There is no shortage of cybersecurity skills.

What is really missing is creativity at the managerial level

Edited by LineaEDP, 22/10/2021

Lamont Orange, CISO of Netskope, explains why 'critical' competence in cybersecurity outweighs 'technical' competence

Lamont Orange, CISO of Netskope

Readers of technology and business articles have been hearing for years that there is a lack of cybersecurity skills. Studies and surveys state that, given the lack of sufficiently qualified candidates, millions of jobs will go unfilled. I don't think that will happen. The fundamental laws of supply and demand mean that there will always be a workforce ready to fill well-paid positions in the security sector. The problem is not a shortage of staff, but the fact that CIOs and CISOs ignore candidate profiles that do not match a specific list of qualifications. In many cases, hiring managers expect candidates to be fully trained on all the technologies their companies currently use. This not only makes it more difficult to find qualified candidates, but also reduces the diversity of experience within security teams, which in turn weakens the company's security management capabilities and its talent pool.

At Netskope, the approach to finding the people who will fill security roles is different. We know that we can teach the cybersecurity skills necessary to do the job, so, contrary to common practice, there are two characteristics that we consider more important than specific technical knowledge. The first is the desire to keep learning about security, a quality that suggests the candidate will take the initiative to constantly improve their skills. The second is the possession of a range of skills that no one else on the team can offer.

The excessive emphasis on technical skills is at the root of the talent shortage

Think about the long-term benefits of hiring someone with a specific range of security skills: how much will that preparation be worth many years from now? Probably not much. Even the most basic security technologies are incredibly dynamic.
In most companies, IT infrastructure is undergoing a massive transformation, from on-premises to cloud-based systems. Security experts therefore find themselves having to learn new technologies. In addition, they have to adopt a completely new mindset, which involves moving from a focus on protecting specific pieces of hardware to protecting people and applications, as their workloads move more and more outside the corporate network. Some security teams find it difficult to manage that change, while others are happy to kickstart this transition. However, as they learn to secure corporate assets in this brave new world, the technical skills with which they did their jobs become less and less relevant. The CISOs who demand specific technical skills in candidates, the same ones who then express disappointment at the lack of profiles that meet those requirements, are the real culprits behind the "competence gaps". The lack of a broad vision when hiring comes back like a boomerang in the long run.

Critical expertise in cybersecurity surpasses technical expertise

A better approach is to consider candidates with little security experience. For example, if a company's project management teams or business functions are undergoing reorganization, there may be people with a deep understanding of the business who are looking for an opportunity to learn new things. In all likelihood, their expertise will not match what is required in the job description, but they can bring a new perspective that will make the security team even more efficient. Cybersecurity is not an engineering problem isolated in flowcharts on a whiteboard. It is a business problem that requires normal two-way communication with managers, stakeholders and the board of directors. This explains why even some CISOs lack a technical background.
Furthermore, even the best-thought-out security policy in the world is only useful if employees at all levels of the organization commit to adhering to it. For example, marketers can significantly improve the effectiveness of security experts. I believe that any cybersecurity team should include someone with excellent communication skills, who can convey the importance of security even to less technical colleagues. With this less traditional approach, security teams can greatly increase control over global corporate compliance. Likewise, both economic and financial analysts can bring complementary skills to a security team. Experience in planning and modeling can greatly increase awareness of the possible ramifications of different courses of action, contributing a different way of thinking and thus enriching the approach to security and its effectiveness. Hiring this type of person should allow you to answer questions like: "If we do X, how much difficulty will we have with end users?" and "Will this approach really improve the protection of our data or create gaps by modifying user behavior?"

What to watch out for during the hiring phase

When hiring, one of the main priorities of the Netskope security team is to increase the diversity of our group's skills. Hiring managers seek out candidates who truly understand the driving forces behind our business and whose knowledge beyond cybersecurity can complement our existing range of capabilities. We are looking for people who are able to transform cyber challenges into business solutions. Obviously, a passion for security is fundamental. We always ask candidates from the marketing or commercial sectors what they do in their free time. What technologies do they use on their laptops? Have they acquired special technical skills in their free time, or perhaps invented something to make life easier?
It is always surprising to find that someone has stepped outside their specialty to solve a technological problem. People who demonstrate that level of interest in cybersecurity can be trained on specific technologies, the way we want them to use them. By applying this broad perspective to cybersecurity hiring, we increase diversity in the team. Furthermore, we look for such variety not only in skills, but also in ages and demographic groups. A team with heterogeneous talents and backgrounds will look at security issues from many more angles than a homogeneous group. Indeed, diversity is one of the core values across Netskope. From the CEO to the frontline employees, we believe the company will be more successful and more resilient as an organization if we include more people with a wider range of perspectives. Nor should we forget that diversity is the final step in digital transformation. Businesses will have a better opportunity to complete that transition and keep resources secure in the cloud if they also transform the team itself.

Text by Lamont Orange, Netskope CISO