Cybersecurity Talent: Will Your Company Ride the Wave, or Drown in the Tsunami?
Cybersecurity is all about the mitigation of risk. And the cybersecurity market has exploded in just the past few years, with 2015’s worldwide spending of $75B expected to reach $170B by 2020.
Yet right now, cybersecurity worldwide is itself in a state of grave peril.
We are facing a massive deficit of talent, and it’s about to get much worse. An estimated 3.5 million jobs in the industry won’t have a qualified person to fill them by 2020.
At the same time, cybercriminals are hard at work taking advantage of every weakness, with the result that we now project a staggering worldwide annual loss from cybercrime estimated at $6 trillion in the same time period. All this is being compounded by the seismic pace of technological change: highly sophisticated mobile devices, IoT, robotics, AI, all making technological adoption move much faster than cybersecurity innovation. Without premium security talent functioning at peak capacity, the resulting security gap becomes a devastating tsunami, made harder to withstand by a cultural landscape of toxic environments that block innovative problem-solving. In this scenario, there is a strong correlation between talent gap and security gap.
This state of affairs did not happen overnight. Over the last 18 years, we have desperately needed more and faster innovation and advances in cybersecurity solutions to help close the ever-accelerating security gaps that contribute to this cybercrime opportunity. Sadly, we have fallen short, and the fault lines are only getting wider.
Companies and their leaders are feeling the pinch. HR strategies have not solved the talent gap.
Well-meant and legislated programs focused on improving corporate diversity and inclusion are not working to bridge the gap. It is not enough to mandate that women are on boards of directors, or that certain percentages of diverse individuals are hired. In our Peer to Peer sessions on “Why Are Women Leaving Tech” at RSA in 2018, we realized that the pipeline of potential talent is there, and HR departments are doing the work of recruitment and onboarding.
But the way these individuals are onboarded, together with the entrenched management environment, receives the rainbow of diversity and blends it all into a colorless sort of human mélange in a business culture that strives for the ease of sameness. All the potential benefit is lost and groupthink retains its gatekeeper inertia. No wonder our talent and innovation capacity can’t keep pace with change when everything that is potentially new is made old again.
The question for our industry is this: do you want to ride the wave, or be pulverized into the sand? We are at the crisis point. Riding this tsunami requires more talent working within a culture that fosters innovation throughout the industry and the kind of out-of-the-box thinking that can thwart the creativity of the criminals, rather than rely on what’s worked in the past or on the echo-chamber of self-affirming ideas that form many teams’ environments.
In talking with women, men, non-binary professionals, and people of color, we’re hearing that cybersecurity is a sub-culture within a culture, and has some major challenges. Less than 11% of top leadership roles in cybersecurity are filled by women; for people of color, the numbers are lower by an order of magnitude. Women are opting out of cybersecurity in mid-career, citing reasons like work environment, lack of a clear career path progressing with more responsibility and leadership opportunity, not having role models at the top, and abnormally high levels of stress.
On the brighter side, some companies have found a way to survive this tsunami and become stronger and more innovative than ever by addressing the need for a change in culture in the cybersecurity space. And their approach is paying off already.
Allgress, Inc. CEO Gordon Shevlin intentionally harnessed the power of collaborative, egalitarian culture to develop next-generation GRC technology for SMBs. They are doing something right – their growth is 100% YOY and they were recently awarded the Risk Management Innovation Award from the CyberSecurity Breakthrough Awards Program. Sarah Lange, Allgress CTO, expressed their approach to rapid growth, talent acquisition, and culture this way:
“In the 20 years of my cybersecurity experience in the public sector, I was very often the only woman in the room. I’ve never worked in a place as diverse as Allgress – it is not about your gender, origins, race or personal preferences here, in fact, diversity is very natural. It is an environment that embraces inclusion so that anyone who has an idea can openly raise it with Gordon, me, or any of the other leaders.”
Gordon describes the culture at Allgress as “family” and says that it is critical to creating products that delight customers.
