Unknown Host
You're listening to the Cyberwire network powered by N2K.
Simone Petrella
Hello friends. The Cyberwire team is on a short holiday break so we're bringing you a special curated selection. This is one of our Solutions Spotlight special editions. Thanks for being with us. We'll see you in the new year.
Simone Petrella
In our ongoing Solutions Spotlight series, today N2K President Simone Petrella returns with a conversation with ISC2 CEO Claire Rosso about putting a dent in the cybersecurity workforce gap. Here's their conversation.
Claire Rosso
I am so excited to be joined today by Claire Rosso and you've spearheaded some pretty amazing initiatives in your tenure since joining. Just to level set for everyone listening, those initiatives, one of which is the entry level Certified in Cybersecurity certification, and it has had over 110,000 people express interest in joining the cybersecurity industry in just three months. I will also state for the record, we actually put out a challenge to our own team if they wanted to take the Certified in Cybersecurity. We are helping them get that and encouraging them to take it. So we've created some own incentives to do that. But the workforce gap is wide. But Claire, I'm excited to talk today about some things that you all are doing to help tackle that, especially around diversity initiatives as well. Before we dive into all of that, one of the first things I noticed about you is that you have a long history with associations, but of accountants. Yep. So I would love to hear a little bit about your background, but then also your perspective on the similarities and maybe differences that you've noticed in the field since joining cybersecurity.
Unknown Host
Thank you, Simone. So thanks. It's great to be here. Great to be talking to you. Thanks for having me. And it's fascinating actually that I come from working four decades for the accounting and finance profession because I actually think my experiences there are not dissimilar to what we're doing here. And there's a lot to be learned both ways in that relationship. So accounting and finance has an underlying need to have a deep knowledge and understanding of risk management and if you think about what cybersecurity is, it's nothing but risk management. So the overlap there was a super pleasant surprise for me when I joined the organization. And then personally I think that plus the fact that in my career I had had so many opportunities as a business leader to be involved as a sponsor and at different times very hands on in the execution of tech projects. So that sort of. And I always like my whole career was really interested in talking to network security people. Although they didn't call themselves network security, they were just the IT guys. And they were guys. Yeah. And they were all about the network. And they'd draw the pictures on the wall and they'd explain what firewalls were to me. And this was like early days for me. And it left a lasting impression that is serving me well today. But when I think about the profession, there's a couple areas that some of what I learned when working with accountants is actually serving me really well here with cybersecurity. So one is just thinking about the professionals. And in accounting we had a workforce gap. Nothing on the scale like we have in cybersecurity, but that challenged us about a decade or so ago to really think how do we think differently about who we hire and how can we challenge our traditional beliefs that we need to have people who have technical accounting skills and really think about what are the core competencies that make someone a good accountant.
Well, guess what, they're problem solvers and analytical thinkers and critical thinkers. They have a commitment to lifelong learning. We need them. We may not have historically needed them to, but now today we need them to be good communicators. They need to in writing and in verbal communications. They need to be great. And gosh, that sounds really similar to what we need in cybersecurity. So I think that is a pleasant area of overlap that we can leverage. The other thing, because we're here today at SecureDC for ISC2, we just had a speaker downstairs and the room started talking about the disparity of standards in cybersecurity. And that really struck a chord with me because, you know, ISC2, we're 35 years old in 2024. This is a new profession. We haven't been around for 150 years. So we're early days and we are seeing a tidal wave of regulation coming to the profession. And professionals are overwhelmed because they want to be in compliance with regulation, but they also need to do the work of cyber defense. And you can't really do both most of the time. So there are trade-offs. So we really have some opportunity to talk about setting global standards in cybersecurity and really harmonizing. And it has to be global because the work of cybersecurity professionals is global. And I think because the accounting profession's been around for decades, this will be my last accounting analogy. But they learn for that. But it took them 125 years to figure it out. We can do it much earlier. We can now start having the conversation about how do we harmonize, how do we harmonize across the globe, how do we harmonize within agencies in the US and that can create a real important opportunity to strengthen the security posture of our whole ecosystem.
