Building Resilient Security in the Age of the Great Reshuffle

Authors: Prakash Renduchintala, Rohitha Chowdhary and Pradeep Sekar
Date Published: 1 September 2022
Related: State of Cybersecurity 2022

Since early 2021, large numbers of employees around the world have quit their jobs and moved to other enterprises in what is being called the Great Resignation, also known as the Great Reshuffle.1 This upheaval is being blamed on the effects of the COVID-19 pandemic. The worldwide pandemic has had a disproportionate impact on the economic activity of various industries and sectors, altered workforce requirements, and changed employees’ perspectives and priorities. The result has been an estimated 4.4 percent reduction in total working hours worldwide in the second quarter of 2021.2 The dramatic rise in the number of people leaving their jobs across all industries is attributable to a variety of reasons, including wage stagnation, the rising cost of living, staff burnout and the need for a career change.3 The US Department of Labor noted that 4.3 million US workers quit their jobs in August 2021, with most of the resignations taking place in the retail and hospitality sectors.4 In Europe, data from the Organization for Economic Co-Operation and Development (OECD) show that 14 million people have exited the labor market, with low wages being the primary factor.5

Although the mass exodus of talent has eased a little since the beginning of 2022, its effects on average compensation, organizational culture, employee expectations and security will be felt for years to come.

Effects Within the Cybersecurity Industry

The cybersecurity industry is not immune to this exodus of talent, and it had a preexisting shortage of skilled workers before the start of the pandemic. The gap has raised concerns about how business leaders view their cybersecurity posture and preparedness. According to one report, 98 percent of business leaders, cybersecurity leaders and cybersecurity practitioners have concerns about the current level of turnover in the cybersecurity workforce.6

The global shortfall of workers with cybersecurity skills is estimated at approximately 2.7 million vacant jobs according to a recent survey by (ISC)2. Further, 60 percent of respondents reported that their enterprises faced a shortage of cybersecurity professionals that posed an extreme or moderate risk.7 According to the US Commerce Department, the cybersecurity skills gap is growing. There were approximately 600,000 unfilled positions in December 2021, up from 465,000 at the end of 2020—a 29 percent increase.8

Hiring and retention have always been concerns in the cybersecurity industry, and there are not enough skilled defenders to offset the number of attackers. Long-standing issues were exacerbated by the pandemic because of the increased workload and stress experienced by employees and their families. Enterprises not only struggled to hire enough talented cybersecurity professionals, but also increased the stress on their existing workforce. Cybersecurity budgets are now in the spotlight, as most enterprises find it difficult to obtain sufficient funding to align with the risk and potential impact of an increasing number of cyberattacks.9

Even employers that pay high salaries are finding that generous compensation is not enough to attract and retain cybersecurity talent. Many cybersecurity professionals feel overwhelmed by substantial on-the-job pressure and, because of the workforce shortage and the growing number and evolving complexity of cyberthreats, their jobs are more stressful than ever.10 According to a 2021 survey, 62 percent of the existing cybersecurity workforce are experiencing an increased workload, primarily because their employers cannot hire enough talent. Thirty-eight percent of respondents reported high burnout and attrition rates among cybersecurity employees.11

Rising Security Threats

The Great Reshuffle has had a major impact on cybersecurity, including an increased risk of insider threats—that is, threats posed by individuals from within an enterprise such as current or former employees, contractors and partners. The cybersecurity workforce is on the front lines when it comes to confronting insider threats, which can result in loss of intellectual property and customer data such as personally identifiable information (PII), personal health information (PHI) and credit card numbers; hefty regulatory fines; and damage to the enterprise’s reputation. Employees with a grudge against a former employer may leak or sell valuable data or offer access to their former employer’s digital assets to ransomware hackers in exchange for a piece of the ransom payment.

According to a recent study on insider threats, there was a 72 percent increase in these incidents between 2020 and 2021. Forty-two percent of insider threats involved the theft of intellectual property or data. The sectors most often affected by insider threats included critical infrastructure, technology and government agencies.12 Another study found that the number of insider threat incidents increased 44 percent over the past two years, with some of the relevant factors being the shift to remote work and the Great Reshuffle.13

The shortage of cybersecurity professionals comes at a time when many individuals are working remotely from home, using networks shared with other family members. Home networks and router infrastructures are vulnerable to ransomware attacks and other cyberthreats because employees and confidential files are not protected by the enterprise network. Without appropriate security measures in place, it is easy to copy critical documents to a personal cloud account or transfer files to a removable Universal Serial Bus (USB) storage device, leaving files unsecure and more susceptible to threats.14

With a rapidly evolving threat landscape, the deficit of qualified cybersecurity professionals means greater risk to enterprises. As a result, cybersecurity has become a critical component of the risk management function. The cybersecurity talent shortage is one of the major challenges in managing an enterprise’s cybersecurity posture. Enterprises should revisit their strategies for managing the cybersecurity workforce and build resilient environments with a focus on learning and development (e.g., upskilling, cross-skilling), job rotation, security culture and investment in people.

