Bosses say they're serious about cybersecurity. It's time for them to prove it

Business leaders claim that cybersecurity skills are a top priority, but their actions often suggest otherwise.
Written by Owen Hughes, Senior Editor

If there's one profession that continues to dominate demand in tech hiring, it's cybersecurity.

Demand for cybersecurity staff has skyrocketed since 'remote work' entered the lexicon and businesses doubled down on their digital assets as a means of insuring them against future uncertainty.

While the post-pandemic tech boom has been a blessing for tech-savvy professionals with a knack for anything software related, it has also left companies more exposed than ever to the dangers lurking in cyber space.

As the threats from ransomware, malware and intellectual property theft become all too real for businesses, hiring managers have turned to cybersecurity professionals to keep them safe. The problem is, there are nowhere near enough of them to go around – and many in the cybersecurity biz are beginning to drop out due to stress and burnout.

A number of factors underpin the shortfall of skilled tech talent in the workforce, a big one being the fact that technology now evolves at such an alarming rate it's hard to know what skills will still be applicable in the medium to long term (although coding is generally a safe bet).

But decisions in the C-suite are also stifling businesses' efforts to adequately defend themselves from cyber threats. While leaders absolutely want cybersecurity expertise on their teams, they're not necessarily willing to pay for it. Or, to put it more accurately, they're not willing to pay enough.

Take a recent report by O'Reilly, which found that only a third of HR decision makers in UK tech companies are willing to spend more than £10,000 ($11,600) on cybersecurity-related recruitment, learning and development over the next 12 months. When you consider that over half of cyber attacks cost businesses upwards of $100,000, it's staggering that employers are unwilling to invest one-tenth of this sum to stop such attacks from happening.

Budgets are always contentious in businesses, and it's difficult to convince company leadership to invest in something they can't see to guard against something that might not happen (even if it probably will) – particularly when many IT leaders still don't have a say in company decision-making, even when it relates to tech.

But £10,000 doesn't seem like a lot when you consider how much money employers have tied up in huge offices and flashy corporate hubs that are only being used once or twice a week. One way companies can find room in the budget for tech training is by figuring out how much office space they really need and downsizing accordingly.

But money, while a key factor, is just part of a multifaceted cybersecurity skills problem. Many businesses still don't have the right mindset to effectively navigate an increasingly complex work environment – and that's usually a result of leadership.

Much like their employees, business leaders were thrown into remote working in 2020 with little planning or preparation. While they were busy sending out laptops, setting up VPNs and trying to keep tabs on suddenly invisible workers, few were considering what such a massive upheaval in workplace and IT practices meant for cybersecurity in the long-term.

Many leaders still haven't addressed this, and are instead taking a 'set it and forget it' attitude to cloud apps and security software – an attitude that does not deliver a holistic approach to risk management.

The scale of this problem was highlighted in an October report from cybersecurity firm Savanti. In a survey of 800 global board directors, 83% identified cybersecurity as a top priority, but fewer than half had taken any dedicated action – even if this simply meant requesting IT security updates, or auditing their company's cyber-readiness.

The report also found that Chief Information Security Officers (CISOs) are being hired, managed and evaluated as technical experts rather than business leaders. So when it comes to big strategic decisions, there is nobody in the room to explain how they might impact IT or cybersecurity.

Little wonder that so many IT leaders are fed up with not being listened to, which perhaps explains why – according to Savanti – the average tenure of a CISO is just 2.3 years.

The good news is that companies are, for the most part, starting to realize they can no longer sleep on cybersecurity issues. If they haven't already been a victim of an attack or attempted attack themselves, they almost certainly know of a company that has – and a company that was likely better prepared than they were.

The intense media focus on cybersecurity has offered another incentive for businesses to stay out of the spotlight: falling prey to a cyber attack is a bad look, and the financial, operational and human implications could be catastrophic at a time when companies are trying to cope with an economic downturn.

Looking ahead to 2023, businesses need to balance costs with the growing need for tech skills. But if leaders are serious about building resilience and holding fast in a year of uncertainty, cybersecurity cannot be relegated to an afterthought.


ZDNet's Monday Opener is our opening take on the week in tech, written by members of our editorial team. 

