Canadian HR Reporter

CANADIAN HR REPORTER SEPTEMBER 2018 NEWS 3 Venngo provides organizations the most comprehensive suite of private discount programs. we help people save money, save time and feel good. © 2018 Venngo Inc. All rights reserved. workperks ® is a registered trade-mark of Venngo Inc. All other trade-marks are the property of their respective owners. learn more connecting people with the brands they love TM www.venngo.com 1.866.383.6646 indulge CHHR_003.indd 1 2018-08-16 10:04 AM Cybersecurity talent hard to find: Report 'e race to leverage technology is outpacing our ability to manage the risk' BY SARAH DOBSON AS technological changes trans- form the operations of many em- ployers, there's an unprecedented demand for cybersecurity profes- sionals — and a resulting cyber- talent shortage. Seventy-three per cent of Cana- dian executives expect the num- ber of full-time cybersecurity staff to increase over the next three to five years, with one-quarter ex- pecting cyber teams to grow by more than 25 per cent, according to a report by Deloitte and the To- ronto Financial Services Alliance (TFSA). Executives cite the "increased frequency and complexity of cy- ber threats" and "increased secu- rity and privacy regulation" as the trends that will have the most im- pact on their cybersecurity over the next three to five years. "is is a field where we're all struggling… because the race to leverage technology and get the most value out of it is outpacing our ability to manage the risk associated with it," said Sashya D'Souza, senior vice-president of talent initiatives at the TFSA. "We as a nation, and really globally, don't have enough tal- ent to make sure that the risks are minimized," she said. "We will use AI and machine learning to help detect threats, and we will use process automation to take away some of the repetitive, labour- intensive cybersecurity tasks that are being done today by humans but we're still going to need hu- mans, and we're not growing our teams quick enough." Employers are adopting a lot more technology, such as the cloud, social media, customer analytics or digital payments, but that also increases their surface area of attack, said Marc MacKin- non, who leads Deloitte Canada's cyber-strategy practice and is a partner in the firm's risk-advisory practice in Toronto. "As they embark upon all these technologies, continue to advance their businesses, they're... blurring many of the boundaries that once existed in terms of where's really the inside versus the outside of the organization, collaborating and partnering with a lot more third parties and different organi- zations that may now have access to data." As a result, there's been an in- crease in the sophistication and deliberation of threats, he said. "Unfortunately, a lot of efforts therefore fall onto the shoulders of the security function, and when you have a demand that's increas- ing when the supply side isn't able to keep pace, then there's this whole challenge or glut in (the) market, essentially, where there's not enough supply in order to meet demand." Recruitment, retention challenges Recruiting, developing and re- taining cybersecurity profes- sionals remains an ongoing chal- lenge, according to the report, based on interviews with more than 40 cybersecurity leaders, educators and administrators, along with a survey of 110 Cana- dian executives. e top recruitment challenge is finding the right mix of tech- nical, analytical and soft skills (76 per cent), followed by the is- sue that demand for cyber talent exceeds supply (56 per cent), the lack of academic programs in this area (33 per cent) and graduates from academic programs in this area who don't have job-ready skills (30 per cent). Finding senior-level cyber tal- ent is most difficult (47 per cent), compared to mid-level talent (35 per cent) and entry-level talent (18 per cent). On the one hand, you could walk into the certified informa- tion security systems professional exam and see hundreds of people looking to have "CISSP" after their name, said Jeff Curtis, chief priva- cy officer at Sunnybrook Health Sciences Centre in Toronto. "And a lot of them will get certi- fied and then they hit the market, they go out and try to get a secu- rity job. e problem is they've never worked in security before; they've worked in technology but they haven't worked in any type of… compliance or risk manage- ment function." Younger people may know how to use software and conduct vul- nerability scans, but they haven't seen how that lives within a se- curity program, or completed a plan-do-check-act cycle of actions that's governed by a certified in- formation systems security officer (CISSO) who sets out the objec- tives of the program, he said. "It's very difficult… I can only get one out of 10 candidates who can put a sentence together, even if they've taken the courses, who can explain a narrative around what matters most," said Curtis. "ey have no associated busi- ness training, so they're techno- logically very astute, but techno- logical people are easy to find. It's the combination of that with the business training that's not there," he said. OVERALL > pg. 18

• Cover