You can’t have solid cybersecurity without the right people. You’ve heard that before. Organizations need people with the right skills, and they need to pay them commensurate with that skill. Yet the skills shortage continues, driven, according to one new study, by low pay. For more, Federal Drive with Tom Temin turned to study authors Jon Oltsik, a senior principal analyst at the Enterprise Strategy Group, and the president of the International Systems Security Association, Candy Alexander.
Tom Temin: Jon Oltsik senior principal analyst at the Enterprise Strategy Group. Mr. Oltsik, good to have you on.
Jon Oltsik: Thank you, Tom. It’s nice to be here.
Tom Temin: And Candy Alexander is president of the International Systems Security Association. Ms Alexander, good to have you on.
Candy Alexander: Good morning. And thank you for having me.
Tom Temin: So what did you study, how did you study it, and what are your main findings here with respect to people that are supposedly doing cybersecurity for large organizations? Jon?
Jon Oltsik: This was our fifth annual study, Tom. And we surveyed 469 cybersecurity professionals from around the globe. And we were really trying to get inside their heads. So what’s their job like? What’s their career like? How do they relate to their organization, what motivates them, and what doesn’t motivate them? And, there’s a lot of research around technology in cybersecurity, but much, much less around people. And as you said, the technology’s pretty much no good if the people aren’t there, if they’re not trained, if they’re not skilled and motivated. And so that’s really where we come in as researchers and can be leading up by SSA. That’s an international group of cybersecurity professionals. So we were able to tap into those people.
Tom Temin: And Candy, you are also a practitioner of cybersecurity, as well as an association president. So, give us your perspective on the findings.
Candy Alexander: I have actually grown up in the profession, serving 30 years as a cyber professional, or back in the day we called it information security professional. I think that in regards to the results of the research that we’ve discovered, it is true to what the professionals are feeling, thinking, and seeing out there — experiencing. However, I think there’s a lot of uncovered truths that we as a profession have not really stopped and recognized. And I’m sure we’ll get into that conversation as we unfold our chat this morning.
Tom Temin: Well, it sounds like the theme here is if you take a company like the now famous Colonial Pipeline, which nobody ever heard of until the cyber attack and the ransomware, they’ve had to spend millions and millions on ransomware. They’re not the only one in recent months. Imagine what a small percentage of that devoted to cybersecurity staff might have made the difference. Is that what we’re seeing here, do you think?
Candy Alexander: Absolutely. I think when it comes to the ransomware issue, it is frustrating for me as a professional. For I, too, am a CISO of an organization that was recently hit by ransomware. And we had not suffered nearly as much damage because we did implement the basic safeguards. I also have a very close relationship with the executive leadership, so they have full trust in me. And so when I go to approach them to say I need “X,” “Y” and “Z,” they were assured that whatever I’m asking for is supporting their business bottom line. So there’s very few instances, I don’t think actually I’ve ever had a “No” in regards to spend with this organization because of the trust relationship and open communications that I have with them, putting it in business terms, as opposed to technology terms. They’re business people. So why would we go to them with the technology lingo and ask for that spend?
Tom Temin: Yeah, Jon, that sounds like something that would come up in your consulting with organizations is to look at it in business terms. And maybe in business terms, then leaders of organizations can be convinced that they need to pay to get the talent they need. Fair enough?
Jon Oltsik: Quite fair, but there’s a lot of history and baggage here. We used to say that organizations don’t want good security, they want good enough security. And unfortunately, what our research says is that that’s still true. There’s still this attitude that, well, Colonial Pipeline got hit — their critical infrastructure — that can’t happen to me. And as Candy will attest, from her experience, that happens to everyone. So understanding business terms is really important, and that’s what our research says.
Tom Temin: We were speaking with Jon Oltsik. He’s senior principal analyst at Enterprise Strategy Group. And Candy Alexander is president of the International Systems Security Association. And there’s another dynamic that might be of interest to federal agencies, which have a great deal of dependency on contractors for their operations and their development work, and they have their own cybersecurity issues within the agency, but now increasingly, they’re worried about supply chain security. So maybe talk about the dynamic where one organization depends on another, and therefore the dependent organization’s cybersecurity concerns become everybody’s cybersecurity concerns.
