October 26, 2020

Last Updated on January 15, 2024

It’s no secret that there’s a large and growing gap between supply and demand in the cybersecurity workforce. The pandemic has only made this worse, while at the same time increasing demands on these scarce human resources.
Industry thought leader Reg Harnish discussed this worldwide problem on a recent episode of The Virtual CISO PodcastReg is founder and CEO of the cyber advisory firm Slingshot Cyberventures, CEO of MSSP OrbitalFire and founder and past CEO of GreyCastle Security. Hosting the show per usual is Pivot Point Security’s CISO and Managing Partner, John Verry.

“Before the pandemic, we were in this situation,” says Reg. “And now many of these [InfoSec] folks, a lot of whom were IT folks to begin with, have been redeployed. They’re working on VPNs, helping people print from home, setting up Zoom licenses, worrying about this virtual workforce. So you have fewer cycles available to you from your cybersecurity expertise.”

“I also think there’s increasing demand on cybersecurity, from CISOs to firewall administrators,” Reg notes. “If you were struggling to find, attract, hire and retain cybersecurity talent back in March, it’s only gotten worse for you because there’s greater demand, and/or you don’t have access to as many cycles as you did.”
“One other thing that I think is also going to exacerbate that shortage is the ramp-up of the Cybersecurity Maturity Model Certification [CMMC] program within the defense industrial base,” observes John. “You’re going to see an inordinate number of companies that are going to need a lot of attention.”
“And the second thing is we haven’t really felt because a lot of companies have put it to the side during this pandemic is dealing with the California Consumer Privacy Act,” John adds. “But they’re not going to be able to put that to the side for much longer. So you’re going to have an already insufficient workforce that now has two other priorities.”

That’s not a pretty picture, especially since security workloads were already backlogged for many teams. But its not all bad news… with challenge comes prioritization.

“Cybersecurity issues don’t just vanish if you ignore them,” Reg deadpans. “They tend to stack up. I can name many organizations that basically put a pause on their cybersecurity investments; or again, they had reallocated their cybersecurity talent to other, more pressing issues. So the workload was already overwhelming in March. I don’t think any cybersecurity team out there felt like they were getting to everything that they needed to do.
“But with CMMC and a hundred other things… it hasn’t stopped,” Reg continues. “Your risks haven’t stopped; your adversaries haven’t stopped. Since March our production went down and the workload itself continued on that accelerating curve. The gap between what we needed to do and what we’ve been able to do has widened severely since March. So now, if you’re the CISO or a small business owner, you’ve got to make some decisions on your priorities.”

“Priorities have never been a strong point for the industry,” asserts Reg. “We all talk about risk assessment and how it helps prioritize and narrow your focus. But we’re not good at risk management today, in my opinion—so we’re faced with a brand new challenge in that area as well.”

If your business will benefit from out-of-the-box insights on risk management, data management, or just rethinking your overall security priorities and approach, be sure catch this podcast episode with Reg HarnishClick here to listen to the complete showand also to access all our other podcast content.
If you’re not an Apple Podcasts user, you’ll find the growing selection of episodes from The Virtual CISO Podcast here. 

SOC 2 vs ISO 27001 (Or Both)

What every Software-as-a-service (SaaS) firm needs to know in order to acquire/maintain independent validation of their security posture.
View our guide today.