Claire Rosso
Yeah, I mean it always has struck me being in the cybersecurity industry for as long as I've been in there. We are an industry of professionals, but we haven't professionalized. Yeah, and what I think you're describing is this concept of like professionalization, you know, and those standards are part of it.
Unknown Host
But yeah, so we have, we like kind of look at the. I don't know, I get a little confused about the number of the legs on the stool. But we have the certification piece right with. It has exam education, experience and ethics. But I'm going to come back to ethics. We need the standardization and the standards that we're holding people to. But then I think the other thing, and this is actually one of our work projects for 2024, is we need a standardized code of professional conduct or ethics in the profession. So we've been starting to talk to government stakeholders, the other certifying bodies about, let's put together that framework for what does a code of professional conduct look like? What are the standards we all need to be held to? And in a profession where in certain parts of the world, it's more lucrative to go work for the bad actors than it is to work for businesses and government, it's really important that we take that step and focus on that professionalization.
Claire Rosso
I would think it's also pretty helpful for recruiting other people to even progress in the field, because I know one area that a lot of cybersecurity leaders are really nervous about right now are the recent SEC charges against SolarWinds, and then who's taking that personally? And kind of, you know, what happened with Uber? So there is some accountability that's coming into the profession and.
Unknown Host
And we need to create clarity about what's okay and what's not okay. I think the other thing that we need to be looking at is I was actually really surprised. I feel a little naive about this, but I was really surprised to learn because ever since I've been in an executive role in an organization, I have been covered by the D&O insurance of that organization. So work I do on behalf of the organization is covered by the insurance. CISOs aren't always included in that. And that was actually pretty stunning to me that they're not. And so I think that we can do something as a 600,000 plus professional organization to talk to businesses, talk to the insurance companies, and talk about, wait a second, we need to have the same protections for our cyber leaders as you are giving to other leaders in the organizations. Now, that doesn't absolve anybody if they participate in criminal activity. But yeah, good point, but I wouldn't.
Claire Rosso
Do that for any other executive either. Exactly right. So switching back to kind of the meat of the topic, ISC2 is known for putting out its annual cybersecurity workforce study, and the most recent came out in early November of 2023. Would you mind sharing some key takeaways or themes that you saw from this most recent study?
Unknown Host
Okay. As usual, it's a good news, bad news scenario, which is really ultimately good news. So the workforce grew. It grew 8.7% to 5.5 million professionals. We count fractional people in cybersecurity as part of the workforce because it is really illustrative of what the cybersecurity workforce looks like. So anybody who spends more than 25% of their time on cyber roles we include as part of the workforce. So 5.5 million. We grew the supply. Always good news, we pat ourselves on the back. But at the same time, the demand grew even more. So our unfilled roles in cybersecurity now globally are around 4 million, which is huge. It was about a 12 point something percent increase year over year. And while that's worrisome, I actually think it's positive too. Because what that tells me, because this is demand for unfilled roles, is that organizations are prioritizing cyber professionals on their team, which is they understand the value of cybersecurity professionals in the workforce. So that was kind of the top level. It's about the same all over the globe. APAC has the highest gap. It's well over 2 million unfilled roles, which again, you could turn that to say they have the greatest awareness of the value of cybersecurity within the business. But some of the other things that came out that I thought were interesting, maybe not surprising, but like uniform interesting is 75% of all the respondents said threat landscape's the worst they've seen in the past five years. This year we dug into the difference between people and skills. And so not just do you have a gap in your workforce, but do you have a skills gap? And perhaps it has really shone a spotlight on the fact that we need to be paying more attention to the skills gap because 92% of organizations are saying they have skills gaps in one or more areas. And a significant number of professionals are saying if we could address the skills gap in our organization, it would lessen the impact of the workforce gap.
So I think that really points to thinking about what are the skills we need, how do we take the time? And that's the hard part, right? You're a cyber professional. You know this. That's the hard part. How do we take the time to develop the skills that we deem essential to our organization so that we can really address our security posture and in.
Claire Rosso
Some cases take the time to identify which skills are required for the roles that we need? There's kind of an inventory analysis that has to happen before you even take the time to mitigate it by giving people training or whatever you're going to do to develop them. Are you finding also just in this unique economic environment, the market's doing okay, but companies are behaving like, you know, costs are kind of constrained and so the first things that often get cut are development budgets. I'm just curious if you're seeing that too.
