Are We Solving The Right Problem?

By Mac McMillan, CEO, and President of CynergisTek

If you do not live and work within the cybersecurity profession, it won’t take much research to find out just how far behind we are in having enough qualified cyber warriors. A quick Google search will yield scores of articles decrying just how bad this workforce shortage is, how it’s getting worse, and some even offering creative solutions. In most cases, these “creative solutions” amount to little more than gimmicks or futile attempts to find a different way to say what everyone else had already said: there just aren’t enough cybersecurity professionals to go around. All too often we seem to focus too much attention on the number of professionals and not the quality of the talent, which again is missing the mark in my opinion.

The interesting aspect of this workforce shortage is it’s nothing new.  Nearly four decades ago in the late 80s, before some reading, this was even in the business and I was managing a large security team, I learned this first-hand. Back then cybersecurity wasn’t a term and computer security wasn’t even a real career field yet, and there was no such thing as a pipeline of cybersecurity professionals. We had to create them by drafting talented and experienced network engineers from IT, send them to multiple training courses in security, and then invest the time necessary for them to gain experience. They were literally several years in the making. At that time, the workforce problem was a lot simpler so the shortage was not as pronounced. That, however, is not the situation we find ourselves in today, nor will it be where we will find ourselves in the future.

Healthcare has been transformed by information and technology much like most other industries. Healthcare is now capable of doing amazing things by harnessing information through automation and advanced analytics.  From predictive disease management to better patient engagement, deeper and more dynamic research, more accurate diagnosis, more precise surgical procedures, and on and on. Society has benefited immeasurably by what technology and information have done and will do for healthcare. Well, over 90 percent of providers use an electronic health record, along with hundreds of other systems and applications that automate just about every process in the hospital today. Every practitioner relies on multiple devices to do their jobs and every patient has his or her own health-related apps or devices. Information is shared, repurposed, de-identified, studied, used a thousand different ways, and with countless others. Information transfers back and forth between systems,  in and out of organizations, to and from individuals in a constant maelstrom of activity.

Patient information is concentrated in huge databases, spread over thousands of systems, transmitted and processed at increasing speeds. Who actually thinks that one person, the CISO, is capable of knowing or managing all of the risks associated with this new paradigm alone? And there lies the problem for today and tomorrow…a single individual, or even a group of highly dedicated and capable individuals, is not going to succeed in today’s digital environment. Just like healthcare itself, it takes a care team. Each team may have specialists and sub-specialists, for example, but every member of the security team needs to understand the basic concepts around cybersecurity. If you touch “the system” in today’s healthcare world, you touch the patient.

As a society, we need to understand and embrace the fact that cybersecurity knowledge and skills are becoming a necessity, not a “nice-to-have.” The acquisition of these skills and this knowledge needs to begin the minute we had a child his or her first device and must continue throughout their connected lives. We need to understand that every individual who comes in contact with information technology has an inherent responsibility to know how to use it responsibly, and should understand the risk if they don’t. Every person that works in information technology — be they network engineer, database administrator, code developer, system administrator, etc. — needs to have cybersecurity training and knowledge of cybersecurity-related to what they do. For companies or healthcare organizations, it means shifting away from the notion that one person, the CISO or CIO, is going to protect their entity, or that cybersecurity is simply an information technology problem. The CISO today and in the future needs to be a visionary, an architect, and a business manager, as well as a  cybersecurity generalist who understands the total picture and can apply security principles to orchestrate the right solutions for the business.

The CISO must be someone capable of working collaboratively with others within the institution to secure systems and data; someone who understands the nuances of the business as well as security. In fact, security is part of the business of healthcare, and every organization across the continuum care must understand their specific security requirements. If we are going to be an informational or technologically driven society, then we need to embrace the fact that cybersecurity is an integral component of designing, building, deploying, administering, coding, managing, and using an information system or device.

At the same time, we need to retool cybersecurity experts to focus on the higher, more advanced skills needed to address cybersecurity challenges. We need them to be the analysts, the researchers, the developers, the monitors, the testers, the architects, the policy designers, the consultants, and the program managers.

