Trying to fill the demand for cyber security talent is arguably the second most important job a CISO faces. But not only is there a shortage of experienced infosec pros around the world, let alone in Canada, colleges and universities may not be churning out what industry needs.
The solution, according to a Deloitte Canada report released this week, is for CISOs to think of the people needed across seven broad categories, or personas. However, these personas aren’t job silos. Some share capabilities and skills – like problem-solving – so a person who fits one ‘persona’ could switch to another.
The point, says Marc Mackinnon, the consulting firm’s cyber security leader, is that hiring managers should stop thinking an infosec pro is a generalist who can do anything cyber-related.
“A lot of organizations really weren’t completely clear on the problem they are trying to solve: What truly is a security professional to them?” he said in an interview. “Based on our research there tends to be a disconnect between the talent, the human resource function, the needs of the business, but also the needs of IT and security.
“What that led to is a lot of mismatch in terms of when they would try to go to market to attract a certain level of individual. They were either trying for more of a generalist or not really matching the skill sets or the capabilities of the problem they were trying to solve.
“When it came time to retaining people, they were trying to treat them almost like a broad brush: ‘A cyber professional is a cyber professional.’ What we recognize is there are different needs and different requirements of these people in terms of how you retain them within the organization.”
The seven personas are Defender, Scientist, Sleuth, Hacker, Firefighter, Strategist and Advisor.
But each should be looked at as having transferable capabilities, rather than positions needing specific skills. “Although skills remain important, they need to be viewed in a supporting role, not as the lead act,” says the report. “This means that instead of focusing their hiring and training efforts around specific technical skills, Canadian organizations would likely be better served by thinking in terms of broad ‘personas’ with sustainable capabilities that are portable across different occupations and roles.”
So for example, an Advisor, with skills like critical thinking, communications and influence, could eventually move up to the roles filled by a Strategist (CISO, cyber strategy analyst, policy analyst or cyber program/product manager).
Similarly, a Firefighter, whose job is to identify, analyze and mitigate threats to internal systems, could become a Defender, who supports administrators and maintains the security of systems.
Strategists and Scientists are expected to be the hardest to find and recruit.
To take advantage of this model, organizations will have to consider the kinds of career paths offered to infosec pros, formal and informal training opportunities, incentives and compensation, and team structures.
Advisors are both the most common cyber security professionals today and one of the personas that will become more important in the future, the report adds. However, the specific role of an advisor is expected to evolve as hands-on experience with emerging tools (e.g., virtualization, containerization, cloud) becomes increasingly important.
Over time, the report adds, personas will likely evolve due to disruptive technologies such as robotic process automation, artificial intelligence (AI), and cloud. Defenders may see a reduction in the number of control assessments they need to perform, thanks to automation and AI, along with a shift toward cloud-based managed services. Meanwhile, firefighters might evolve toward becoming scientists, as lower-level analysis tasks are increasingly automated.
The report also notes that different organizations will have different needs, a different mix of personas and, potentially, a different set of skills.
“Every organization must shoulder some responsibility for addressing the cyber workforce challenge by working at an ecosystem level to grow the future supply base,” the report adds. “This includes educating young people about cybersecurity risks and practices, and building interest in cyber careers.”
Emerging technologies such as automation, AI, machine learning, and advanced analytics can help augment an organization’s traditional cybersecurity efforts, the report concludes. “However, those technologies will not eliminate the need for human experts—at least, not any time soon.”
The report was compiled after discussions with more than 40 Canadian cybersecurity leaders as well as an in-depth survey of more than 110 Canadian executives. It was partly sponsored by the Toronto Financial Services Alliance, which promotes the city as a financial hub.