Unknown Host
So. Yes. Which then makes me say we're hearing two different things. Right? We're hearing two different things that we actually did research early in 2023 where C suite said, we understand the value of cybersecurity professionals. We know that our risk is worse during times of economic instability. Last people we'd ever cut from our teams are cybersecurity professionals. So we were cautiously optimistic. But what we found is that 47% of cyber professionals in the past year have dealt with cutbacks to their team, either in the form of layoffs, budget cuts, or hiring or promotion freezes. 71% agree that the risk of malicious insider. And this was some of the interesting stuff that we found in this report, too, are far greater during these times of economic pressure. And it's actually like a stable time versus times like now. It's like the threat of malicious insiders are three times worse than they are during normal times. In fact, we had more than 50% of the respondents say that they have either first or secondhand exposure to a malicious insider event in the past year, and that over 40% are saying they've actually been approached to be the malicious insider and that I think the cybersecurity profession knows and understands the risk of malicious insiders. I think there's a lot of education we can do in the business community of helping them understand the risks that they're creating to their organization when indiscriminate cuts are made to teams.
Claire Rosso
What is ISC2 doing when it comes to educating at the executive level? Is that something you all are getting involved with now as that mission is expanding?
Unknown Host
It is. So we're looking at it from two angles. So our first angle is to work with cyber professionals themselves and help them think about what they do in terms of how a business runs itself. So talking about cyber in terms of how is it supporting the organization's strategic priorities, or what risks may be presented to the organization's strategic priorities based on what they do or don't do related to cybersecurity. So we're working on that. We've started to run cyber leader workshops this fall, and we're going to start to ramp that up into next year. So that's one way we're tackling it. We are also tackling it with business leaders through more generalized outreach of how we talk to the media, how we talk to groups that represent business leaders and boards of directors about what they need to know about cyber literacy. We actually endorsed a report by NightDragon and Diligent, Dragon and Diligent. Sorry about that pause there. But that actually looked at the cyber literacy of public company boards of directors in the US and it found that only 12% of directors have any level, any reasonable level of cyber literacy. So if they're. So board directors in the US are woefully unprepared to consider an organization's cyber risk, and that's in public companies. So just imagine what it is in private companies. And then the third thing we're doing is as we are scanning the horizon on global regulation, we're trying to look at it through that lens as well, of what are the decisions that businesses are making. And I think one of the what I think we see and hear governments talking about as being kind of business friendly. We're going to share best practices with you. We're going to suggest what frameworks you should be following.
I'm not sure as business friendly as they make them out to be, because we're allowing businesses to kind of shoot themselves in the foot, so to speak, and make bad decisions that are putting them at risk if they're part of critical national infrastructure. And practically everyone's not yet everyone's not. Right. You're putting the whole nation at risk. So it's a really interesting situation, and I think there is a ton of work to do. We were just in a room where somebody said, you know, the business leaders in my sector, they're really smart. They make thoughtful decisions. And then he said, but time and time again, they're not prioritizing the cybersecurity risks within their businesses. So I have to ask, are they really making thoughtful decisions? Do they really understand what they're deciding on?
Claire Rosso
Right. Well, there's that old adage now that every company is a tech company.
Unknown Host
Yeah.
Claire Rosso
I mean, what company isn't? You know, you could be driving FedEx trucks, and those trucks are loaded with sensors. They know every single location they're at when they're happening. Like, you don't think that's connected to the Internet? How are you not running a tech company in somewhat.
Unknown Host
Exactly. Exactly.
Claire Rosso
Well, you know, full disclosure, we've been a partner of ISC2 for a long time, but one thing that is so exciting to me is it seems like your mission's really expanded over the last few years, and you're just taking on so much more. Everyone knows ISC2 is the CISSP.
Unknown Host
We are CISSP.
Claire Rosso
And what you're describing is so much more. As we think about that road to professionalization, has that been. If I'm reading it between the lines here. Has that been part of your charter as you've been thinking about reshaping the organization?
