Good morning, and thanks for being here with me this morning at the Cybersecurity Leadership Summit with KuppingerCole. Thanks to KuppingerCole for having me once again at one of their events, to talk to you this morning about the cybersecurity skills gap. A very quick round of introductions to start with: my name is JC Gaillard. I'm the managing director and founder of Corix Partners.
We're a boutique management consulting business, which I established here in London about 10 years ago, focused on assisting C-level execs with cybersecurity strategy, organization and governance challenges. I also animate the Security Transformation Research Foundation, a think tank affiliated to Corix Partners, which is aimed at the development of new narratives around cybersecurity to help the industry at large move forward.
As I said, many thanks for joining me once again. A quick number of house rules before I start: the session is recorded.
You can ask questions, I suspect through the website, and I will do my best to respond; otherwise you'll have my details at the end of the session. By all means, feel free to reach out, feel free to come back to me if you have any questions, if anything is unclear, if you want to challenge me on anything. That's exactly what those events are about, so do not hesitate if you have any questions for me. I'm going to start sharing a number of slides with you to support this discussion.
So, the cybersecurity skills gap. I framed the session as "a real problem or self-inflicted pain", and that's a little bit of a provocative title, but those are the kinds of topics we're going to be talking about this morning. One thing is clear: you don't really have to go far these days to find security professionals complaining about skills shortages, and you don't have to go very far online to find countless articles talking about the topic. My view is that the problem is complex, and it certainly has multiple dimensions.
Those are the kinds of things I would like to explore with you this morning. One thing that's absolutely clear for me is that complaining endlessly about it is not going to help.
The only way we're going to move forward with a problem of that complexity is by identifying the roadblocks which have been preventing us from making progress in the past, and removing them. Only that will bring change, as with many other complex problems we're facing across the cybersecurity industry.
So I'm going to start looking at this under three different angles: why is the cybersecurity industry struggling to attract talent? Why is it struggling to retain talent?
And what do we need to change, of course, to create different dynamics around all that. So let's get started. Why is the cybersecurity industry struggling to attract talent?
Well, again, to go back to what I was saying a bit earlier, this is a problem which is far more complex than just not wanting to be the guy who says no, or the scapegoat when something goes wrong. I think personally that the cybersecurity industry still has a fairly serious image problem.
It carries a narrative which is dated, which is tech-heavy. It ends up being perceived as an obscure and complex technical niche.
Something which is reserved to nerds and geeks: that's the narrative of the guy with the hoodie, that's the visual of the guy with the hoodie. And you don't have to go very far online to find countless articles and pieces of content which are carrying that visual and that sort of narrative. To an extent, the narrative of the guy who says no is the narrative of the padlock and the visual of the padlock.
And you don't really have to go far online to find those visuals and that kind of narrative as well. I think all this created an overall narrative, an overall perception, which frankly over time has become toxic. And to be honest, as long as we, collectively as an industry, carry on with this narrative, carry on relaying this narrative,
of course we create something which is a little bit of a self-fulfilling prophecy.
If you portray yourself as a niche within a niche, you will remain a niche within a niche. And if you put the spotlight constantly on tech, then you will alienate the other world.
And God knows that there are a number of other roles which are not entirely technical in cybersecurity.
And in turn, the lack of awareness around the diversity of roles breeds a lack of training courses and a lack of educational opportunities, and frankly the absence of clear career paths around security does the rest. This is the problem at all levels when it comes to attracting new talent. What do you do once you've been a security analyst in the SOC for a few years? What do you do once you've been a CISO for a number of years as well? Where do you go? What is your natural career development?
You do not have to be hopping constantly from one job to a similar job, to a similar job, but frankly, credible alternative role models are simply missing. When is the last time you saw a CISO becoming a CIO, or COO, or even CRO? Even across the GRC ecosystem, those bridges, those gateways are not really visible. So frankly, my starting point is that in my opinion the cybersecurity industry has never managed to make itself attractive. And frankly, this is wrong. It's plainly wrong at a number of levels.
There are countless cybersecurity roles which are not purely technical and which require personal and political acumen. From auditing to awareness development or security training, there are genuinely complex, transversal, transformational projects around cybersecurity, in particular in large organizations, which should provide prime training grounds for ambitious project and program managers.
There are genuine management and transformational challenges which, again, should provide key opportunities for ambitious middle managers to develop into and to prove themselves.
So this is not just about tech. The whole narrative around cybersecurity cannot be reduced just to the tech narrative. Why are those messages not coming through? I think, as a community, we have to ask ourselves those questions if we really want to start addressing the problem we have in attracting talent into security. Why are those messages not coming through?
Well, to me, they're not coming through because fundamentally quite a lot of the content we've got online around the cybersecurity skills gap, to an extent, talks about a different problem.
It talks about the difficulty of staffing large operations. It talks about the difficulty of staffing large projects. But those problems are rooted in a different context altogether, around staffing issues for security operations centers and large operational centers.
Very often, what is very prominent to me is the attempt by management to prop up manual legacy operational processes just by throwing more resources at them, because it's easier than fundamentally transforming those processes or streamlining them.
And many organizations are stuck with legacy operational processes around security, whether it's identity management or security monitoring or incident handling or threat intelligence. Many, many large organizations are saddled with operational processes which are mostly manual, labor-intensive, very repetitive, built around countless tools. There's a survey from Cisco released at the beginning of the year which shows that on average, large organizations use 20 different security technologies.
This is just crazy. And indeed, it's very hard to attract young professionals into jobs which ultimately are manual, repetitive and, frankly, boring for many of them.
So that's one side of the problem I see very often when I hear people complaining that they don't find the resources they need. Another side of the coin, if you want, is that many organizations, when they find themselves in a situation where their maturity level is too low, when they come out on the other side of an incident or an EMS, try to change everything at the same time, or at least want to try to change everything at the same time.