So how and where do we begin to fix this problem? One approach already mentioned is changing the culture to recognize that cybersecurity is a fundamental aspect of any information system. A core knowledge required for every user is way overdue. This should begin at an early age and reinforced through learning in schools, K – 12 and beyond. This is as much a personal issue as it is a business issue.

There are some excellent programs out there that promote learning around cyber defense like the Cyber Warrior program. This innovative program makes learning about cybersecurity fun and practical for kids and provides a launching path for those who might be interested in further study and/or a career in cybersecurity. Each year the Cyber Warrior program facilitates sponsored educational programs and contests for student teams across the country involving thousands of young people learning and practicing positive cyber defensive skills. Thinking on a grand scale, every elementary, middle, and high school in the country ought to have the opportunity to provide this experience for interested students.

Next, we address it in our technical schools, colleges, and universities. Basic cybersecurity learning should also be incorporated into every college curriculum,  as most higher learning environments include course work using a computer — plus, most students are in school to prepare for a job that also uses a computer. For some, this will be the first real immersion into an environment where their computer is something other than a platform for social media. The number of undergraduates, master’s and doctoral programs in cybersecurity are growing, and both classroom and online curriculums are available, but we need to recruit more proactively and promote these degree programs. One way to do this would be to offer tuition assistance, career jumpstart opportunities, paid intern programs, etc. Curriculums should also become more specialized offering classes in specific skills such as cyber analysis,  security engineering, secure architecture design, and security management. We need to read the next generation of cyber warriors to be more prepared to hit the ground running and capable of making an impact when they arrive in the workforce.

Starting cybersecurity education early can also address cybersecurity challenges that arise in office environments, as workforce members arrive with an inherent appreciation for cybersecurity principles already ingrained. Organizations can cultivate their own cybersecurity talent by providing basic cybersecurity training to IT staff, and recruiting within for younger IT professionals to fill the more tactical jobs in security. This will allow more senior cybersecurity professionals to focus on more strategic tasks and be more proactive. We also need to give security professionals more time to increase their knowledge and skills. Professional development and skill enhancement are key determinants of job satisfaction for most cybersecurity staff, yet nearly half report that they have precious little time for this pursuit.

To put that in perspective, in terms of importance, 66 percent of cybersecurity professionals in healthcare receive at least one recruiter call per week.1 Cybersecurity professionals also need to feel what they do makes a difference and is appreciated and supported. Thought should be given to where these individuals report in the organization, the visibility both they and the security mission are given, and the resources and support the program receives. These are people who work in an incredibly dynamic field, have many different interesting paths, belong to a workforce segment with zero unemployment, and constant inducement to go elsewhere.  In short, you need them more than they need you.

Organizations need to also look at their strategies for recruitment and retention. Broaden the focus, or more appropriately stop focusing. Look at cross-training opportunities with motivated individuals, get involved with local schools and technical schools, sponsor cybersecurity events to pull in other interested candidates. Create a cybersecurity support ecosystem for staff by connecting with local government and professional associations like ISACA. Create diversity in assignments and opportunities to learn new skills. Commit to supporting professional education, certifications higher learning. Give serious consideration for career progression and incentive programs tied to continuous learning and acquiring new skills. Pay attention to pay scales and geographic norms for compensation. Cybersecurity professionals want and expect fair pay, but more than anything they want to be challenged, they want to continue to learn,  and they want to make a difference. Organizations that want to attract and retain high caliber cybersecurity professionals need to create this environment.

The solution to the workforce problem is not the minting of an army of cybersecurity professionals, as if we expect the supply of talent to catch up to the demand. We also can’t wait for the military or colleges to produce what we need unless you have another decade to wait. If we want to solve this shortage now we need to think more

strategically and more broadly with respect to where applicants for roles might come from, and we need to act tactically and get serious about designing and providing workplaces that will attract and retain cybersecurity professionals. In the short run, we need to remember that this workforce has options and is highly sought after, and conventional recruitment and retention is not going to be enough.

About the Author

Mac McMillan, CEO, and President of CynergisTek

1. CSO Magazine, Cybersecurity Snippets, John Oitsik, Nov 28, 2017