When the COVID-19 pandemic hit in March, cybersecurity priorities changed nearly overnight. Instead of trying to protect employees and data within the confines of corporate offices, workers scattered to remote and home offices, taking devices with them and trying to connect to corporate networks with less-than secure connections.
At the same time, security research began tracking an upsurge in attacks that played on the uncertainty of the crisis, including phishing emails with COVID-19 themes that attempted to entice victims to click. Ransomware attacks spiked as more sophisticated hackers took advantage of vulnerabilities in Remote Desktop Protocol connections, VPN servers and other buggy equipment to leapfrog from compromised devices into corporate networks.
Even as all this happened, organizations continue to have trouble hiring and maintaining cybersecurity talent, according to numerous studies, including a recent survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).
Despite these challenges, there’s hope among security professionals, especially CISOs, that 2021 could jumpstart a change in cybersecurity. For cybersecurity experts, technologists, and executives, now is the time to prepare.
Earlier this month, security firm Thycotic, along with Sapio Research, surveyed 900 security professionals in the U.S., U.K., and parts of Asia and Europe, and found that 58 percent believe that they will have more budget in 2021 compared to this year; half believe that their organization is prepared to move totally to the cloud over the next 12 months.
Joseph Carson, chief security scientist and advisory CISO at Thycotic, noted that if organizations want to invest more in security to combat some of the issues that have played out during the pandemic, CISOs must have new flexibility to hire more skilled workers. A big advantage is that organizations no longer have to limit where they look for cybersecurity talent, thanks to the cloud and the rise of remote and hybridized work.
“Previously, some organizations focused on office-based employees, however, with COVID-19 that has changed that perception greatly,” Carson told Dice. “This will change the hotspots where many organizations found it challenging to compete for local talented employees, such as in California. Organizations can now look further and source talented employees from all around the country.”
In his view, the types of skills that CISOs are looking for in 2021 will be the same as 2020, but a greater emphasis will be placed on those who can thrive in their jobs remotely and adapt to a post-pandemic working environment.
“CISOs will look beyond limiting the search for office-based employees and will expand to include opportunities for employees to work remotely as virtual teams continue to be on the rise. Social skills will be the focus of change, meaning employees must be self-motivated and adaptive to remote working,” Carson said. “CISOs will need to enable and empower remote teams to work effectively and efficiently, meaning that the need for more cloud security skills will increase in demand, as well as strong privileged access management solutions so employees who work remotely can continue to add business value and reduce the risks from cyberattacks.”
Tech Skills Vs. Soft Skills
For many in the cybersecurity field, the types of skills that security professionals need next year will break down between “hard” technical ones and “softer” people skills that can prove beneficial when working with other teams or communicating with C-level executives.
Rick Holland, CISO and vice president at security firm Digital Shadows, noted that even with increases in budget, security leaders and their organizations will not be able to recruit and hire their way out of the cybersecurity skills gap.
“There aren't enough experienced candidates to go around, and their salaries can be cost-prohibitive,” Holland told Dice. “Continually growing and developing less experienced individuals should be a vital component of any cybersecurity staffing strategy. Looking for candidates with upside, initiative, and the ability to grow is essential.”
As a CISO at a security company, Holland said that his priorities for hiring talent will likely remain the same, which means an emphasis on those skilled in DevSecOps and Identity and Access Management, as well as those workers with incident response abilities who specialize in cloud services such as IaaS and SaaS.
On the other side of the spectrum, Lisa Plaggemier, the chief strategy officer at MediaPro, which provides cybersecurity training services, believes that CISOs also need staffers who know how to work with other parts of the organization to ensure that cybersecurity priorities are followed and carried out.
“Too many security professionals still have an ‘us’ versus ‘them’ mentality,” Plaggemier said. “They can be too rigid in their approach and fail to see the larger context around issues. This can cause the business to leave the security team out of critical meetings because they fear the security team will be unreasonable and slow them down. It takes strong interpersonal skills to form relationships, be included upstream instead of at the last minute, and be seen as an asset to the business, not a hindrance.”
In addition to hiring cybersecurity talent with the right technical and people skills, Mark Ward, a senior research analyst at the not-for-profit Information Security Forum, believes that CISOs also need a management team to help execute on security plans for 2021.
ISF recently published a study on CISO priorities for 2021, and Ward notes that the analysis showed that security leaders need to hire deputies who specialize in three areas: incident response, contract management and human resources.
Incident response skills are needed to help blunt the effects that the pandemic has had on cybersecurity, as well as help organizations become more resilient to threats. This includes attacks from the outside or insider attacks that can result in breaches and other issues.
Contract management is another key, as organizations rely more and more on third-party suppliers that might not have the same security standards and need close monitoring and supervision.
Finally, human resource skills will matter as managing and securing remote workforces becomes more stressful and security teams increase their workload.
“All infosec teams have been under huge pressure lately and good CISOs acknowledge that and look for ways to help staff handle the stress,” Ward told Dice. “It's an area few CISOs are good at naturally, so having a deputy or senior manager who is familiar with these issues ensures staff can cope, get the downtime they need and will aid retention. New security folks are hard to find and expensive to employ—far better to do well by the ones already in place.”