Some Thoughts on IT Workforce Risks
Looking for another reason to worry about the long-term success of your compliance, audit, or risk management efforts? Fear not! A recent report on workforce development in cybersecurity paints a stark picture of just how challenging it is these days to build and maintain a good team.
The report comes from ISACA, the professional association for IT auditors, which released its State of Cybersecurity 2022 earlier this spring. It surveyed more than 2,000 IT security professionals around the world, asking about the cybersecurity skills they need people on their teams to have, and how easy or difficult it is to recruit and retain such employees.
The big message: most IT audit and cybersecurity teams are chronically short-staffed; and not enough newbies entering the talent pipeline have the skills that organizations need to tame the IT risks they face today.
We can start with some numbers:
- 62 percent of respondents said their cybersecurity teams are short-staffed;
- 60 percent said they’ve struggled to retain the cybersecurity employees they do have (up from 53 percent in 2021);
- 47 percent said it takes them three to six months to fill a cybersecurity role, and another 16 percent said it takes longer than six months.
So the first problem is that we don’t have enough cybersecurity workers, period. Then the ISACA report pivots to the skills that CISOs and IT audit managers want to have — and the numbers aren’t great on that front either.
The biggest skills gap cited by IT managers was the ever-popular “soft skills,” such as good communication, leadership, and flexibility in working with others, cited by 54 percent of respondents. Close behind was a gap in cloud computing skills, cited by 52 percent. The top six skills gaps are shown in Figure 1, below.
So, to recap: we have too few workers in cybersecurity and IT risk; and not enough of the ones we do have possess the skills that align with today’s corporate needs. Lovely.
The Problem Feeds Upon Itself
My concern is that at some point, these workforce problems metastasize beyond the CISO or audit director’s office. If a company is chronically running short on IT risk or cybersecurity staff, that becomes an internal control weakness unto itself — and potentially a large one.
This idea came to me thanks to a post we had last week about responding to whistleblower complaints. I quoted a forensic investigator who stressed that when you receive a whistleblower complaint, it’s important to consider whether you might have a deeper problem with internal control over financial reporting, such as poor segregation of duties or poor employee training. Even if the whistleblower simply misunderstood the procedure in question, that too might qualify as an internal control weakness: insufficiently skilled staff.
Well, the same principle applies to cybersecurity risks, too: an insufficient number of staff, or inadequately trained staff, can qualify as a weakness in the control environment. It’s right there in Principle 4 of the COSO Internal Control Framework:
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
The COSO framework then goes on to elaborate several more specific “points of focus” that a company should incorporate to achieve Principle 4. Among them:
- Evaluates competence and addresses shortcomings;
- Attracts, develops, and retains individuals;
- Plans and prepares for succession.
The true question here is whether senior management will provide CISOs and chief audit executives the necessary resources (read: money) to hire enough staff with the proper skills; and to give those people the proper tools and technology so that they can keep pace with the IT risks and compliance burdens your company faces.
For audit and technology teams in particular, these issues teeter on the brink of a vicious cycle. If you can’t recruit good people, you can’t pursue challenging new projects; if you have no challenging new projects, the good people you do have go elsewhere; then you fall behind on risk management and strategic goals, because you have outdated tech and overworked staff. So you can’t recruit good people, and the cycle starts all over again.
Turning the Workforce Tide
I know that plenty of CISOs and CAEs will say, “Building a good IT team has always been hard! It’s even harder today, with labor shortages and inflation! We’re doing the best we can!” I understand that. It doesn’t change the bare fact that IT risks are sprouting like weeds. If a company can’t recruit and retain the talent necessary to keep those risks in check, your internal controls will weaken in all sorts of ways.
The ISACA report offers some observations about that point, both good and bad. For example, 45 percent of respondents said they provide training to help nonsecurity staff move into security roles. This is an excellent idea, and not a new one. Internal audit shops have done this for years, letting folks from elsewhere in the enterprise rotate onto the audit team for a while. IT risk management or cybersecurity teams could do the same, and gain valuable First Line perspective about how employees actually use technology in their jobs.
On the other hand, if recruitment and retention are the goal, then CISOs and IT audit leaders need good relationships with HR so you can convey your needs clearly. That brings us to the bad news from ISACA: only 30 percent of respondents believe that HR teams really understand their needs. Which means that 70 percent don’t, which is an astonishing and alarming number.
So that’s another point to ponder. Do you have a good working relationship with HR? Do job descriptions they circulate match your needs? Do recruiters know what to look for when screening applicants? (I’ve heard horror stories about this from legal compliance people; I can only imagine how much worse the situation might be with even more complex fields like IT audit and cybersecurity.) Can you, the team leader, talk with counterparts at HR about manpower budgets, roles, job titles, and the like?
And of course, internal audit could always try to assess “talent risk,” and then present your findings to senior management and the board. Done correctly, that could be the most effective way to break any logjam over salaries, staffing size, and technology investments: demonstrate that with current salaries and tech, you can’t retain staff that can navigate the IT risks that your organization faces.
You’d need solid evidence, perhaps by diagramming employee skills and salary levels to IT risks — with lots of glaring gaps in whatever matrix you devise. Then, just maybe, the CEO and CFO would open the checkbook.