MedCity Influencers

The war for cloud and cybersecurity talent is on!

The oldest news in the world still seems to be that we have a dearth of cybersecurity talent – now for the fifth consecutive year. In its latest annual report, The Life and Times of Cybersecurity Professionals 2021, ISSA reveals several reasons for the shortage.

Companies are adopting the cloud like never before for a myriad of reasons. Many cite greater scalability, faster deployment time, and cost savings. During the lockdowns of the pandemic, we witnessed firsthand the overnight transformation of healthcare delivery models and the great eruption of cloud-based analytics usage to deal with the need to care for thousands of sick and dying Covid-19 victims. Healthcare providers predicted how many hospital beds were available for a surging pandemic on an hourly basis. Our customers saved lives, bolstered by cloud hyperscalers and those of us who knew the intricacies of configuring the right cloud services for the right applications in a secure, compliant way.

As dreadful as the pandemic has been, it took one of the deadliest pandemics of our time to propel healthcare technology transformation ahead by at least a decade. To put that in perspective, think about your local hospital. That hospital likely still has its own data center. It probably still has all the accouterments of the data centers of the mid-2010s, and hospital executives are likely trying to figure out how to convert them to revenue-generating bed space.

It’s no secret that healthcare providers have been cautious cloud adopters. They know that cloud providers offer strong security measures as part of their services. On the flip side, providers also know that they are ultimately responsible for securing their workloads in the cloud. So, while they try to maximize their ROI on real estate, they grapple with the challenges of transforming their digital footprints to better serve their patients. They struggle with finding and keeping humans who possess cloud and cybersecurity skills. Ultimately, for providers, it comes down to how best to protect patient data while fueling innovation to stay ahead of the competitor provider down the street as demand for highly qualified talent continues to outpace supply.

In the latest Cloud Security Report by (ISC)2, security remains a top issue for cloud customers in general. Nearly every cybersecurity professional who took the survey (96%) is concerned about public cloud security. Given the many attacks on patient data, this level of concern has increased since last year’s survey.

(ISC)2 revealed that the most significant cloud security challenges are:

  • Data loss or leakage (64% – down 5% from 2020)
  • Data privacy and confidentiality (62% – down 4%)
  • Accidental exposure of credentials (46% – up 2%)

These top three are closely followed by:

  • Legal and regulatory compliance (44%)
  • Visibility and transparency (40%)
  • Incident response (38%)

Workers were forced to leave the office and adapt to working from home while simultaneously altering their flight path to cloud adoption. The cloud journey, breach patterns, threat intelligence, and likely the ridiculous increases in cyber insurance costs have taught healthcare providers they must configure, maintain, secure, monitor, and observe the cloud nearly perfectly to trust it for their patient data. Nevertheless, cloud adoption pays off, and they know it. But man, it can be a struggle for those who lack cloud and security expertise.

In many cases, healthcare providers cite the lack of qualified cloud and security staff as the most significant barriers to cloud adoption. According to InfoWorld, the shortage of cloud skills is killing companies that want to move to new technology quickly.

Gartner’s 2021-2023 Emerging Technology Roadmap reveals that IT executives see the talent shortage as the most significant barrier to deploying emerging technologies, such as cloud-based services.

Focusing on cyber, the oldest news in the world still seems to be that we have a dearth of cybersecurity talent – now for the fifth consecutive year. ISSA did a great job of helping us understand why. In its latest annual report, The Life and Times of Cybersecurity Professionals 2021, ISSA reveals several reasons for the shortage. Grouped into four broad categories, the ISSA and (ISC)2 findings and my firsthand observations reinforce patterns contributing significantly to the cyber skills shortage.

Stress plays a significant role.

  • Cyber professionals are constantly playing defense against a thousand bad actors at once from around the globe. The bad guys must succeed only once to potentially destroy your company or your reputation.
  • Cyber pros work long hours, often at nights and weekends, to thwart attacks. Incident response requirements take them away from family and friends, and the effects compound over time.
  • The shift to a remote workforce has blurred the lines between work and home for everyone, contributing to failures to unplug and stop working at day’s end.
  • Fighting high-stress battles every day against unnamed, hidden adversaries can accelerate burnout.
  • It can be a very thankless job, and it’s not for everyone.

Solution: Security and cloud professionals must prioritize and contribute to the health of their minds, bodies, and psychological well-being. Organizational leadership should require time off for these high-stress positions and essentially force a reboot from time to time.

Training is constant and typically underfunded.

  • Cyber pros usually need 40 hours of continuing professional education training per year, per certification. Often, they cannot afford to pay for it on their own. Employers with moderately low training budgets do not fund CPEs adequately, effectively shifting training costs to the employee.
  • Day jobs are full-time, which leaves no room for cybersecurity skills development during working hours. Cyber pros must then do it after work, contributing to the burnout trend.

