
If there’s one profession that continues to dominate tech hiring demand, it’s cybersecurity.

Demand for cybersecurity workers has skyrocketed since “remote work” entered the lexicon and businesses have doubled down on their digital assets as a means of insuring themselves against future uncertainty.

While the post-pandemic tech boom has been a boon for tech-savvy professionals with a knack for all things software, it’s also left companies more exposed than ever to the dangers lurking in cyberspace.

As the threats of ransomware, malware, and intellectual property theft become all too real for businesses, hiring managers are turning to cybersecurity professionals to keep them safe. The problem is, there aren’t enough of them to go around—and many cybersecurity businesses are starting to fold due to stress and burnout.

A number of factors underlie the shortage of skilled technical talent in the workforce, the big one being that technology is now developing at such an alarming rate that it’s hard to know what skills will still be applicable in the medium to long term (although encoding is generally a safe bet).

But C-suite decisions also stifle businesses’ efforts to adequately protect themselves from cyber threats. While leaders absolutely want cybersecurity expertise on their teams, they aren’t necessarily willing to pay for it. Or, more precisely, they are not willing to pay enough.

Take a recent O’Reilly report, which found that only a third of HR decision-makers at UK tech companies are willing to spend more than £10,000 ($11,600) on cybersecurity-related recruitment, training and development in the next 12 months. When you consider that over half of cyberattacks cost businesses over $100,000, it’s astounding that employers aren’t willing to invest a tenth of that amount to stop such attacks.

Budgets are always controversial in business, and it’s hard to convince a company’s leadership to invest in something they can’t see to guard against something that might not happen (even if it probably will), especially when many IT leaders still have no say in company decision-making, even when it’s related to technology.

But £10,000 doesn’t seem like much when you consider how much money employers have packed into huge offices and shiny corporate centers that are only used once or twice a week. One way companies can find room in their technical training budget is by figuring out how much office space they really need and cutting back accordingly.

But money, while a key factor, is only one part of a multifaceted cybersecurity skills problem. Many businesses still don’t have the right mindset to effectively navigate an increasingly complex work environment – and this is usually a result of leadership.

Like their employees, business leaders were thrown into remote work in 2020 with little planning or preparation. While they were busy shipping laptops, setting up VPNs, and trying to track the suddenly invisible workers, few considered what such a huge upheaval in the workplace and IT practices meant for cybersecurity in the long run.

Many leaders have yet to address this and instead take a set-it-and-forget-it approach to cloud-based applications and security software that do not provide a holistic approach to risk management.

The scale of this problem was highlighted in an October report from cybersecurity firm Savanti. In a survey of 800 global board directors, 83% identified cybersecurity as a top priority, but less than half had taken any specific action – even if that meant simply requesting IT security updates or auditing their company’s cyber readiness.

The report also found that Chief Information Security Officers (CISOs) are being hired, managed and evaluated as technical experts rather than business leaders. So when it comes to big strategic decisions, there’s no one in the room to explain how they might affect IT or cybersecurity.

It’s no wonder so many IT leaders are fed up with not being listened to, which may explain why—according to Savanti—the average CISO tenure is only 2.3 years.

The good news is that companies, for the most part, are beginning to realize that they can no longer sleep on cybersecurity issues. If they haven’t yet been the victim of an attack or attempted attack themselves, they almost certainly know of a company that has – and a company that was probably better prepared than they were.

The intense media focus on cybersecurity has offered another incentive for businesses to stay out of the spotlight: falling victim to a cyberattack is a bad look, and the financial, operational and human consequences can be catastrophic at a time when companies are trying to cope with an economic downturn.

Looking ahead to 2023, businesses must balance costs with the growing need for technical skills. But if leaders are serious about building resilience and holding firm in a year of uncertainty, cybersecurity cannot be left behind.


ZDNet’s Monday Uncover is our introductory look at the week in tech, written by members of our editorial team.