Unknown Host
Working with our board of directors is absolutely intentional. So I would akin it to, you know, we're talking about professionalizing the sector, and part of that is professionalizing the professional bodies. So we really and our peers acted like training organizations to some degree. We, we push people to be certified and we certify people, and that has done that. The work of ISC2 and the other certification bodies has done more to build the cybersecurity workforce than anything else across the globe. So that has great value and we're still totally committed to that. So that part I always want to be clear about. But the reality is our members, the cybersecurity profession, needs representation. They need people out there advocating with regulators, policymakers on what makes sense and what doesn't make sense, because everyone goes generally to make policy with good intentions, but they don't really understand the impact of the decisions they're making unless somebody who has that expertise can come. And let me explain to you why maybe reporting every cyber incident within 24 hours of it happening actually doesn't make any sense at all. Part of what we can do is we can help speak for the collective. We can give voice to the individuals in ways that they aren't going to be able to do for themselves. And so absolutely intentional on that advocacy front for the profession. The other thing that we've really expanded greatly and will continue, continue to do into the future is once someone is certified, rather than just automatically saying, okay, earn your next certification, really focus on what are the areas of professional development that you need most and how can we help you do that? So you can imagine in the virtual halls of ISC2, we are talking a lot about third party supply chain risks. We're talking about AI security and the safe and ethical use of AI. 
We're talking about OT/IT industrial controls, you name it, we're talking about all those things and talking about how do we help people effectively and rapidly make sense of what's going on so that they can do their jobs better and faster and easier.
Claire Rosso
Well, on that point, I know a part of that is also addressing diversity and inclusion, and that's a priority for ISC2 as well. How are you approaching those particular issues in the cybersecurity community and what initiatives are in place now to promote diversity?
Unknown Host
All right, well, so we kicked off a DEI initiative three years ago when I first joined, and we brought a group together globally to say, what's the landscape look like here and what do we need to do? And the data's super clear. The people, we bring diverse individuals in and they don't stay. And it's the worst with women, right? We bring women in and they don't stay in cyber. And we need to change that. We need to understand what the root causes of that. So our approach has been first and foremost that we're not going in alone on this. So there are so many wonderful nonprofits all across the globe that are focused on helping different kinds of diverse or underrepresented groups enter the cybersecurity profession. So some of them are racially based, ethnically based, gender based, neurodiversity based. There's tons of organizations. So we are partnering with them to understand what we can do to help people be successful. And one of the things that we found out and we held a global DEI summit in Washington D.C. last summer to bring that group together and talk about what can we do that's most important. And where we landed was sort of a two way path on employability. How do we, for individuals beyond our certified in cybersecurity, how do we help provide them with the tools and the confidence they need to consider a job in cyber, to interview for a job, to create that resume, to successfully onboard in a job. And especially when you might be onboarding in an organization where you don't see a whole lot of people like you there. And then how do you help them just navigate the workplace in a way where they feel included and they belong and that's somewhere where they want to stay. So whole bunch of work starting in that area and there's a lot going on there. We just want to amplify and scale that. And we now need to also address the employer side of the equation. And I bet you have stories, you could tell me so many. 
But we need to work with employers to say, what are those best practices? Let's work together. Because your heads are all nodding when we talk about hiring differently. So let's talk about that. How does that mean you change your job descriptions? How does that mean you change? How do you change how you filter for who you interview? How might that even change how you interview and consider who's a qualified candidate for a job? And then from there, once we get people hired, what are the best onboarding practices? How do you create an inclusive environment where everybody's voice is heard? Because that little thing, and it's not a little thing, that is one, it's a key to great problem solving in organizations that are dealing with dynamic challenges. But it's also one of the number one indicators of job satisfaction for cybersecurity professionals that make them want to stay at an organization is when they feel like they're being listened to. And so we're going to work on the employer side with all those things. We're going to talk about pay equity with people, we're going to talk about their advancement practices and how to do it, and then we're going to start to spotlight the organizations that are doing it. Well, we don't have an actual name for it yet, but just imagine ISC2 Cybersecurity Employer of Choice. And we already know that organizations that in their job postings talk about their diversity equity inclusion programs are viewed more favorably than those organizations that don't have that. So we think if we add this other level, those employers will be the employers that people are beating down their door for.