Emily Heath, VP and CISO at United Airlines, recently posted on LinkedIn that the challenges of cybersecurity demand “a broad range of skills, creativity, and diversity in thinking.” The company tackled this issue head-on, making diversity and inclusion a very visible part of their innovation strategy. They are tackling the “beige management culture” first, and a more diverse community is a result. As of July 2018, “the security risk and compliance team at United is now 48 percent female and 42 percent minority, represented by 25 nationalities and talented team members from a wide variety of backgrounds and experiences.” Emily reports that this has created a “huge advantage” for United.
This is consistent with research reported in the Harvard Business Review article, “The Other Diversity Dividend.” In the VC industry, research showed that the more homogenous the partner base, the lower the investment’s performance. In VC firms, the success rate of acquisitions and IPOs was 11.5% lower when the partners shared school backgrounds, and investments’ comparative success rate for firms with shared ethnicity was reduced to 26.4% compared to the 32.2% success rate for diverse firms. What was the cultural difference? The VC firms who were recognizing “the other diversity dividend” were breaking the mold of established networks that tended to reinforce sameness in all phases of talent management.
Groupthink is what happens when diversity is minimized, and it leads to repeatedly doing the same thing hoping for better results. The relative ease of decision making that accompanies common perspectives on a team also delivers sub-optimum results. Diverse collaborators in an egalitarian environment are better equipped to deliver creative thinking and innovation in highly competitive and uncertain environments with clear results for the bottom line.
To be sure, some tech corridors may be better than others. The “bro culture” of Silicon Valley described by Emily Chang in her 2018 book “Brotopia: Breaking Up the Boys’ Club of Silicon Valley” is not necessarily propagated to the same degree in thriving tech communities like Denver. In contrast, the April 2018 Seattle Times Sunday edition published a feature front-page article “Microsoft Ceilings” that highlighted the pervasive issue of failing to attract and retain female talent and people of color among the top five tech companies in the US, where women comprise on average 30% of the workforce, and about half that in development and engineering roles.
By “doing the right thing” and addressing the culture issue head-on, companies like Allgress and United have shown that including more varied perspectives and unexpected ideas can free a company from its insular groupthink, create better solutions and directly benefit the bottom line.
Of course, this approach does come with its own challenges. It shakes up the status quo and boots some people out of their comfort zone. How does a leader create a culture where everyone knows their perspective matters? How do you move fast while accommodating opposing viewpoints? How do you not only attract the best talent, but make them want to stay, and perform at their best? And how do you make sure the leaders in your company are ready for – and on board with – all these new challenges?
Over the next seven months, we’ll be providing insights and tips on how you can find, hire, nurture and retain the people who will let you surf the talent-shortage tsunami instead of being broadsided by it. Then, we hope you’ll join us at the RSA conference where we’ll be hosting an event-within-an-event all about the latest talent acquisition and retention strategies in today’s cybersecurity space.
This series is the collaborative work of Karen Worstell, CEO of W Risk Group and founder of MOJO Maker for Women in Tech, and Elaine Marino, CEO of Equili and founder of LadyCoders. We’re using our combined decades of experience as women leaders in Tech to bring you actionable, executive-level strategies that you can use to build, develop, and retain your talent in an intentional way that contributes directly to your bottom line AND advances your company’s capacity for innovation and increases productivity. That’s what our initiative “Solving the CyberSecurity Talent Crisis” for RSA® Conference 2019 is all about. Follow us online, and let us hear from you! Learn more at www.karenworstell.com/rsac or engage with us on Twitter at @karenworstell.
To find more information about RSAC 2019 or to share the shorter blog published by RSAC, click here.
How are you preparing for the talent shortage? What do you do to find and retain the best talent? Please comment below!
Gompers, Paul, and Silpa Kovvali. “The Other Diversity Dividend.” Harvard Business Review, July-August 2018.
Chang, Emily. Brotopia: Breaking Up the Boys’ Club of Silicon Valley. Portfolio, 2018.