Strengthening the Cybersecurity Workforce

Employers should reevaluate their hiring and retention strategies. For example, they should make an effort to hire more women, more people of diverse ethnicities and those with niche skill sets who can excel in cybersecurity roles. It is valuable to determine whether employees can be cross-trained in cybersecurity domains or whether some employees may be interested in pursuing career goals different from those attainable in their current positions. To retain talent after recruitment, organizations should offer defined career paths, mentorships and training programs. Internship opportunities can guide young people toward careers in cybersecurity. Organizations should consider making key changes to enhance their cybersecurity, including:

  • Develop a healthy security culture—The cybersecurity workforce can benefit from empathetic leadership in the work environment and a healthy security culture. Adapting work practices to evolving needs, especially those related to the pandemic, enhances trust among employees and allows them to take personalized steps to improve their well-being, productivity and job satisfaction. For global enterprises spanning multiple time zones, it is critical to respect and consider employees’ optimal work hours to maximize productivity while providing flexibility. Security leaders should encourage employees to participate in developing open cultures that will help them build trust, learn about their security responsibilities and provide and receive continual feedback on team performance.
  • Establish a vision and growth mindset for the cyberworkforce—Every enterprise has its own unique culture, and it is necessary to attract and retain talent with values and attitudes that align with the enterprise’s vision and mission. Organizational leaders must establish growth mindsets in individuals and teams. This is critical for encouraging an innovative outlook and continuous learning. Employees with growth mindsets believe that skills and abilities can be developed over time. They not only want to learn and apply new skills, but also want to share their knowledge with others. Cybersecurity professionals with growth mindsets see challenges as opportunities to grow and learn and to become more resilient and adaptable. The hybrid work environment prevalent today needs security employees who are working toward a common goal that aligns with the enterprise’s larger purpose. The significance of their roles and their effect on broader organizational goals and objectives must be recognized, and appreciation for employees’ efforts must be communicated day in and day out. Security leaders should communicate frequently and effectively with their teams on the vision and purpose of the security function as it relates to the broader business. They should underscore the value that security unlocks for enterprises to rapidly scale and expand.
  • Continually upskill and reskill employees—Investment in skill enhancement and the development of new capabilities should be part of the employee retention strategy. Upskilling programs encourage critical thinking and help employees focus on strengthening their job-specific skills, which are keys to success. Developing and implementing a formal mentorship program guides security professionals on their career paths, as do external security industry forums that enhance and extend their professional networks. Connecting with like-minded security professionals provides perspective on needs and priorities. A structured model that includes shadowing, internal job opportunities, certifications and training ensures a cybersecurity workforce that is ready for the future and prepared for the pace of technological innovation and adoption across industries. Security teams should look for opportunities to invest in self-learning platforms and virtual labs and collaborate with security vendors on live demonstrations and hands-on training experiences. Leaders should also show their commitment to cybersecurity training by giving employees the necessary time off to prepare for and obtain security certifications.
  • Embrace the hybrid working model—Enterprises need to realign their human resources policies and working models to create ecosystems capable of managing the work experience of employees. Organizations can attract more cybersecurity talent by giving employees the flexibility to work securely from anywhere. Enterprises must determine how to be flexible in determining their cybersecurity priorities while following business requirements that vary based on sector and industry. Security teams are increasingly providing options for employees to be in the office a few days of the week on a rotational basis based on their business needs. Security leaders should coach their managers to lead and manage teams in this new hybrid working model and educate the cybersecurity staff on how to optimize their workplace experience. Most cybersecurity teams must deal with the impact on security investments, workforce restructuring and work backlog to meet business requirements. Considering the global shortage of talent in the cybersecurity industry, enterprises can build a stronger workforce by augmenting their internal capacity with external security vendors and managed security service providers (MSSPs) where required. Managed services can take the form of outsourcing or co-sourcing models, which can be quick and effective ways to overcome these challenges.
  • Automate cybersecurity capabilities and processes—Enterprises have started to hire more cybersecurity professionals and increase their capacities to handle cyberthreats. However, due to the worldwide talent shortage, job vacancies remain. Without the appropriate tools and systems in place, employees will continue to be burdened by extra security responsibilities, resulting in increased attrition. Enterprises should consider investing in emerging technologies such as artificial intelligence (AI), machine learning (ML), analytics and robotic process automation (RPA) to help bridge the talent gap, empowering teams and increasing their day-to-day efficiency and efficacy. For example, RPA can be leveraged by security teams to automate repetitive, time-consuming cybersecurity tasks such as reviewing third-party security contracts and conducting quarterly internal security audits. In addition, ML capabilities can be explored to analyze open-source threat databases, building on existing knowledge by identifying new threats and thereby assisting in the development of efficient incident response processes.

