware was a minor security threat and most everyone physically worked at the office. “Like other companies, the InfoSec (information security) team had the usual network security certifications to secure the environment, monitor threats and ensure compliance with our policies and standards,” Anderson recalled.
Those skill sets are still the price of entry in cybersecurity, but they are just part of a much broader job description. Today’s CISOs are looking to hire people with a strategic ability to synthesize and communicate complex security information, as well as a range of technical proficiencies in automation, data analytics, artificial intelligence, encryption and cryptography.
This broad set of competencies is needed to ensure security is embedded in every new technology the IT organization introduces. Before a team of software designers and engineers designs and develops a business app, for example, it is incumbent on the InfoSec team to be at the initial meeting to understand the app’s purpose, how it will work and who will use it.
“Any IT decision that is made, whether it’s cloud-first, digital acceleration or IoT, has a cyber element to it that needs to be contemplated and considered,” said Kyle Kappel, U.S. leader of cyber at consulting firm KPMG. “Any time a new technology is brought on in today’s environment, InfoSec is into it.”
Ketan Pandit, Chief Information Officer at large insurer QBE North America, agreed this is the case. “There has been a shift in the cultural mindset of IT to embed cybersecurity into processes and technologies before they are designed,” Pandit said. “Given the widening threat landscape and multiplicity of threat actors, software engineers are designing the software from the outset to incorporate cybersecurity. We call this ‘security by design.’”
As this shift occurs, it is creating a need for specialized cybersecurity teams. “There is significant demand for people with specific technical and strategic capabilities to partner with IT as active developers in architecting and engineering business-focused technologies,” Kappel said. “I’ve got Fortune 500 clients I’ve worked with for many years whose cybersecurity teams have gone from a couple hundred people to a couple thousand and they’re looking to grow more.”
There’s only one problem: The sky-high demand for such rarefied talent cannot possibly be satisfied any time soon. In December 2021, a U.S. Commerce Department job-tracking database tallied nearly 600,000 open cybersecurity jobs. Globally, the situation is equally dire, with a shortage of almost 3 million InfoSec professionals cited in the most recent (ISC)² Cybersecurity Workforce Study.
That’s good news for threat actors, particularly cybercrime gangs like REvil and DarkSide that specialize in ransomware attacks. Last year, the number of ransomware incidents nearly doubled, rising 93 percent from 2020 to 2021. The uptick is tied to the size of reported ransom payouts, including $40 million paid in bitcoin by the large U.S. insurer CNA Financial and $11 million in bitcoin handed over by JBS, the world’s largest supplier of meat.
As most companies continue with their “work from anywhere” plans, Kappel said the need for skilled InfoSec talent grows by the day. “Cyber criminals are taking advantage of the shift to a remote workforce,” he explained, citing the move away from VPNs for privileged access toward a Zero Trust network security architecture, in which access is validated at every stage of a digital interaction. “Zero Trust was talked about 10 years ago, but is now being uplifted across businesses and governments,” Kappel said. “As this occurs, it marks a shift in CISO priorities and budgets.”
On the Hunt
Chief among these priorities and capital plans is assembling a deep InfoSec team with added bench strength from third-party Managed Security Service Provider (MSSP) partnerships. MSSPs provide a range of services—firewall management, anti-virus services, intrusion detection, threat intelligence gathering and network penetration testing—freeing internal cybersecurity professionals to focus on strategic, value-added technology projects.
At the large global IT technology services and consulting company Capgemini, CIO Sudhir Reddy has forged partnerships with MSSPs to manage the Security Operations Center (SOC), handle incident preparedness and response, and conduct penetration tests through purple teaming on a biannual basis. Purple teaming is a type of ethical hacking involving two teams of cyber players, one playing defense (the “blue” team) and the other offense (the “red” team), with the two sharing findings as the exercise runs so that defenders can tune their detections against each simulated attack.
Reddy said the public company’s InfoSec team has evolved from “waiting and watching for bad things to happen” into a proactive group of multi-certified individuals, one that could be larger. “We’re in the market for people with threat detection expertise, ethical ‘white hat’ hacking experience, previous SOC (security operations center) involvement, and an understanding of data encryption and cryptography to keep data safe by transforming it into forms unintended recipients can’t decipher.”
Potential job candidates also need to understand the business Capgemini is in as well as its operations (or be readily trainable in this regard), collaborate with the IT organization in securing systems and new software applications, and translate complicated InfoSec language into comprehensible terms for business leaders, functions and departments. As Reddy explained, “We’re looking for InfoSec people who can take a ton of highly technical information and synthesize it into a narrative that makes sense to a stakeholder.”
The challenge is that other CIOs and CISOs want the same people. Anderson from Principal Financial said her recruitment objectives include “an ability to balance the taking of cyber risk with our business objectives. Our job is not to lock everything down and put so many barriers in place the business cannot move quickly.”
