Thanks for the opportunity to serve this great community of Security & Risk Management Leaders. Knowing the landscape of our #criticalinfrastructure sector challenges helps us plan and allocate resources effectively. I’ve had a great number of collaborations with industry leaders this quarter, focusing on interest rates, new threats, the evolution of AI, and global economies.
Here are a few pressing challenges I see our collective teams facing in the next 24 months:
1. TALENT
With hundreds of thousands of open positions across the IT and security landscape going unfilled, there's no doubt you're feeling the challenge of finding and retaining qualified people. It is a uniquely challenging world out there: remote-work policy and inflation have complicated the market.
I see the OT/ICS labor market trending toward a buyer's market and away from the seller's market we've seen. In other words, candidates who insist on remote work are being turned down, and the ultra-high compensation that OT-trained personnel commanded in the past few years is coming down.
What this means: as security and risk leaders, we should focus on finding, hiring, and TRAINING talent for the long term. You want people on your team who want to be there and are willing to give their training and growth the focus, time, and effort needed to succeed over the long run.
I recommend AGAINST trying to hire UP at any cost. It is imperative this year to hire people who are aligned with your business goals, rather than selecting on IT/OT experience alone.
2. PRODUCT CONFUSION
Plenty of controls require a product to close, mitigate, validate, or defer risk; we know this. In the next two years, I see security and risk management leaders being overwhelmed with product demos if they don't manage their project plans effectively. New and emerging vendor capabilities are strong, and you'll have a lot of "new ideas" to balance.
But the real reason you're going to get confused is that institutional capital investors are putting immense pressure on product and service vendors to drive pricing, revenue, and scale UP, following generally poor performance from tech companies in 2022. Many tech companies, especially those that raised upwards of $10M in 2021/2022, faced market uncertainty, the lingering effects of COVID (remote work), and a shift of focus toward the regulatory/compliance market. Many of the companies you're evaluating right now are likely fighting for survival, so a holistic look at market case studies, the platform's and company's own security investments, and leadership is a must.
One of the best ways to avoid a poor product selection is to confirm that the product you're buying from company X is actually their "big seller." Lots of companies, large and small, are still pushing "new" cross-sell and up-sell products that may not have the market penetration or track record of their core offering. I recommend asking the vendor questions like "what percentage of your customers buy this offering versus not?" or "would you mind sharing the product lifecycle of this offering compared with your others?"
Another tip: limit product evaluation and demo duties to one, or maybe two or three, people on your team, depending on its size. Some people are simply better suited to evaluating vendors than others, and they might even enjoy it. This frees the rest of your team to focus on running successful POCs/POVs.
3. NON-TECHNICAL PLAYERS
One of the questions CISOs were most uncomfortable fielding in 2022 was "how are we doing?" from the board, the C-suite, and customers who don't understand their role or world. "How are we doing on what?" Compliance, threat management, OPEX, personnel training, cyber resiliency?
It isn't easy being a security and risk manager in 2023, because cyber in the headlines creates more short-term panic than long-term resourcing. Non-technical personnel tend to "get scared and react," and the increased marketing push from security product companies doesn't make it any easier.
Additionally, new regulations are driving involvement beyond the security team. Managing these questions comes down to roadmap management: being able to state clearly every quarter (or month, or year) what your team was resourced to accomplish and how you're tracking against those projects. Security and risk management leaders can only quantify the success or status of their team when resource allocation and business-outcome alignment have been approved at the CXO level.
If you find value in (or object to) any of the above, feel free to reach out to me via LinkedIn and start a collaboration.