Claire Rosso
Everyone always wants to keep up with the person next to them. So that's a brilliant idea. I love it.
Unknown Host
Yeah. I gotta tell you one more thing. I gotta tell you one more thing. I don't. We now actually have data that shows that organizations that have DEI programs in place have better security postures than those that do not.
Claire Rosso
Interesting.
Unknown Host
So 19% of organizations that have DEI programs in place report that they have. They're at moderate to severe risk, as opposed to 34% of organizations either have no DEI programs at all nor any plans to have them ever in the future. So I think that that's really interesting because people, some people, some people, when you talk about DEI, it's like they think they've been sent to the principal's office.
Claire Rosso
Right.
Unknown Host
And it's like, this isn't about sending you to the principal's office. This is just about making you better, all of us better at what we do.
Claire Rosso
What's your hypothesis on that? I have a couple I could come up with. But what's yours?
Unknown Host
Well, I want to hear what yours are too.
Claire Rosso
Mine would be that if you have a DEI program in place, that you've set a cultural expectation, that you're looking for diversity of thought experiences and backgrounds. And so as a result, you are. If you're making the effort to kind of put the program in place, then you're doing a little more than just talking the talk. And so even if it's not entirely formalized, it's created a culture, or at least the start of a culture, where you could hire people who have different diversity of thought and that makes. I believe that that actually ultimately reduces our risk in a security world.
Unknown Host
Absolutely. I agree with you completely because I think what it does is it creates that. That if you're already doing that, it's not just a checkbox activity. You are already thinking in ways that create, like, that sense of inclusion and belonging in the organization, which also hopefully means that you're also taking care of the people on your team so that you're not burning them out and you're engaging in some of those best practices of job or project rotation. So, okay, we all gotta be 24/7 for periods of time, but we don't need to be 365 days a year. So I think so. And I do think I absolutely see a strong willingness across the profession to head in this direction. And this goes back to we want to do it. Help us. Help us on how we do it. Yeah, we know there are resisters, and there's really vocal resisters, but they are absolutely positively the minority in the profession, not the majority. Most people are very inclusive. I actually have been really impressed moving from working with a different profession before to coming to cybersecurity at how much cyber professionals want to help bring along the next generation of cyber professionals. So I think we're ripe for change here.
Simone Petrella
That's N2K President Simone Petrella with ISC2 CEO Claire Rosso.
Podcast Summary: CyberWire Daily – "Putting a Dent in the Cybersecurity Workforce Gap"
In this special edition of CyberWire Daily’s Solutions Spotlight, N2K Networks’ President, Simone Petrella, engages in an insightful conversation with Claire Rosso, CEO of ISC². The discussion centers on strategies to address the persistent cybersecurity workforce gap, emphasizing diversity initiatives, professionalization, and the evolving landscape of cybersecurity standards.
[02:53] Simone Petrella: Simone initiates the conversation by highlighting Claire Rosso’s pivotal role in ISC² and her initiatives that have significantly impacted the cybersecurity landscape. Petrella notes Rosso's efforts in promoting entry-level certifications, such as the Certified in Cybersecurity (CC) certification, which has garnered over 110,000 expressions of interest in the field within three months.
[04:00] Claire Rosso: Claire shares her extensive background in the accounting and finance profession, drawing parallels between risk management in accounting and cybersecurity. She emphasizes the similarities in required competencies, such as problem-solving, analytical thinking, and effective communication, underscoring the potential for cross-industry learnings to bridge workforce gaps.
[11:24] Claire Rosso: Claire discusses ISC²’s latest cybersecurity workforce study, revealing that the global cybersecurity workforce has grown by 8.7% to 5.5 million professionals. However, the demand outpaces supply, with approximately 4 million unfilled roles worldwide—a 12% increase year-over-year. APAC regions exhibit the highest gaps, exceeding 2 million unfilled positions.
Notable Quote:
Claire Rosso [11:24]: "Our unfilled roles in cybersecurity now globally are around 4 million, which is huge. It was about a 12 point something percent increase year over year."
[14:11] Claire Rosso: Claire highlights the critical issue of the skills gap, noting that 92% of organizations report deficiencies in required areas. This gap not only affects workforce numbers but also the quality of cyber defense.