Such individuals should have more than a dose of curiosity, an ability to learn continuously and resilience, she said. “There’s a lot of fires to put out in cyber; the stress can be high,” Anderson explained.
Pandit at QBE North America said he is in the market for technically skilled InfoSec professionals with a deep awareness of the types of data the large insurer protects, who have the potential for leadership. “My interest is in people who understand our cyber exposures and are focused on high-value security as opposed to the low hanging fruit,” he said. “Something like threat monitoring can be handled by our MSSP partners.”
John Roman, CIO and cybersecurity expert at top 50 national accounting firm The Bonadio Group, is pursuing similar capabilities. “First and foremost, we’re always looking for people with a broad range of cybersecurity certifications, but we increasingly need them to have good presentation and verbal skills and be analytical thinkers able to ask the right questions,” he said. “Since every business today is a digital business, strong professional skills like listening, writing and speaking are becoming just as important as technical proficiencies.”
At Jack Henry & Associates, CISO Yonesy Núñez tallied up his InfoSec professional needs: competencies in governance, compliance and risk management; security architecture, engineering, apps development, automation and data access management; and the ability to convey information on security strategy and awareness to internal and external stakeholders. Jack Henry & Associates is a technology company and payments processor with more than 8,500 bank and credit union clients.
“I need to be sure our information technology and cybersecurity efforts are in alignment with our business objectives,” Núñez explained. “The elephant in the room is the Great Resignation—people leaving InfoSec organizations for better opportunities elsewhere, at double and triple the salary. My team keeps growing and is twice the size it was eight years ago. I’m making sure we nurture a meaningful work environment to keep it that way.”
Make Work Meaningful
With cybersecurity essential to corporate strategy and job candidates few and far between, cybersecurity chiefs are doing everything they can to build and maintain superlative InfoSec teams. To bolster InfoSec retention at Des Moines, Iowa-based Principal Financial, Anderson encourages her team to “share hacks” with peers at other companies in a network and information security group based in the city called SecDSM. “The group meets on a monthly basis to share security experiences and best practices, giving them continuous learning experiences that extend our culture of security awareness,” she said.
At public company Pega, a provider of business outsourcing software solutions, CISO Carlos Fuentes is offering educational opportunities including a fully paid master’s degree in cybersecurity at the Georgia Institute of Technology. “We pay the tuition in advance for all three years of the virtual program,” said Fuentes, explaining that “knowing someone will come and stay put here for three years is worth the upfront expense.”
Fuentes also engages a diverse technical group of external cybersecurity instructors to teach virtual classes to InfoSec staff and other IT professionals interested in acquiring different security certifications like ISO 27001, ISO 2301 and CISA. The company sponsors a CISSP certification boot camp as well.
“The various classes are open to InfoSec team members as well as mid-career people in IT interested in a job in cybersecurity,” Fuentes said. “Depending on the certification, once they receive it, they might spend three to six months at an SOC responding to alerts, followed by another three to six months working with our outside pen-testing partner doing purple teaming exercises.”
More than technically inclined individuals are invited to learn the intricacies of cybersecurity, he noted. “People from our compliance, audit and even the facilities function have signed up for classes,” said Fuentes, adding that the facilities management personnel make up the largest number of non-IT individuals taking the certification coursework. Asked why this is the case, he pointed to the massive 2014 data breach of retailer Target, in which an HVAC vendor was the vector through which hackers entered the computer network. “The facilities staff came to me and asked how they could secure our ‘smart’ building features; the certification classes were the solution,” he said.
Núñez at Jack Henry & Associates also is fighting the good fight in what he called “a clear and present war for InfoSec talent.” One thing he does is recruit early, he said, offering internships to freshman and sophomore technology students in colleges and universities across the country, through online platforms like LinkedIn, Handshake and the company’s career website. “By leveraging our platforms and communities and embracing remote work, we’ve been able to connect with students from coast-to-coast,” Núñez said, citing partnerships with Missouri State, Southwest Baptist University, Missouri Southern State University, University of North Texas, University of Texas at Dallas and others.
The Bonadio Group has cultivated similar affiliations at the Rochester Institute of Technology (RIT) and Monroe Community College, located near the accounting firm’s corporate headquarters in Rochester, NY. Roman is an adjunct instructor at RIT, where he teaches classes on information security technologies, tools and processes. “We also fund scholarships to students interested in pursuing a career in the cybersecurity field,” he said.
KPMG’s Kappel commented that more colleges and universities need to refocus their curriculums to prioritize cybersecurity training. Most schools have just begun to include cybersecurity in their IT curriculums, he said, “suggesting that CISOs are not going to solve their recruitment needs any time soon. Challenges (for schools) include the development of relevant curriculums around cyber and a faculty trained to teach these topics. Financial aid programs also need to be expanded to welcome more diverse students interested in the field.”
Waiting amidst a shortage of 3 million InfoSec professionals worldwide to fill nearly 600,000 cybersecurity jobs in the U.S. is not a solution in an era when cybercrime gangs have the upper hand.