Finally, a fresh perspective on the shortage in cybersecurity personnel that’s not about a) handwringing, b) more investment in university programs or c) more investment in AI or other advanced technologies.
“To Confront the Cybersecurity Skills Shortage, Prioritize” – that’s the advice of Jack Jones, creator of the FAIR model and co-founder of RiskLens, writing in an article just out for Homeland Security Today.
“Organizations should look at the skills shortage as another reason to move to more effective risk management practices,” Jack writes.
“When I review cybersecurity programs in organizations today, I often see a tremendous amount of wasted time and energy expended on concerns that shouldn’t be a priority.
“In fact, the ‘Top Ten Cyber Risks’ list has been wrong in every organization I’ve walked into that has taken the time to create such a list. By wrong, I mean most of the things in their list aren’t risks at all or aren’t their greatest risks.”
The result is a waste of an increasingly scarce resource: skilled cybersecurity professionals. The problem is compounded by a checklist mentality – using staff time to fill gaps in NIST CSF compliance instead of prioritizing true risks.
Jack has been crusading for years, as Chairman of the FAIR Institute and Chief Risk Scientist for RiskLens, for a quantitative approach to cyber risk analysis that puts a financial value on risk so organizations can effectively prioritize security investment and labor.
The security universe has been tilting in his direction lately: look at the direction from the Securities & Exchange Commission (SEC) to public companies for financial disclosure of cyber risk, the insistence from Gartner that risk quantification is a must-have, or even the risk-heavy topics for speakers at the RSA Conference.
As Jack’s Homeland Security Today article points out, the skills shortage is another important teachable moment for the infosec profession.