Cybersecurity resilience in the U.S. workforce is ‘at about a C-minus’: expert

Published on April 1st, 2022




(ISC)² CEO Clar Rosso joins Yahoo Finance Live to discuss the cybersecurity job vacancies in the U.S., increased cybersecurity needs amid potential hacker threats and the Russia-Ukraine conflict, and the poor risk assessments firms are putting out due to understaffing.

Video Transcript

[MUSIC PLAYING]

RACHELLE AKUFFO: Welcome back to "Yahoo Finance Live" everyone. As the Russia-Ukraine conflict escalated, President Biden urged companies to harden their cybersecurity defenses. But more than half a million cybersecurity jobs are unfilled in the US. To explore that disconnect and the risks that come with it, I'm joined by Clar Rosso, ISC Squared CEO. Thank you for joining me today, Clar. So then if you had to give a grade as to where the US stands currently in terms of cybersecurity resilience and its workforce what would that be?

CLAR ROSSO: Cybersecurity resilience in the workforce that being key, I think we're at about a C-minus. And for small and medium-sized businesses, we're probably at a D. Because those organizations don't understand the risks they are facing and they aren't filling the jobs they need to fill in order to protect their organizations.

RACHELLE AKUFFO: So let's break up some of that down because in your notes you say that the cybersecurity workforce gap as you call it, or the estimated shortage, it has been reduced to 2.72 million, that's down from 3.12 million last year. So some progress but what would you say is really stopping these jobs getting filled considering not just the demand for them, but also the salaries that come with them?

CLAR ROSSO: Right. So there's a couple of factors impacting us being able to fill the open jobs. One is that organizations are looking for professionals that have a level of qualification where the supply absolutely does not exist. So imagine if you were hiring an accountant and you had to-- and you wanted accountants right out of college, and they had to be CPAs already, not even possible. So most organizations are looking for folks that hold qualifications like ours, CISSP, that requires five years of experience. You can't get that for an entry-level job. So there's a little bit of a disconnect. Everyone wants the cream of the cream, and yet, they just don't exist. So we need to educate and get experienced more cyber professionals. And the only way we're going to do that is to appeal to a much broader base than we currently do.

RACHELLE AKUFFO: So then as we're seeing then, most of these unfilled cyber security jobs are in the private sector. So what's happening there and what can they do to sort of increase these pathways and get a more diverse workforce so they can fill some of these jobs?

CLAR ROSSO: So there is some great opportunity and we can also learn from the government sector because I gave those grades earlier, I'd give the government a much higher grade than the US in terms of its understanding of the need and going after, fulfilling their cybersecurity workforce needs. But what we can do is start to look at other parts of our business, start to look at tangential career fields, and say, where do I have employees who are good problem solvers, good at analytical thinking, good at critical thinking? They have great communication skills? They work well alone and in a team? Who are those individuals within your organization? And slowly start to bring them over to the cyber team or have them work-- often cyber is-- it's really a team sport where people are working in groups to solve problems, have them help support a particular project or problem and see how they do. We often see in cyber that individuals are doing fractional roles, like 25% of their job is in cyber. So it's actually a great way to test out your workforce. The other thing the employers have to do is they have to commit to hiring entry-level professionals and upskilling them to do the specific roles that they need to do.

RACHELLE AKUFFO: And as you mentioned, if people are sort of using some of their job skills for cybersecurity if you actually have a cybersecurity team that is stretched too thin what are some of the consequences that companies really should be bracing for when they're considering how to prioritize investment in this?

CLAR ROSSO: This is huge. So when we did our Workforce Study last year, we asked that very question. We said what's at stake if you don't have a fully staffed workforce? And I'm going to read from this so that I can tell you exactly what they told us, they say we misconfigure systems. We don't have enough time for proper risk assessment and management. So we don't even know what our risks are and the risks we do know about, we're not being able to properly manage. We're slow to patch critical systems. We rush deployments of technology. We can't do the threat landscape assessment that we need to do. And there are oversights in our processes and procedures. And why that matters is those six things are the same reasons that organizations report that they've had data breaches or ransomware attacks. And in this environment, in the environment with the conflict going on in the Ukraine, the risks are even greater. We recently asked our members who are the cyber experts around the globe we said, what are you worried about? We had respondents from 41 countries, including the Ukraine and Russia, and this is what they told us, they said, we're worried about critical infrastructure and supply chain attacks. We're worried that we're not prepared and that businesses are not prepared. We're worried about data loss and the ability to do business. We're worried about this cyber precedent that this sets for future conflicts. We can assume, we can count on the fact that warfare in the future is going to include cyber warfare. And then last but not least-- and this is something that all businesses should be truly concerned on, is they're worried about opportunism that the current conflict is going to create. That it's not going to be just nation-states going after each other, the other cyber threat actors are going to take this opportunity where everybody's looking at critical infrastructure and supply chain to attack organizations.

RACHELLE AKUFFO: And I mean, honestly, if this isn't a wake-up call I don't know what will be. We do appreciate your insights. Lots of great information there. Clar Rosso, the ISC Squared CEO. Thank you for your time this afternoon.