Solution: Leaders should work with the organization to adequately fund continuing professional education and prioritize a culture of continuous learning. Leadership should also offer some leniency in allowing workers to use working hours to expand their knowledge. Employers must prioritize wellness so that cyber pros can avoid burnout.

The war for cyber talent means you should be aware of changes in compensation trends.

  • Cloud and cyber pros get poached by other companies a lot. Compensating them well and helping them be balanced as much as possible can extend their stay at your company. Quality of life is still important even to the most formidable cyber warrior or cloud expert.
  • Companies that ignore an employee’s need for balance see more turnover than necessary and incur higher recruiting and hiring costs.
  • Companies sometimes still insist on requiring cloud or cyber pros to work from an office full time. Making the cloud or cyber pro relocate just because you want to see that new hire in the office occasionally can cause the best security pro to join a company with greater flexibility.
  • Frequent and transparent communication must also be integrated into the workday so that these professionals have an outlet to ask for help, guidance, and relief, when it’s needed.

Solution: Hire a great HR leader who understands the importance of compensation trends and how to stay abreast of them. The ideal HR leader is passionate about keeping great employees and has enough leadership ability to successfully advocate for the right balance in compensation, career planning, and culture considerations.

Expectations and blame.

  • Many companies expect too much from a cybersecurity team. As cloud systems expand, so too do their workloads day-to-day. They work more tickets, respond to more requests, monitor more alerts, and often can’t keep up with the increasing workload.
  • When an event occurs, sometimes the cybersecurity team, or members of it, are blamed for the organization’s failures. Whether a phishing attack, a misconfiguration, an appliance failure, or a zero-day attack, many failing organizations punish the cybersecurity team by directly or indirectly blaming them for the cause.
  • Cyber job openings that remain open for very long periods can also demoralize an overburdened cyber team.
  • Similarly, job recruitments that are out of line with the levels of experience cybersecurity professionals typically have further delay the hiring process.

Solution: Our leadership has invested a lot of money to ensure that we have appropriate resources to fight the never-ending cyber war and rapid cloud expansion. But not every company is so lucky. Advocate for the resources necessary to invest appropriately in these areas. You may find great success grooming existing employees from within. For more information about this growing trend, please see the Healthcare Industry Cybersecurity Workforce Guide. Or find a third-party partner to bolster your internal resources.

When a significant security issue or cloud configuration issue occurs, leadership should support those battling on the front lines to address it. That includes getting them the resources necessary to resolve the issue quickly and effectively. Preparing for a significant incident should happen well in advance of one. Being disciplined about practicing for an event can significantly reduce stress and bolster the confidence of cyber and cloud experts who defend the company.

Tooling and investment.

  • In many cases, the tools used to manage on-premises data centers do not translate well to cloud environments. This mismatch results in misconfigurations, data leakage, and security incidents.
  • Cloud services rapidly evolve, making it difficult to understand the massive number of changes in a cloud service over short periods.
  • Varying use cases may require seemingly duplicative tooling approaches. Unless business leaders are properly educated, this gives leadership the impression that efficiency is not valued.
  • The evolution of methodologies and technologies can stress well-defined processes. The following examples can put the cloud and security teams behind the eight ball as they scramble to convince the business to invest in new tools that can work with new approaches:
    • Shift left
    • Zero trust
    • Cloud Workload Protection Platform (CWPP)
    • Cloud Security Posture Management (CSPM)
    • Serverless or low/no-code technologies
    • Container or microservice infrastructure
    • Artificial intelligence and/or machine learning integration

Solution: Cloud and security leadership should work cross-functionally to educate the organization about how new technologies sometimes require changes in tooling. Involve stakeholders across the organization in creating requirements criteria, creating tooling strategies, and selecting solutions. Learn how to create a business case for the investment request.

The cloud journey can be complicated and challenging. It’s much easier for cloud and cybersecurity pros to fight the battles if the company they work for is a mission-driven organization engaged in a good cause. Having a cause greater than oneself can help drive the culture and the passion for hitting that keyboard every day. The companies that succeed in attracting talent are also focused on culture and value their people above all. No company can keep all the talent all the time. Still, when the recruiter reaches out to your key security or cloud experts, make that team member think twice before considering that new offer.

Photo: anyaberkut, Getty Images

Chris Bowen is Founder and Chief Privacy & Security Officer at ClearDATA. He leads ClearDATA’s privacy, security and compliance strategies as well as advises on the security and privacy risks faced by customers, including healthcare payers, providers, life science companies, and innovators from the Asia Pacific, North America, and Europe.

A Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the IAPP, and Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) from (ISC)2, Chris is an expert on patient privacy and health data security. He is a frequent speaker at national healthcare industry events.