Dr. Adrian Davis, EMEA Managing Director at (ISC)2, gives a glimpse of how cybersecurity professionals can navigate the two major challenges facing Europe’s cybersecurity profession.
As we look ahead to the next few years, major challenges loom for Europe’s cybersecurity professionals. Chief among them is the race to comply with the new General Data Protection Regulation (GDPR) and the growing cybersecurity workforce shortage, both areas of focus for (ISC)2 at Infosecurity Europe this year.
(ISC)2’s GDPR Taskforce has been gathering front-line professionals’ experiences of the many unexpected steps involved in achieving compliance with the GDPR, which has less than a year to go before it comes into force, affecting companies around the world that do business with European citizens. This represents a mammoth task for companies and all cybersecurity professionals.
We discovered, for example, that amongst tasks necessary to comply with the law, cybersecurity professionals will have to:
- Develop a complete up-to-the-minute ‘inventory’ of all personal data held
- Ensure everyone from the marketing to the product development teams operates on the principle of ‘privacy by design’
- Introduce new privacy training for any employee or department involved in handling personal data
- Ensure total control over all ‘shadow IT’ and legacy systems to give subjects access to their data on demand
- Trawl through paper records of consent gathered from previous customers for personal data collected years or even decades ago
Most crucial of all, the law will apply to any and every department that handles personal data, from marketing to HR, which means cybersecurity professionals will need to get the support of every single business unit, including the board, in order to successfully implement it. This latter point, which has to date been the key stumbling block to companies getting their compliance efforts off the ground, remains the key challenge for those on the frontline. Too many boards continue to assess GDPR as a specialist IT task, rather than the organisational challenge that it actually is. We’ll be discussing these challenges and how to meet them at our Infosecurity Europe session “Being the Fly on the Wall – Experience from (ISC)2 Members’ GDPR Task Force” at 12:00 on 8th June.
Another key concern is our aging cybersecurity workforce that is failing to replace itself. We are facing a global shortfall of 1.8 million workers by 2022, a problem compounded by a profound lack of women and young people coming into the field. The proportion of women in the European workforce stands at a dismal 8% and, in the UK, just 12% of the workforce is under 35. This presents a grave and growing economic and national security threat at a time when the demands on cyber defenders are increasing.
Overcoming this immense challenge will require businesses to radically rethink the required cybersecurity skills for their organisations, where to find the people with those skills, and crucially their organisation’s commitment to developing these people. It will require companies to transform their hiring checklists and go outside traditional recruitment channels to find ways of attracting new people, including graduates and people from non-technical backgrounds, into the workforce.
The majority of employers still have a preference for off-the-shelf talent and look for ‘previous experience’ on CVs, but this will have to change if employers are to open the doors to more women and millennials as well as encouraging people to switch to cybersecurity from other career fields. They will also need to ensure that the expectations of hiring managers are aligned with the practical realities of work in the field.
There are also some less tangible issues to come to grips with. With male professionals in Europe earning £9,100 more on average than women, for example, employers will need to explore why this is the case and address the pay gap in order to make the workforce more attractive for women. There are also questions around the lack of diversity in the field.
There is growing evidence that the skillsets needed for cybersecurity are changing, with some of the most successful cyber professionals up to C-suite and executive level coming from backgrounds as diverse as marketing, finance and the military. The recruitment strategies of cybersecurity departments everywhere would benefit from reflecting this. We hope to move this discussion forward from the Keynote Stage in “Building an Agile Security Team for the Future” on Tuesday 6th June at 11:05, where I will be joined by several industry leaders, including The Economist Group and Network Rail.