Bosses say they’re serious about cybersecurity. It’s time for them to prove it
Getty Images
If there’s one profession that continues to dominate the demand for tech hires, it’s cyber security.
Demand for cybersecurity personnel has skyrocketed since “remote work” entered the lexicon and businesses have doubled down on their digital assets as a means of insuring themselves against future uncertainty.
While the post-pandemic tech boom has been a boon for tech professionals capable of anything related to software, it has also left companies more exposed than ever to the dangers lurking in cyberspace.
As the threats of ransomware, malware, and intellectual property theft become all too real for businesses, hiring managers have turned to cybersecurity professionals to protect them. The problem is that there aren’t nearly enough of them to go around—and many in the cybersecurity business are starting to quit their jobs due to stress and burnout.
A number of factors underpin the shortage of skilled tech talent in the workforce, and the big one is that technology is now evolving at such an alarming rate that it’s hard to know which skills will continue to be applicable in the medium to long term (although coding is generally a safe bet).
But decisions in the C-suite also stifle businesses’ efforts to adequately defend against cyber threats. While leaders absolutely want cybersecurity expertise on their teams, they aren’t necessarily willing to pay for it. Or, more precisely, they are not willing to pay enough.
Take a recent report from O’Reilly, which found that only a third of HR decision-makers at UK tech companies are willing to spend more than £10,000 ($11,600) on cybersecurity recruitment, learning and development in the next 12 months. When you consider that more than half of cyberattacks cost companies more than $100,000, it’s amazing that employers aren’t willing to invest a tenth of that amount to prevent such attacks.
Budgets are always contentious in businesses, and it’s hard to convince a company’s leadership to invest in something they can’t see for something that might not happen (even if it probably won’t)—especially when many IT leaders still don’t have a say in decision-making. to the company – even if it is related to technology.
But £10,000 doesn’t seem like a lot when you consider how much money employers have sunk into huge offices and glitzy corporate hubs that are only used once or twice a week. One way companies can find room in their technical training budget is to determine how much office space they really need and cut back accordingly.
But money, while a key factor, is only one part of the multifaceted cybersecurity skills problem. Many businesses still don’t have the right mindset to effectively manage an increasingly complex work environment – and this is usually a result of leadership.
Much like their employees, business leaders are thrown into remote work in 2020 with little planning or preparation. While they were busy shipping out laptops, setting up VPNs, and trying to track down suddenly invisible workers, few considered what such a major upheaval in the workplace and IT practices meant for cybersecurity in the long term.
Many leaders still haven’t addressed this issue, instead taking a set-it-and-forget-it attitude toward cloud applications and security software that doesn’t provide a holistic approach to risk management.
The extent of this problem was highlighted in an October report by Savanti, a cyber security firm. In a survey of 800 global board directors, 83% identified cyber security as a top priority, but less than half took any dedicated action – even if it simply meant requesting an IT security update or auditing their company’s cyber readiness.
The report also found that Chief Information Security Officers (CISOs) are being hired, managed and evaluated as technical experts rather than business leaders. So when it comes to big strategic decisions, there’s no one in the room to explain how they might affect IT or cybersecurity.
It’s no wonder so many IT leaders are tired of not being listened to, which may explain why—according to Savanti—the average tenure of a CISO is only 2.3 years.
The good news is that companies are generally starting to realize that they can no longer sleep on cybersecurity issues. If they haven’t been the victim of an attack or attempted attack themselves, they almost certainly know of a company that has – and a company that was probably better prepared than they were.
The intense media focus on cybersecurity has offered another incentive for companies to stay out of the spotlight: falling victim to a cyber attack is a bad look, and the financial, operational and human implications could be catastrophic at a time when companies are trying to cope with the economic downturn.
Looking ahead to 2023, companies must balance costs with the growing need for technology skills. But if leaders are serious about building resilience and holding firm in a year of uncertainty, cybersecurity cannot be pushed to the back of their minds.
ZDNET MONDAY OPENING
ZDNet’s Monday Opener is our introductory look at the week in tech, written by members of our editorial team.
Comments are closed.