1
00:00:00,05 --> 00:00:03,03
- [Tia] The cybersecurity skills gap,

2
00:00:03,03 --> 00:00:05,00
a challenge the industry has been faced

3
00:00:05,00 --> 00:00:06,06
with for several years

4
00:00:06,06 --> 00:00:09,08
and does not appear to be going anywhere anytime soon.

5
00:00:09,08 --> 00:00:12,08
In fact, study after study supports the idea

6
00:00:12,08 --> 00:00:14,09
that the skills gap will continue to grow

7
00:00:14,09 --> 00:00:17,02
and security leaders will continue to struggle

8
00:00:17,02 --> 00:00:20,00
with hiring and retaining security talent.

9
00:00:20,00 --> 00:00:23,07
ISC-squared 2021 workforce study revealed

10
00:00:23,07 --> 00:00:25,07
that security professionals view the gap

11
00:00:25,07 --> 00:00:27,06
as the number one barrier to meeting

12
00:00:27,06 --> 00:00:29,05
organizational security needs,

13
00:00:29,05 --> 00:00:32,05
with 60% of the participants citing the shortage

14
00:00:32,05 --> 00:00:35,00
as a source of organizational risk.

15
00:00:35,00 --> 00:00:37,03
The study also showed that even though roughly

16
00:00:37,03 --> 00:00:39,01
700,000 professionals joined

17
00:00:39,01 --> 00:00:40,08
the cybersecurity workforce,

18
00:00:40,08 --> 00:00:42,05
the demand for talent stretches

19
00:00:42,05 --> 00:00:45,00
far beyond the available supply.

20
00:00:45,00 --> 00:00:47,01
Oddly enough, on the other side

21
00:00:47,01 --> 00:00:48,09
of the skills gap conversation

22
00:00:48,09 --> 00:00:51,01
is a growing number of individuals entering

23
00:00:51,01 --> 00:00:54,03
into the cybersecurity industry to help close the gap,

24
00:00:54,03 --> 00:00:56,02
but finding it extremely difficult

25
00:00:56,02 --> 00:00:58,01
to land gainful employment.

26
00:00:58,01 --> 00:01:00,09
While the industry tied to 0% unemployment rate

27
00:01:00,09 --> 00:01:02,04
for cyber security professionals

28
00:01:02,04 --> 00:01:05,08
and the demand for qualified talent continues to rise,

29
00:01:05,08 --> 00:01:08,00
many candidates for security roles are passed

30
00:01:08,00 --> 00:01:10,03
over due to lack of experience,

31
00:01:10,03 --> 00:01:12,02
non-technical backgrounds,

32
00:01:12,02 --> 00:01:14,09
insufficient education and/or certification,

33
00:01:14,09 --> 00:01:17,02
and the list goes on and on.

34
00:01:17,02 --> 00:01:19,09
Let's take a step back for a moment and ask ourselves.

35
00:01:19,09 --> 00:01:22,06
Where is the real problem?

36
00:01:22,06 --> 00:01:25,05
On one hand, we have a growing demand for talent

37
00:01:25,05 --> 00:01:27,00
and a highly competitive market

38
00:01:27,00 --> 00:01:29,03
with a 0% unemployment rate.

39
00:01:29,03 --> 00:01:30,05
And on the other hand,

40
00:01:30,05 --> 00:01:32,07
we have a pool of entry level talent

41
00:01:32,07 --> 00:01:35,05
struggling to find jobs with organizations

42
00:01:35,05 --> 00:01:38,07
that by all accounts are desperate for talent.

43
00:01:38,07 --> 00:01:40,04
So where's the disconnect?

44
00:01:40,04 --> 00:01:42,03
Should entry level job seekers

45
00:01:42,03 --> 00:01:44,07
do more to be considered qualified?

46
00:01:44,07 --> 00:01:46,06
Should hiring managers assess

47
00:01:46,06 --> 00:01:48,02
and redefine the qualifications

48
00:01:48,02 --> 00:01:51,03
for cyber security talent in their organizations?

49
00:01:51,03 --> 00:01:53,01
Maybe security leaders should design

50
00:01:53,01 --> 00:01:54,09
their cyber security programs in a manner

51
00:01:54,09 --> 00:01:57,02
that is more open to the continuous hiring

52
00:01:57,02 --> 00:02:00,04
and development of security professionals at all levels.

53
00:02:00,04 --> 00:02:03,08
Or perhaps it's a bit of all the above.

54
00:02:03,08 --> 00:02:06,05
If you said to yourself all of the above,

55
00:02:06,05 --> 00:02:07,09
you're spot on.

