Understanding the Link Between HR and Cybersecurity Staffing in Organizations
The global cybersecurity workforce is bucking all economic trends. In a turbulent world where the threat of a deep and damaging recession is casting a dark shadow on all governments and businesses, employee numbers in cybersecurity are exploding. So, too, is the demand for professionals in the field.
The result? Despite a considerable increase in cybersecurity employees, organizations are finding themselves shorter of the expertise they need. That puts more pressure on existing staff and increases the organization’s risk.
If your organization fails to respond appropriately to this evolving cybersecurity landscape, the consequences could be catastrophic.
The question is, what can you do to mitigate your risk?
Understanding the Cybersecurity Workforce Shortfall
The newly released (ISC)2 Cybersecurity Workforce Study estimates that there are now 4.7 million people employed in the global security workforce – an increase of more than 11% over the previous year.
However, the demand for expertise in the field has grown even faster than jobs could be filled. The shortfall between employed numbers and this demand is up 25% over the same period, to a record 3.4 million.
While some of the factors underlying this workforce shortfall may be out of your control – geopolitical and macroeconomic events are something no company or even single government can contain – developing your workforce strategy effectively should be prioritized to mitigate security risks to your organization.
A weak link between HR and security managers is one of the major internal factors damaging organizations’ ability to hire cybersecurity expertise. In its survey of almost 12,000 cybersecurity internal practitioners and decision-makers, (ISC)2 found:
- Only 52% of respondents said that hiring managers have a strong working relationship with HR
- 40% of hiring managers said that the HR department at their organization does not add value to the recruiting process
- Security managers with a weak relationship with their HR department are more than 2.5x more likely to have significant staff shortages compared to security managers with a strong relationship with HR
The Real Threat to Your Cybersecurity Workforce Isn’t External
We can discuss how the external landscape is damaging your ability to fill your cybersecurity roles all day – and longer. The skills shortage is well documented, but it has been with us for decades. The world’s political and economic climate is in constant flux. These are factors that are beyond your control.
What you can control is your internal strategy, policies, procedures, and culture. Indeed, in its survey, (ISC)2 found that the factors with the most significant negative impact on cybersecurity staffing were internal issues, including:
- A lack of prioritization for security
- Insufficient training of staff
- A lack of opportunity for professional development and promotion
- Misalignment of staff resources
- No plans to backfill roles
Other factors that affect attracting and retaining cybersecurity staff include uncompetitive pay and inadequate budgeting.
Where does the ability to find talented candidates come on the list?
It was ranked at the bottom of the ten most significant causes of the cybersecurity staff shortage.
What Does a Shortage in Cybersecurity Staff Mean for Your Organization?
70% of respondents to the (ISC)2 survey feel that their organization lacks the staff to be effective in cybersecurity. The worst shortfalls are in aerospace, education, insurance, transportation, and government.
Organizations with staff shortfalls are putting themselves at risk. For example, the ability to conduct adequate risk assessments, implement necessary patching to critical systems, and monitor those systems effectively is severely jeopardized.
Staff shortfalls also have a significant negative impact on your existing security employees. They must work longer hours, achieving more with fewer resources. They have less time to learn new skills and keep pace with change. The risk of burnout and departure is very real. And every employee who quits leaves a further shortage in your workforce. The downward spiral begins and then snowballs.
To Close the Workforce Shortfall, Close the Divide Between HR and Security Teams
What is your organization doing to reduce the cybersecurity workforce shortfall?
The most common strategies include automating security processes, hiring and onboarding new employees, investing in certifications, and providing more flexible working arrangements. Yet in the (ISC)2 survey, these were found to be among the least impactful measures.
It was found that the organizations least likely to suffer from a staffing shortfall were those that have strategies such as:
- Internal training initiatives
- Rotating job assignments
- Mentorship programs
- Pathways for employees outside of cybersecurity to join the field
Further, the more of these initiatives an organization implements, the less likely it is to have a staff shortfall.
Here’s the thing, though: all these strategies require close collaboration between HR and cybersecurity teams. HR must understand the issues at hand. Decision-makers must also listen more closely to their teams to better understand the nature of the shortfall and measure the pulse of the cybersecurity team.
When hiring, HR and security managers must work closely together. The security manager knows what skills and personality qualities they must hire for. HR has the experience and expertise to find the talent required.
The bottom line? You are much less likely to have a cybersecurity workforce shortfall when your cybersecurity and HR teams work as one.
To learn how Tiro Security and our partners can help you achieve your strategic goals, contact us today.
Stop Press! The Role of HR Professionals in Strengthening the Cybersecurity Workforce – Workshop at the 2023 NIST/NICE Conference
Our CEO Kris Rides has been invited to host a workshop on behalf of the National Cybersecurity Training & Education Center (NCyTE) at the 2023 NIST/NICE Conference. The workshop will focus on addressing hiring procedures related to entry-level and mid-level cybersecurity/IT jobs, answering questions such as:
- Does HR use different hiring procedures for entry-level and mid-level cybersecurity/IT jobs than other tech jobs? What drives this?
- Are entry-level experience/education requirements hurting your hiring?
- What are innovative approaches that work to fill the cybersecurity workforce gap?
- Is a Bachelor’s Degree requirement increasingly not needed in your industry? What are surrogates to indicate preparation and competence?
- What role are workplace teams having in supporting entry-level skill development?
For more information about the workshop, please email Kris Rides directly with the subject line “Request for information re Role of HR Professionals Workshop at the 2023 NIST/NICE Conference.”