Candy Alexander: I’ll take that first. I have worked several times with a federal contracting organization, primarily civilian-based agencies, however, a couple recently with DoD. I truly believe that where the federal government is moving with CMMC is definitely the way to go. And I’m finding organizations that are not DoD contractors are also adopting them. So recently, I did an engagement with an organization that was contracted by NIH. They also pushed not the CMMC so much as SP 800-171, which is phenomenal. That is something that organizations can put their arms around and understand. So I think that most certainly is going in the right direction. Because let’s face it, I just spoke a moment ago about not speaking technology terms to business people. So if we can at least educate business people to ask one of two questions — are you CMMC compliant? Or are you SP 800-171 compliant? That takes care of a lot of issues.
Tom Temin: You’re referring to the NIST Special Publication 800-171, which has all of the cybersecurity controls that an organization should have, I think for sensitive but unclassified information, correct?
Candy Alexander: Correct. Yes.
Tom Temin: Got it. Okay. Just so people know some of the nomenclature we’re using here. And so Jon, then it sounds like pay is one thing, but knowledge and training is another thing. And I think your study showed that there’s a feeling on cybersecurity practitioners’ part that they’re not getting, besides the salary, other resources they need, such as regular training and keeping up to date on what it is they’re trying to accomplish.
Jon Oltsik: Yes, that’s correct, Tom. So 91, I’m almost positive with these numbers, but 91% of those that we surveyed agree that cybersecurity professionals need to keep up with their training, or it puts their organization at risk, yet 57% of those that we surveyed agree that they don’t get enough training because they’re too busy. Now, training is funny, because a lot of organizations feel like they’re going to have attrition in their cybersecurity staff, and so investments in training are just a ticket for people to leave, to go out the door. And we don’t believe that’s true at all. In fact, training should be a staple of any organization, because you need to keep up with threats, you need to keep up with the latest technologies, and your people are going to have those opportunities regardless. In fact, if you train them, they’ll be more motivated to stay because that’s one of the things that cybersecurity professionals really want in their careers. So training is critical. And that’s what the data says. It really emphasizes not only the need for training on the cybersecurity professional part, but also on the business part.
Tom Temin: And for federal agencies that don’t have a lot of flexibility on what they can pay people, for the most part, then they often use the mission as a motivator to get people to do cybersecurity for them. But I imagine that they can also use the flexibility they do have which is large in training and development of people as a selling point for coming to my organization, even though I can’t pay you what the private sector can pay. Fair?
Jon Oltsik: Very fair. While competitive compensation is important, cybersecurity professionals want to work at organizations that have a cybersecurity culture. They want to work with other very strong cybersecurity professionals so they can learn and be mentored. And they want those training opportunities. So, there are ways to get around it. Certainly compensation is important. But the mission is important for cybersecurity professionals. So, the federal government has a little bit more flexibility than, let’s say, some other agencies or some other organizations have.
Tom Temin: Candy, anything to add?
Candy Alexander: So just to emphasize, once again, the importance of the professional development for a cyber professional. I often speak about using the analogy of a physician. We’re trusting our cyber professionals to protect the organization. However, we’re not giving them enough time to get training, we’re not giving them budget to get training, and there’s really minimal mentorship going on. So when we use the comparison to a physician, would you want to go to a physician that has had no training in a number of years and then kind of just wings it on a day-to-day basis? It’s that significant, especially in this day and age where cyber is everything in everywhere. Cyber is by medical devices, cyber is cyber defense on your organization. So do you really want to trust your livelihood or your life to somebody who [says], eh, I’m going to catch a YouTube video on how to lock down a system? I doubt it. That’s not a wise investment. And the thing is, we’ve discovered in the past four years of our research that cyber professionals are actually really loyal people. You put in the investment to the cyber professional, and they’re going to stay. One of the underlying things that we’ve asked in the past years is, why do you do it? And of course, I’m paraphrasing, but cybersecurity professionals just want to do the right thing. We want to save the world. So if you give us the training, professional development, you give us the mission of doing right and doing what’s appropriate, then we’re going to be happy.
Tom Temin: Candy Alexander is president of the International Systems Security Association. Thanks so much for joining me.
Candy Alexander: Again, thanks for having me.
Tom Temin: Jon Oltsik is senior principal analyst at the Enterprise Strategy Group. Thank you also.
Jon Oltsik: My pleasure, Tom. Anytime.