Deidre Diamond is the founder and CEO of CyberSN, the industry’s leading career and staffing firm solely focused on the cybersecurity talent industry.
She joined us at a recent event to talk about the shortage of cybersecurity professionals, fluctuations in the cybersecurity job market and leadership roles for women within security and IT.
What’s changed with the cybersecurity job market during this pandemic?
A lot. So you know, we’ve had the general shortage of cybersecurity professionals before this pandemic, but then the pandemic hit and this push to the remote workforce and digitalization put a significant strain on cybersecurity professionals. They had the rapid shift to remote work with short security planning and high expectations. I know even from my own organization, it’s a lot that wasn’t necessarily anticipated for and security professionals were also tasked with IT-related tasks. So not only did we get an increase in attack volume and velocity, we got an increase in work for security professionals instantly, and that has forced a lot of challenges, particularly since it takes you know years to develop a security practitioner.
Another thing that’s happened to the cybersecurity professionals is they have a seat at the table with a lot of organizations so they have to be able to speak that language. Are you hearing that being a struggle?
It’s always a struggle to present to a board, but they’re doing a good job at it and they’re making it happen. In the last 12 months, we’ve increased our job categories in cybersecurity up to 45 from 35. One of the biggest areas of increase were managers, directors, and BISOs (business information security officers). You really never saw those roles, now they’re abundant out there. That means that these presentations to the board or to these other executives are working because they’re getting the budgets to hire these managers and directors, which they didn’t have before.
Talk to me a little bit about what markets are you seeing the hottest right now.
In terms of industries, it’s everywhere, but of course, healthcare is at the top and finance is also up there. Believe it or not, software companies need to have security practices that pass vendor security audits and documentation.
What we’ve seen on the job side is that the technical roles, the security engineers are no longer doing IAM and DevStack ops. They’re separated; now IAM and DevSecOps have their own functional roles. Many people are hiring these roles just to do that versus it being part of their day. So, there’s a lot more specialization as these departments need to hone in on these particular areas.
Especially when we’re seeing such an uptick in reported ransomware there’s, threat hunting has always been there, it’s just a lot more visible now. How are you seeing people who are looking to fill these roles focused on ransomware?
What’s happening is that organizations now have their own threat centers, they’re not relying on technology only. We’ve seen that organizations have these teams versus outsourcing it just having a vulnerability program. There’s a lot of investment in threat hunters and incident responders, too. Gone are the days of “Oh, incidents aren’t going to happen.” They’re happening all the time, so how are we responding to these incidents? Sometimes they’re false positives, sometimes they’re major, sometimes they’re nothing, and everything in between. During an incident, incident responders are the cool cucumber in the house. That skill that has to be trained: how to handle chaos in an emergency. What’s going on, and who’s to blame? They’re like investigators, they have to document everything and they also are high EQ and there’s not a lot of teaching of that going on in the industry.
Security professionals are marketers, they are part of the sales team, they are part of operations…
Another part of the challenge of why this industry has been so challenged with talent to begin with is that because security isn’t a one size fits all, it’s really not even an industry size fits all.
Cybersecurity professionals are protecting the company, their data, their physical being, their structures they may own or even properties. It covers the entire organization in ways that no other department does. Therefore, job descriptions have to be very different and that’s not what happens. Everybody cuts and pastes the same job. What do we really need? How do we know what we need? It’s hard for organizations to know now. They’ve got to be security experts in order to hire security experts. That’s a challenge and we find that a lot of work that we do is in that area of understanding what our organization needs you know.
As a company looking to bring on quality talent, you could go a number of different ways: a contractor, outsourcing, or bringing someone in. Bringing in that right talent is a bit of a challenge because you want to groom them and you’ve got to keep them. Because of budgets, are companies looking to bring in people or looking to contract?
I love this conversation. So you don’t see contractors in security unless it’s the SOC. The analysts, government, or energy-related firms, that’s where you see a lot of contract work. In general everybody’s permanent. I expect that it will become common over time just because it’s really a CapEx/OpEx thing, but the problem is that since we have such low EQ out in the world, contractors are treated differently and that’s not a good thing.
If you think about it, the people who are protecting us as a nation, as individuals, our health, our lives, our money, they are vulnerable right now, Because the industry is short right now and there aren’t enough people on their teams, coupled with people not loving where they work, that means they’re mentally stressed. That really freaks me out as a citizen.
Let’s say I’m a cybersecurity executive. What should I be doing differently in my job search today that I didn’t have to worry about pre-pandemic?
Companies better offer remote and not even think about messing around with it, because most people want that. Now your competition is greater, not less. With most companies offering remote, it just means that everybody’s gonna take remote, you know, most people want remote or minimally the option to be remote and come in if they wanted to.
Post-pandemic, I would say know your job so you can communicate it well and have a career plan for your employees and make sure that during the interview process everybody’s on the same page and engaged in their interview process. Caring hasn’t changed at all.
To see a full calendar of CDM Media’s events, view the calendar here. For more info, reach out to us at marketing@cdmmedia.com.