Conclusion

As the cybersecurity industry struggles to cope with talent shortages, the aftereffects of the Great Reshuffle have widened the already existing skills gap. As enterprises deal with high rates of employee turnover, they should actively seek to transform their cybersecurity recruitment and retention strategies to prevent valued and skilled employees from leaving. They should implement plans to minimize the effects of turnover and the threats posed by insiders to build a resilient workforce. Security leaders who can successfully transform their current cybersecurity functions and implement the proposed changes can realize a higher return on their employee investments, effectively improving their overall security posture and delivering value to their enterprises.

Authors’ Note

The authors would like to thank Abhinav Kumar for his contributions to the development of this article.

Endnotes

1 Meister, J.; “The Great Resignation Becomes the Great Reshuffle: What Employers Can Do to Retain Workers,” Forbes, 19 April 2022, http://www.forbes.com/sites/jeannemeister/2022/04/19/the-great-re-shuffle-of-talent-what-can-employers-do-to-retain-workers/?sh=7c0ab0ef4cf3
2 International Labour Organization (ILO), World Employment and Social Outlook: Trends 2021, http://www.ilo.org/wcmsp5/groups/public/---dgreports/---dcomm/---publ/documents/publication/wcms_795453.pdf
3 Cook, I.; “Who Is Driving the Great Resignation?” Harvard Business Review, 15 September 2021, http://hbr.org/2021/09/who-is-driving-the-great-resignation
4 Cox, J.; “A Record 4.3 Million Workers Quit Their Jobs in August, Led by Food and Retail Industries,” CNBC, 12 October 2021, http://www.cnbc.com/2021/10/12/a-record-4point3-million-workers-quit-their-jobs-in-august-led-by-food-and-retail-industries.html
5 Taylor, P.; “The Good News About Labor Shortages,” Politico, 7 October 2021, http://www.politico.eu/article/good-news-labor-shortages-coronavirus-economic-recovery/
6 Code42, Annual Data Exposure Report 2022, 2022, http://www.code42.com/resources/reports/2022-data-exposure
7 (ISC)2, “A Resilient Cybersecurity Profession Charts the Path Forward,” 2021, http://www.isc2.org/Research/Workforce-Study
8 Hardcastle, J. L.; “Can Cybersecurity Offer Greener Pastures in the Great Resignation?” SDX Central, 23 February 2022, http://www.sdxcentral.com/articles/analysis/can-cybersecurity-offer-greener-pastures-in-the-great-resignation/2022/02/
9 Naden, C.; “The Cybersecurity Skills Gap,” International Organization for Standardization (ISO), 15 April 2021, http://www.iso.org/news/ref2655.html
10 Argov, S.; “Big Salaries Alone Are Not Enough to Hire Good Cybersecurity Talent: What Else Can Companies Do?” Help Net Security, 29 November 2021, http://www.helpnetsecurity.com/2021/11/29/hire-cybersecurity-talent/
11 Information System Security Association (ISSA), “Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment,” 28 July 2021, http://www.issa.org/cybersecurity-skills-crisis-continues-for-fifth-year-perpetuated-by-lack-of-business-investment/
12 DTEX, 2022 Insider Risk Report: Psycho-Social Behaviors, Remote Work and the Rise of the Super Malicious Insider, USA, 2022, http://www2.dtexsystems.com/2022-insider-risk-report
13 Dice, “Insider Threats: Why These Cybersecurity Incidents Continue to Grow,” 21 February 2022, http://insights.dice.com/2022/02/21/insider-threats-why-these-cybersecurity-incidents-continue-to-grow/
14 Sabau, C.; “Are Leavers a Threat to Your Data? What the Great Resignation Means for Your Data Protection Controls,” Endpoint Protector, 27 January 2022, http://www.endpointprotector.com/blog/are-leavers-a-threat-to-your-data-what-the-great-resignation-means-for-your-data-protection-controls/

PRAKASH RENDUCHINTALA

Is a senior consultant with Optiv Security’s cyberstrategy and transformation team. He has more than eight years of experience in IT audit, third-party attestation, control gap assessments and IT risk management.

ROHITHA CHOWDHARY

Is a manager with Optiv Security’s cyberstrategy and transformation team. She has extensive experience leading and delivering multidisciplinary cybersecurity projects for clients across various industries, including establishing enterprisewide cybersecurity capabilities through the security management and governance, risk and compliance domains.

PRADEEP SEKAR

Is a managing director and leader of Optiv Security’s cyberstrategy and transformation team. He is a seasoned cybersecurity professional who has worked closely with a variety of Fortune 100 and 500 chief information security officers (CISOs) and chief information officers (CIOs) and their teams to develop and sustain secure, adaptive and robust cybersecurity programs.