56
00:02:07,09 --> 00:02:09,01
Think about it.

57
00:02:09,01 --> 00:02:11,05
If security leaders restructure their security teams

58
00:02:11,05 --> 00:02:14,07
to create more opportunity for entry level talent,

59
00:02:14,07 --> 00:02:16,04
and to find qualifications based

60
00:02:16,04 --> 00:02:18,00
on the functions of the role,

61
00:02:18,00 --> 00:02:20,02
then job seekers new to the industry

62
00:02:20,02 --> 00:02:21,07
will begin to have a better understanding

63
00:02:21,07 --> 00:02:23,09
of the skills that are actually required

64
00:02:23,09 --> 00:02:26,05
for a given role versus trying to cast

65
00:02:26,05 --> 00:02:30,00
a wide net and touch on a long list of nice-to-haves.

66
00:02:30,00 --> 00:02:32,01
This in turn will enable newcomers

67
00:02:32,01 --> 00:02:34,01
to hone in on specific skills

68
00:02:34,01 --> 00:02:36,09
leading them to be more qualified and a better match

69
00:02:36,09 --> 00:02:39,08
to the needs of security teams with open roles.

70
00:02:39,08 --> 00:02:42,01
Quite frankly, this approach could even influence

71
00:02:42,01 --> 00:02:44,02
the decisions of certification bodies

72
00:02:44,02 --> 00:02:46,02
and academic institutions tasked

73
00:02:46,02 --> 00:02:48,04
with educating and validating the experience

74
00:02:48,04 --> 00:02:50,01
of cyber security professionals.

75
00:02:50,01 --> 00:02:52,00
Everybody wins.

76
00:02:52,00 --> 00:02:53,08
I bet I know what you're saying to yourself

77
00:02:53,08 --> 00:02:55,03
as I'm talking through this,

78
00:02:55,03 --> 00:02:57,04
something along the lines of,

79
00:02:57,04 --> 00:02:59,08
"Okay, Tia, this all sounds great,

80
00:02:59,08 --> 00:03:02,08
but unfortunately I can't just wave a magic wand

81
00:03:02,08 --> 00:03:03,09
and make all this happen."

82
00:03:03,09 --> 00:03:06,03
And once again, you're 100% correct,

83
00:03:06,03 --> 00:03:09,05
but trust me, it's not nearly as heavy a lift

84
00:03:09,05 --> 00:03:11,02
as you might be thinking.

85
00:03:11,02 --> 00:03:13,04
As we progress through the remainder of the course

86
00:03:13,04 --> 00:03:15,02
and unpack some common challenges

87
00:03:15,02 --> 00:03:17,07
security leaders face and how to solve for them,

88
00:03:17,07 --> 00:03:18,08
keep the following questions

89
00:03:18,08 --> 00:03:20,07
in mind to help you remain grounded.

90
00:03:20,07 --> 00:03:23,09
Number one, what is your security team's top priority

91
00:03:23,09 --> 00:03:25,03
within the organization?

92
00:03:25,03 --> 00:03:27,07
And number two, what are the team's high level

93
00:03:27,07 --> 00:03:29,06
roles and responsibilities?

94
00:03:29,06 --> 00:03:32,01
Now there's certainly other very important questions

95
00:03:32,01 --> 00:03:34,00
you'll eventually need to ask yourself,

96
00:03:34,00 --> 00:03:36,01
but the goal of these two questions

97
00:03:36,01 --> 00:03:37,08
is to ensure you remain focused

98
00:03:37,08 --> 00:03:40,04
on the desired outcomes of the security program

99
00:03:40,04 --> 00:03:42,08
and your team's alignment to those outcomes.

100
00:03:42,08 --> 00:03:45,05
This way, whether you're a CSO responsible

101
00:03:45,05 --> 00:03:47,07
for leading several functional teams

102
00:03:47,07 --> 00:03:49,03
or a SOC manager responsible

103
00:03:49,03 --> 00:03:50,09
for a specific functional team

104
00:03:50,09 --> 00:03:52,06
within the security program,

105
00:03:52,06 --> 00:03:54,06
keeping the desired outcome

106
00:03:54,06 --> 00:03:57,08
or the why we're here in mind will help inform

107
00:03:57,08 --> 00:04:00,03
both the strategic and tactical decisions

108
00:04:00,03 --> 00:04:02,04
you'll be making as you evaluate

109
00:04:02,04 --> 00:04:05,00
and continuously improve your teams.