A single infographic released recently by the National Institute of Standards and Technology (NIST) revealed the extent of the current cybersecurity staffing crisis. One stat that rang alarm bells everywhere was this: At a time when there is acute demand from corporate boards to increase cybersecurity headcounts, the worldwide shortage of skilled resources last year alone totaled a staggering 3.4 million professionals.
How best to help solve the issue was the subject of a presentation this morning at MapleSEC 2023 by Dr. Satyamoorthy Kabilan, senior executive at Gartner, whose theme revolved around a new concept called “quiet hiring.”
Quiet hiring, he said, is a term coined by Gartner analyst Emily Rose McRae, who leads the firm’s Future of Work research team, and is the polar opposite to quiet quitting, which is defined as doing the minimum requirements of one’s job and putting in no more time, effort, or enthusiasm than absolutely necessary.
“The World Economic Forum found out that few business leaders in critical sectors feel confident that they have the talent that they need to protect their organization. On top of this, my colleagues in the research area of Gartner have a little prediction for 2025. In it, they believe that a lack of talent or human failure will be responsible for over half of the significant cybersecurity incidents that we will experience.
“This means that we have a big gap in talent that we are trying to fill, we have a real nervousness about what that means for organizations, we have a demand from leaders to fill these gaps. And on top of that, it comes with a huge risk.”
That is, said Kabilan, why quiet hiring is so important, and if an organization gets it right, it will end up with a far more engaged employee base than it had before, without having to add headcount.
“This is not about adding work on to an already small pool of talent that you have. That was one of the questions that was raised when we came up with this term. And we need to be clear here that this is not about adding more work. It is about focusing the talent that you have on the areas that are most important. And for those scarce cybersecurity resources, that is really important.”
In an article that appeared on the Gartner web site earlier this year, McRae wrote that the strategy, if carried out correctly, is not just a win for the organization. It provides employees with the opportunity to work stretch assignments, grow their current skills, learn new skills, extend their careers — and ultimately become invaluable to their current organization and more marketable to others.
“There are also more immediate benefits to employees – quiet hiring does not mean employees who volunteer for these kinds of assignments should not be compensated or rewarded in some way. To capture the benefits of quiet hiring without risking attrition, organizations should expect to offer incentives, such as additional compensation, one-time bonuses, extra personal time off, flexible hours and working conditions.”
In order for it to work, said Kabilan, there are three key strategies that must be followed, and they are: ruthless prioritization, leveraging internal skills, and upskilling:
“Let’s start with ruthless prioritization. Going back to the point that I made earlier, that this is not about adding more work on top of an already potentially overworked cybersecurity team, it is about understanding what is most important to the organization, its mission, its goals, and what it needs to achieve. And then focusing your scarce resources on achieving the most important pieces or the most important priorities in the organization.
“Conceptually, this sounds really simple, but I can tell you from experience, organizations I have worked with in the private sector, and in the public sector actually find this hard to do. We need to understand what is truly important, what needs to go to the top, and what needs to be dropped off, to make room for us to do the things that are most important.”
Leveraging skills more effectively involves breaking down roles not as jobs, but as tasks. Gartner, said Kabilan, conducted case studies around quiet hiring, and “one of the examples that an organization gave us around how they leverage their internal skills was really interesting. What they did was they started breaking down their jobs into tasks.
“And they did this with two broad categories. One being in-demand roles, or high demand roles. Think of cybersecurity as a high demand role. Plenty of gaps in there to get people. They did the same for high supply roles, roles, which they could fill more easily. What they did was look across the set of tasks being done in the high demand roles and the high supply roles and look for overlap.”
The third and final component is the carrying out of a “skills audit, to find out what skills you actually have in your organization; you may have hidden pools of talent in high supply roles, which you are not aware of. Those might be skills and resources that you could be using in high demand areas.”
To view the entire presentation click on the following link
