Organizations face three challenges related to cyber talent: Who is responsible for risk mitigation today? What skills are corporations seeking to staff their growing talent needs? And what steps are employers taking to keep the talent they have today?
Katherine Jones, Partner and Leader of Products and Insights for Mercer Select Intelligence
Karen Shellenback, Principal and Leader of Research and Insights for Mercer Select Intelligence
Published on 28 October 2016 on BRINK
Given the dearth of graduates from accredited cybersecurity programs—and the growing desire for personnel with related education, experience and certification—talent to fill open positions is scarce.
Companies may find themselves well served by providing current cybersecurity staff with the education to achieve certified status, and then compensating them well enough to retain that newly trained talent against competing offers.
Given the enormity of the potential risk and its impact on lost business (Lloyd’s of London estimated that cyber attacks are costing businesses $400 billion annually), far too many companies are strangely complacent. Only slightly more than half (53 percent) of the respondents in a 2016 Mercer Select Intelligence global survey reported that their organizations viewed cybersecurity as imperative across the entire organization. While the majority of respondents felt that they were organized to meet the tasks and challenges ahead—and were already sourced to build a flexible staffing model with the right mix of staff, consultants and contractors—far fewer (47 percent) felt they were adequately staffed in terms of talent to meet tomorrow’s challenges.
Who Owns Cyber Risk Mitigation?
Traditionally, responsibility for computer-related security rested in the IT department, especially for those companies that have maintained a designated cybersecurity function for more than 10 years. For many organizations, we see a shift to departments of risk management for cyber responsibility. While this is a growing trend and development, it is less than five years old. This may speak to one of several tendencies:
- An increase in organizational functions specific to risk management
- A growing trend to house cybersecurity within the overall corporate strategic risk function rather than in IT
- The growing focus of cyber risk management as a C-suite strategic risk issue
Interestingly, 21 percent of those responding organizations in which cybersecurity responsibility is housed in the IT function viewed it as a crucial priority inside IT, but not as a priority within the business units or at higher levels of management. This contrasts significantly with those organizations that housed cybersecurity within a risk management department, for which not one respondent thought that cyber concerns were limited to his or her department. This finding showcases the overall shift in perspectives on cyber attacks as a strategic risk management function rather than solely an IT charter.