But to be honest, building a monstrous program of work requiring tens of additional FTEs, selling this to the board, getting funding for that to the tune of tens of millions, but ignoring all dependencies between tasks, ignoring all dependencies between cultural aspects,
and pretending that, again, this is just about throwing resources at the problem: that's not how you change things.
This is a specialized industry. You cannot expect to find an unlimited amount of resources available to you at any time to do anything. This is just not the way any specialized industry works. You would struggle to staff large-scale programs of work in any specialized industry, let alone deliver them. For me, behind that kind of attitude, there is fundamentally a problem of bad planning and bad management.
And to be honest, to say it bluntly, this is fuelled by the tech industry, and this is fuelled by large consultancies. So fundamentally, very often when we hear about the skills gap, we have essentially a perception of the skills gap which is relative to those flawed expectations.
But what is all this really telling us? That is also something we need to confront as a community, as an industry altogether. Is this really a matter of skills shortages, or is this poor management, or is this just a reflection of the greed of the security ecosystem?
Those are questions we have to ask ourselves.
One thing is certain, in my opinion and in my experience, frankly, as a consultant, looking at what I see every day in the field: all this breeds attrition. As I said earlier, manual, repetitive security operational processes very quickly become boring for young professionals, and they leave. And once they've gone, it's not likely they'll come back again.
As I said on the previous slides, over-complexifying transformative programs of work, ignoring dependencies, ignoring governance issues, ignoring priority-setting across corporate silos, working against arbitrary timelines, working against arbitrary resource requirements, simply thinking that you can throw resources at the problem, that it is just a matter of adding up the number of FTEs you need and you will just go onto the market and find those people sitting there waiting for you:
it doesn't work like that in any specialized industry.
This is the kind of attitude which simply leads to failure. And frankly, failure alienates senior management.
You cannot blame senior management for looking back at the millions they've spent on cybersecurity over the past 10 or 20 years and asking themselves: why are we still being breached? This is not just about the fact that the threats evolve constantly.
It's also because many of those transformative programs of work, over time, have never been properly delivered across large organizations. They've never been properly delivered because they were either over-complex or because priorities shifted and nothing got finished. And all this fuels the historical tendency senior management has had to see security as a cost
and as a problem.
And frankly, if you look at an organization which is in that type of situation, who would like to be CISO in a context like that? I do appreciate that this is a little bit of a grim picture
I'm painting. And yeah, I would be very happy if some of you wanted to challenge me. As I said at the start, my details are at the end.
And if you do have a different view, if you think I've gone too far, by all means challenge me. But fundamentally, as a community, as an industry, we need to ask ourselves what we can do to start changing things. I don't pretend to have the silver bullet here. I don't pretend to have the ultimate solution to the problem, but I think we need to consider three lines of action, and that involves CISOs, it involves senior management, and it must involve HR teams.
And I insist on that: it must involve HR teams.
The first thing: collectively, we have to start working at making security more attractive. It's time to ditch the hoodies, to ditch the padlocks, to ditch that toxic narrative and to move towards a more positive, business-oriented narrative. This is about protecting the business. This is about enabling the growth of the business by protecting it.
We need to rebuild a narrative which is business-centric and not tech-centric, which is positive, and which showcases the diversity of roles and their transversal nature, looking beyond tech. I think this is very much the crux of the matter; that's where I started this presentation,
and I want to insist on it even more now. It is really by changing that sort of narrative that we will attract more talent and a greater diversity of talent into the security industry.
Second, and this is probably more aimed at CISOs, I would say it's absolutely key to create a more stimulating entry level for young professionals.
As I said, if they find the jobs boring, they will leave and they won't come back. So CISOs have to look back at those legacy operational processes. They have to look back at the role of the security analyst. They have to declutter their cybersecurity estate and start thinking about automating processes more intelligently, to cut down on manual processing and to allow a possibly smaller number of analysts to work more efficiently and to bring more value into what they do.
All that would create a more stimulating, or less boring, environment for them to fit in and to develop. Manual work, cutting and pasting across countless tools into Excel: this is not something any young professional is going to find very attractive for very long.
So I really think CISOs have to look back at some of their operational processes and try to reshape them, to streamline them, to create a more stimulating entry level for young professionals.
And finally, and I think that last point is more aimed at HR people and at senior execs, it's time to start building up role models: showcasing genuine career paths across the security industry, showcasing real, meaningful, credible bridges between cybersecurity roles and other roles. To me, that has to work primarily across the broader GRC spectrum to start with, but there is absolutely no reason why it would be limited to just that spectrum.
I think we should be able to showcase those types of career paths across the entire management spectrum. To HR people in particular, and to senior execs, I say: please think outside the box, look beyond tech.
There is absolutely no reason why the CISO would not come from a business role.
It's time to start breaking that dynamic and to start looking truly at alternative ways of staffing security management roles. All that, to me, needs to be combined to start building a new narrative at all levels: a narrative which is positive, as I said, which is business-centric and not so much tech-centric. And it's in my opinion by driving in that direction that we will start to attract more raw talent at all levels in the cybersecurity industry. I'm going to leave it here for this morning.
Again, I thank you very much for listening to me and for watching this. Many thanks to KuppingerCole, of course, once again, for having me. As I said repeatedly throughout, and at the start, please be in touch to discuss further. You've got my details on the screen. If I've got it wrong, if you think I've gone too far or not far enough, by all means be in touch with me; that's exactly what this is about.
As a community, we need to talk about those matters and we need to exchange, to build the right way forward for all of us collectively. Thanks again to all of you.
I wish you a very good rest of your day and a very good Cybersecurity Leadership Summit, for those of you who are going to attend other sessions. Thank you very much.