Your company has put all of its employees through security awareness training and has (or contracts) a dedicated security team, but will that really protect all access to sensitive data?
The cybersecurity industry has exploded over the last decade. In the United States government alone, the budget for cybersecurity across agencies for 2020 is $17.5 billion, with the U.S. Department of Defense representing 55% of that figure ($9.6 billion). Overall spending across public and private sectors in the U.S. is estimated at over $44 billion for dedicated cyber defense people, processes, and technologies. The majority of these funds have traditionally been allocated to cybersecurity technology products and services; however, there is an increasingly concerted effort to address the workforce issue – the yawning cybersecurity skills gap. According to Cyberseek.org, there are currently 504,316 unfilled cybersecurity positions, and (ISC)2’s 2019 Cybersecurity Workforce Study estimates that the workforce needs to expand by 62% to meet the actual U.S. demand for trained cybersecurity personnel. The White House has bolstered this effort by way of an executive order in May 2019.
On the other side of the spectrum, organizations have been lining up to purchase cybersecurity awareness solutions. Market leaders like KnowBe4, Proofpoint, Cofense and dozens of other companies offer products and services designed for the general working population to increase awareness of common threats like phishing or social engineering. Some estimates suggest this industry will continue to grow at a significant clip to billions of dollars within this decade.
So while many solutions and providers focus on these two opposing areas, there is a dire need in the middle: a population over-served by cybersecurity boot camps and underserved by awareness training. For most employees at medium to large companies, some percentage of their time is spent handling responsibilities that provide access to sensitive data or systems.
This class is the cyber-enabled workforce, and organizational leaders who can identify, support, and develop this population are more likely to improve risk management and lower cyber risk while also promoting a positive cybersecurity culture in the near term.
What is the cyber-enabled workforce?
The cyber-enabled workforce is the subset of the general working population that, through role, responsibility, and access, holds positions that can affect cybersecurity risk or opportunity within an organization.
What is the difference between a cybersecurity and cyber-enabled role?
Cybersecurity employees work within roles focused on information security and all of the components and distinctions therein. For example, a SOC Analyst is a cybersecurity employee with the majority of his or her work responsibilities directly tied to cybersecurity.
Conversely, cyber-enabled personnel are not primarily responsible for information security, but rather work within IT networks as part of roles spanning various departments and experience levels. To illustrate, an accountant within a firm may work with computer systems and have access to sensitive financial data: he or she works within a cyber-enabled role but clearly does not hold a dedicated cybersecurity position.
Where does the term “cyber-enabled” come from?
The term “cyber-enabled” originated as a descriptor for traditional crimes, such as fraud or theft, facilitated by information system technologies. In criminal terms, cybercrime differs from cyber-enabled crime in that cybercrime depends on the use of technology, whereas cyber-enabled crime is merely aided by it.
What level of cybersecurity knowledge and skills does the cyber-enabled workforce need to possess?
It can vary by context, but here is a simple answer: a cyber-enabled employee should have an above-average understanding of cybersecurity, but not the breadth and depth of knowledge of a dedicated cybersecurity practitioner. Cyber-enabled employees may work in areas like traditional IT, data security, risk management and compliance, or threat detection and remediation. Security is a critical aspect of their roles, but their roles are not themselves cybersecurity functions. For the vast majority of cyber-enabled employees, general cybersecurity awareness training (anti-phishing, etc.) is currently offered, but it is woefully insufficient. At the other extreme, credential-specific training that results in a certification such as CISSP or CEH is prohibitively expensive and mostly irrelevant to cyber-enabled roles.
How large is the cyber-enabled workforce?
According to the Bureau of Labor Statistics, there are approximately 129 million people employed in full-time positions in the United States. Of those, about 40% work at large or very large companies (52 million people) and another 26% work at medium-sized companies (34 million). While there are certainly cybersecurity and cyber-enabled roles within small businesses, we will focus on medium to large businesses in this write-up for the sake of simplification and illustration.
While not all of those 86 million employees at medium to large businesses are cyber-enabled, many of them are. According to a Ponemon study, nearly nine in ten (88%) employees said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Based on this projection, the cyber-enabled workforce within the United States exceeds 75 million personnel, and that number could be significantly larger if it were to include companies of fewer than 100 employees.
What roles within a large organization would be considered cyber-enabled?
Based on the handling of sensitive data and the use of computers and computer networks, many roles can be considered cyber-enabled. In some departments, marketing for example, only some roles would be included; in others, like IT, all or most roles would be included.
Is my role cyber-enabled?
If you answer “yes” to two or more of the following questions, you are likely a part of the cyber-enabled workforce:
- Do you use an Internet-connected computer to conduct a majority or a significant portion of your work duties?
- Do you have access to proprietary information such as customer data, contact lists, employee records, or other confidential business documents?
- If a bad actor had access to your computer or workstation, along with access to the systems you use within your role, could it cause your organization significant financial damage?
- Do you interact with outside parties including partners or clients in some capacity related to cybersecurity products or services?
Filling Cybersecurity Skills Gaps
The future of business as we know it will be supported by talented team members across all departments who possess sound cybersecurity skills and demonstrate them in their daily activities. To support this reality, CyberVista has developed an employer-driven training model designed for both cybersecurity and cyber-enabled personnel. If you or your team has an initiative to build knowledge, skills, and abilities well beyond those of off-the-shelf cybersecurity awareness training, please be sure to get in touch.