Are you awake all-night thinking of the effects of Africa’s cybersecurity skills gap and rising brain drain on your team? It’s time to think differently.
Recently, my friend and I combed through a mental list of ex-colleagues and realized that we were the last men standing (I am a woman). Everyone in our previous clique had migrated after accepting irresistible job offers. These guys, like us, are highly skilled and include those who thought or said they’d never relocate. We laughed it off and ended that discussion acknowledging that we may have the same fate despite our inclination, plus the seemingly weakened resolve to stay put. Reports from emigration assistance groups and local banks show that African countries – including South Africa and Nigeria – have seen a sharp rise in the number of skilled people emigrating. Topping that list are cybersecurity professionals, leaving CISOs and business owners incapacitated. I have had discussions with business leaders who expressed their frustration with retaining their cybersecurity talents and had insightful conversations with many cybersecurity professionals on this issue. Here are five tips I believe would help CISOs and business leaders stay calm in these times where both issues (skills shortage and brain drain) are common.
- Dialogue!: Good CISOs have conversations with their teams to understand their career goals and plans. Having these discussions, reveal details that can help you plan. Business leaders need to realize the myriad options available to cybersecurity professionals, so having those discussions early enough always pays off. I know some CISOs that got 3 months to 1 year in notice using this strategy.
Call HR in: Due to a lack of understanding, futile attempts are being made by Human Resources to fill open cybersecurity positions. From many required certifications for entry-level positions, unrealistic pre-employment assessments, to incommensurate salaries. No wonder after many hurdles, the candidate’s stay is short-lived, or worse still he/she turns down offers for a better job or more money. Business leaders must work with HR to rejig the recruitment process for security professionals. The outcomes should include realistic remuneration packages, clear job descriptions with progression requirements, and pre-employment assessments based on specific competencies.
Restructure: Depending on the context of your organization, there are different ways to restructure your security team. You may decide to outsource the management of cybersecurity processes and IT systems, decentralise cybersecurity functions or cross-train staff. With managed cybersecurity services, organizations can improve their security posture as they have access to dedicated security professionals who are available 24/7, thus saving costs and bridging the skills gap. Secondly, according to Gartner research fellow, Tom Scholtz – a lot of routine security functions can be performed by IT or other business functions. I won’t totally recommend this due to issues related to segregation of duties, but this can work when push comes to shove. You can identify security functions that can be reassigned to other business functions by assessing the team’s effectiveness for transferable tasks (e.g. user awareness). This approach facilitates shared accountability and integrates security into the fabric of the company, instead of solely enforcing security through a centralized function.
Lastly, every team has an outstanding performer. However, it’s a problem when cybersecurity teams rely solely on one person. I have always been an advocate for multiple contingencies and in my past leadership roles, I ensured the transfer of competencies and skills through knowledge sharing, lessons learned sessions, coaching, and mentorship. This paid off when people started to leave/migrate. Quickly positioning the beginners in your team to take up key roles presents tremendous benefits.Adopting any of these strategies may seem difficult but has been proven to be beneficial.
About the Author:
Nkiruka Aimienoho is a security and resilience strategic leader with over a decade’s experience leading large-scale strategic initiatives. As PwC Nigeria’s Senior Manager – cybersecurity and resilience, she oversees cybersecurity, resilience, I.T standards, and privacy services. Her team helps thousands of organizations, and millions of people stay secure and resilient. Before joining PwC, she led the largest consulting workforce at Africa’s elite InfoSec GRC consulting firm – Digital Jewels limited.
She is the founder of InfoSec Amazons, a non-profit initiative with the mission of supporting women in information security at entry and mid-level career levels.