If you’re an IT or cybersecurity professional, you’ve been very busy over these last few months dealing with a gigantic jump in remote work and the increasing security challenges brought on by the coronavirus pandemic.
Almost overnight, IT and security staff had to figure out how to help the entire office work from home securely while still protecting the company. Now, organizations should think differently about how they recruit, hire and train those positions, according to Simone Petrella, CEO of cybersecurity workforce development firm CyberVista.
“That’s increasing the importance of IT personnel and changing the way companies should recruit, grow and train talent,” Petrella says.
The growing threat surface
Both private organizations and public government agencies have warned of an increased attack surface due to remote work and news headlines about the coronavirus pandemic.
“In many sectors, it’s increasing the need for there to be IT and security personnel because so much has moved either virtually or online,” Petrella says.
According to reports, hackers and state actors are targeting remote work solutions like videoconferencing platforms and are conducting phishing attacks posing as official health organizations. State actors are also targeting healthcare research about the coronavirus.
“Those threat actors are very aware that we now have people who are accessing corporate networks from home, those of us that are fortunate enough to be able to continue to work remotely,” Petrella says. “And so everyone’s home network is now an endpoint that connects to their business in some way, and so that creates an entirely new attack surface and increases exponentially the amount of vulnerabilities that were already there.”
Remote work was already trending up, but this happened much faster than anyone could have anticipated.
“We were never really situated to be … entirely remote,” Petrella says.
For example, VPNs need to be installed on endpoint devices, but there are now added enforcement and compliance components to deploying a VPN.
“That puts a real demand increase on the type of talent we need,” Petrella says.
Look within for new cyber, IT talent
With those added pieces and the perfect storm of security and infrastructure issues being caused by the pandemic, organizations should look at filling those cybersecurity and IT positions a bit differently.
That might include outsourcing security functions, or looking to other areas of the organization affected by cost-cutting measures and seeing whether existing talent could be revectored into more security-enabled roles.
“That way, you’re not necessarily … losing good talent that you already had institutionally, and you’re giving them an opportunity to upskill into a growing field,” Petrella says.
Even before the pandemic, the cybersecurity and IT industries were harping on the need to build a talent pipeline. That notion may have been doing them a disservice, according to Petrella.
“The truth of the matter is that a lot of the talent they need is really sitting under their noses, and they could more efficiently and cost effectively upskill that talent into the roles that they need, and have the added benefit that there are people who know the business objectives, the organizational culture and institutional norms,” Petrella says. “And those are really important things for employers when you talk about retention, but also value creation.”
If the COVID-19 crisis has taught us anything, it’s that cybersecurity professionals are needed in every industry and every sector, but different organizations require different skills for their cybersecurity and IT staff. As such, employers shouldn’t just take a blanket approach toward hiring for those positions.
Those employers want professionals skilled in both of those aspects, but new cybersecurity workers also need soft skills like communication, teamwork and management.
“It is increasingly important we find security professionals — or we grow security professionals — who are able to apply those controls in a way that’s consistent with objectives of the business and making that logical leap,” Petrella says. “Otherwise, you’re doing it without any real context.”