By Kevin Magee
You have probably heard that in cybersecurity we have a “skills gap.”
Given the ever-increasing degree and complexity of the global cybersecurity threat landscape, our industry has rightly prioritized and placed significant emphasis on developing a highly trained and technically skilled workforce.
Academic and other educational organizations have risen to the challenge admirably, creating new certifications, degrees, diplomas and training programs which are beginning to graduate thousands of skilled candidates for organizations to hire. Better approaches to ensuring inclusion and diversity are also widening the pool of talent entering and being embraced by our industry. All of this should be helping to close the skills gap. Except it’s not.
While we are making great progress addressing the numeric demands for highly skilled technical talent, wave after wave of newly trained and aspiring cybersecurity professionals are still left seeking work while countless open positions continue to go unfilled. On top of this failure to effectively bridge demand with an ever-expanding supply of talent, rather than diminishing, cyberattacks appear to be increasing relentlessly in number, intensity and severity.
So, what accounts for these discrepancies? What’s missing?
In our urgency to address the technical needs of the industry, little thought and attention has been given to who will lead this future cybersecurity workforce and bridge the gaps between the technical and business worlds of the organization. This has created a new and perhaps even more complex and challenging skills gap — one of leadership.
To make progress in these areas we will need skilled cybersecurity leaders who are able to craft and implement sound strategies to hire, integrate and develop new talent, and who can also raise our profession beyond its current technical limitations, where it focuses simply on mitigating cyberthreats, to address the more strategic challenges of merging cybersecurity into overall business strategy, operations and culture.
Cyber defence of the organization requires not only technical experts with computer science and security skills, but also leaders with an understanding of strategic concepts such as digital transformation, organizational behaviour, ethics, business economics and operations management. Additionally, these leaders must know how to unlock potential and empower both individuals and teams. Acquiring and developing skills such as one-to-one coaching, negotiation and conflict management, organizational change, emotional intelligence in the workplace and managing a culturally diverse workforce will need to be prioritized by both emerging and current leaders.
More importantly, their organizations must encourage, support and enable these efforts in order to produce real results and develop effective leaders.
Not surprisingly, today the most easily distinguishable traits of a cybersecurity leader are deep technical skills and experience. However, while organizations do continue to require individuals with skills such as cloud security, encryption and threat hunting, proficiency in these areas alone should not be the yardstick by which we measure cybersecurity leaders. Yes, leaders will continue to need to be well versed and capable in these areas and ensure that their teams are staffed with highly skilled individuals who have the capabilities and training to handle them. However, the leaders themselves need to be something different. Something beyond simply the most technically knowledgeable and experienced.
Organizations have generally promoted individuals to the role of chief information security officer (CISO) or other security leadership roles based primarily on their ability to perform as a technical expert. This approach was acceptable in the past when cyber-attacks were less common, complex and devastating, but it is no longer appropriate today. It’s time for boards and C-suite executives to reset their expectations of how cybersecurity is positioned and what a cybersecurity leader is.
What this means is that the best cybersecurity leaders may already exist within your technical teams and simply require more education, training and opportunities to develop their management competencies. It may also mean that a proven non-technical leader who knows the business and organization, has built trusted relationships throughout the company and has an aptitude for cybersecurity can also transition to a cybersecurity leadership role.
The cybersecurity leader of tomorrow must be able to not only respond to technical threats but to effectively manage teams and embed security throughout the entire organization’s operations. They must also be able to translate technical concepts into messages that engage and inform the decision-making of other senior leaders and the organization. They must act and serve as the “technical authority” on the organization’s leadership team.
But for this to happen, cybersecurity needs to be embedded across the organization. Developing the right leaders, so that the function is not merely effective but thrives, needs to become a strategic business imperative. Only then will we begin to close the next great challenge of our industry, the leadership skills gap.
Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).