Notable Quote:
Claire Rosso [14:11]: "92% of organizations are saying they have skills gaps in one or more areas. And a significant number of professionals are saying if we could address the skills gap in our organization, it would lessen the impact of the workforce gap."
She stresses the necessity for organizations to identify essential skills, invest in professional development, and align training programs with strategic cybersecurity needs.
[08:16] Claire Rosso: The conversation shifts to the professionalization of cybersecurity. Claire emphasizes the need for standardized codes of conduct and global standards to elevate cybersecurity as a recognized profession akin to accounting.
Notable Quote:
Claire Rosso [08:16]: "We are an industry of professionals, but we haven't professionalized... We need a standardized code of professional conduct or ethics in the profession."
[20:23] Claire Rosso: Claire elaborates on ISC²’s role in advocacy, representation, and continuous professional development, ensuring that certified professionals are equipped to influence policy and uphold industry standards.
[22:51] Claire Rosso: Emphasizing the importance of continuous learning, Claire discusses ISC²’s initiatives to provide resources on emerging topics like AI security and supply chain risks, fostering a culture of perpetual growth and adaptation among cybersecurity professionals.
[22:51] Claire Rosso: Addressing diversity and inclusion (DEI), Claire outlines ISC²’s comprehensive DEI strategy aimed at increasing representation and retention of diverse groups within cybersecurity.
[23:09] Claire Rosso: Claire details the collaboration with various nonprofits focused on different underrepresented groups, emphasizing the dual approach of enhancing employability for individuals and improving employer practices.
Notable Quote:
Claire Rosso [23:09]: "We brought diverse individuals in and they don't stay. And it's the worst with women, right? We bring women in and they don't stay in cyber. And we need to change that."
She highlights initiatives such as DEI workshops, employer-focused best practices, pay equity discussions, and the promotion of inclusive workplace environments to foster retention and satisfaction.
[27:10] Claire Rosso: Claire presents compelling data linking DEI programs to improved security postures. Organizations with robust DEI initiatives report lower risks, demonstrating that inclusive environments contribute to enhanced problem-solving and reduced vulnerabilities.
Notable Quote:
Claire Rosso [27:10]: "Organizations that have DEI programs in place report that they are at moderate to severe risk, as opposed to those that do not have DEI programs."
She hypothesizes that DEI fosters diverse thinking and collaboration, which are critical in addressing complex cybersecurity challenges effectively.
The discussion between Simone Petrella and Claire Rosso underscores the multifaceted approach required to mitigate the cybersecurity workforce gap. By emphasizing professionalization, addressing skills shortages, and fostering diversity and inclusion, ISC² is spearheading initiatives that not only aim to fill the existing gaps but also enhance the overall resilience and effectiveness of the cybersecurity landscape.
[30:25] Simone Petrella: Simone wraps up the conversation by expressing optimism about the future of cybersecurity, thanks to the proactive measures and collaborative efforts highlighted by Claire Rosso.
Notable Quotes with Timestamps:
Claire Rosso [04:00]:
"Accounting and finance has an underlying need to have a deep knowledge and understanding of risk management and if you think about what cybersecurity is, it's nothing but risk management."
Claire Rosso [08:16]:
"We are an industry of professionals, but we haven't professionalized... We need a standardized code of professional conduct or ethics in the profession."
Claire Rosso [11:24]:
"Our unfilled roles in cybersecurity now globally are around 4 million, which is huge. It was about a 12 point something percent increase year over year."
Claire Rosso [14:11]:
"92% of organizations are saying they have skills gaps in one or more areas. And a significant number of professionals are saying if we could address the skills gap in our organization, it would lessen the impact of the workforce gap."
Claire Rosso [23:09]:
"We brought diverse individuals in and they don't stay. And it's the worst with women, right? We bring women in and they don't stay in cyber. And we need to change that."
Claire Rosso [27:10]:
"Organizations that have DEI programs in place report that they are at moderate to severe risk, as opposed to those that do not have DEI programs."
This comprehensive summary captures the essence of the conversation between Simone Petrella and Claire Rosso, highlighting the critical areas of workforce development, professional standards, and diversity initiatives necessary to fortify the cybersecurity field against evolving threats.