It’s prediction season again! Last year, I shared my thoughts that InfoSec teams were better equipped to deal with the sudden changes brought by 2020 and a global pandemic, because we’re expected to be prepared for the “unexpected.” 2021 doubled down, continuing to redefine the possibilities of the unexpected: from large-scale cyberattacks to the Great Reshuffle to adjusting to hybrid work models, cybersecurity professionals have had to reevaluate the way they work, recruit, and interact with other leaders at their organizations.
Cybersecurity can periodically be thrust into a sudden and intense spotlight, but for our field to truly thrive in 2022 and beyond, security needs to become a consistent priority. While the technological intricacies of cybersecurity are better left to the professionals, security should be at the forefront of everyone’s mind.
Here are some thoughts on what else this new year will—or should—bring to the field of cybersecurity.
Employers must shift their mindsets to land security talent
Hiring in the security industry won't cool down in 2022 and the cost of getting talent will increase, which is a strong reflection of how much companies value InfoSec. Some employers are stuck in the mindset that the talent pool isn't growing proportionally to the demand for security talent. However, there's potentially a bigger talent pool than ever amid the Great Reshuffle, with more people reconsidering their careers and changing industries—if you know how to look.
According to an October 2021 survey conducted by Censuswide on behalf of LinkedIn, 73% of Americans who say the pandemic changed the way they feel about their career say they feel less fulfilled in their current jobs. To retain great security talent, employers need to adjust how they recognize, reward, and engage with those employees. Attracting and retaining security talent will require employers to adjust their perspectives on the talent pool and work to embrace talent from sources that might be thought of as “non-traditional.” They need to go one step further and convince non-traditional candidates why they should consider a career in InfoSec. Along with this shift in perspective, employers may need to develop new approaches to recruiting, training, and developing this talent pool.
CSO/CISO as a business leader
Oftentimes the CISO is perceived as “Specialized IT” and not as the true business leader that they are. As a CISO, it may seem obvious that I think this perception can become a self-fulfilling prophecy and that a great CISO is someone who brings a unique perspective to the C-Suite. However, throughout my career, I’ve seen that there is often a gap between security and business strategy. Boards and the C-Suite need to be hiring, developing, and demanding CISOs with the skills and talent to bridge this gap, which has proven time and again to be vital to organizations’ success. As more leaders learn about and begin to value cybersecurity, it will be essential to the success of the organization that everyone is aligned and on the same page.
In practice, this includes inviting your CISO to attend (and present at!) board meetings, including them on business strategy discussions, and providing opportunities for them to further develop their skills beyond cybersecurity and into the realm of business operations. CISOs are most successful in their roles when they’re a part of the organization’s business leadership, rather than being called out from the corner only in the event of a crisis.
Ending Security as an a la carte offering
It’s no secret that with the attention on cybersecurity amid large-scale hacks, organizations are beginning to take their security measures more seriously. While there has been some positive progress here on both an organizational and policy level, security isn’t often the default thought for many organizations. Whether organizations don’t see it as a necessity or don’t have the proper resources, treating security as optional opens the door to vulnerabilities.
Increasing and scaling security measures isn’t the sole responsibility of one individual or team, but rather everyone’s responsibility. In 2022, information security leaders, along with security vendors, need to double down on their sense of accountability for customers’ and users’ security outcomes. Security vendors should incentivize their customers to be secure by default, not secure as an add-on for an extra fee. Only by creating a system of accountability and a high floor for security expectations can organizations be better prepared and protected against cyberattacks in the coming years.
As we continue discovering ways to live and work together, I’m looking forward to the new year and what it will bring. With a heightened general public awareness of security, I hope that more organizations will make security a top priority and will turn to security leaders in a collaborative way. Heading into 2022, this will be the year of shifting mindsets, and the companies and employers that are able to do this will come out on top.