Randy Raw has nearly 30 years of experience building cybersecurity programs in public and private organizations. He is a proponent of risk-based, layered security measures utilizing both preventative and detective approaches. He owns a coaching business where he coaches emerging and successful cybersecurity professionals and leaders. As a CISSP, he has spoken at many local, regional, and national conferences on technical and leadership topics.
This article is based on an interview between Financial Services Review and Randy Raw, where he shares his insights on emerging trends and challenges in the cybersecurity field, along with ways to tackle them.
What are some of the challenges that you see impacting the enterprise security space?
While many within the technology sector are preoccupied with the immediate challenges and ethical dilemmas posed by artificial intelligence, I find myself focusing on a different, yet equally pressing issue—the talent gap in cybersecurity leadership. The obstacle at hand is not merely technical proficiency; it’s the capacity to find individuals who can lead and learn from seasoned experts. What’s critically needed are professionals who possess not just technical acumen but also the social and emotional skill sets required to be influential leaders in cybersecurity initiatives.
Understanding the intricacies of managing a multigenerational workforce is a challenge in itself. Leading Generation Z, who are recently entering the professional sphere, demands a different approach than managing Baby Boomers, who are nearing the end of their careers. Likewise, Generation X employees, who have accumulated years of experience, bring a certain level of skepticism, while often occupying roles that require deep technical expertise.
A study by Bain & Company posits that by 2031, a quarter of the U.S. workforce will be aged 55 and older. This aging demographic, which will likely extend its presence in the professional world, brings unique demands, ideals, and work styles. Consequently, cybersecurity leaders must adapt and develop strategies to manage and lead a workforce that spans multiple generations.
Are there specific project initiatives that your team is working on to address these challenges?
The challenges associated with leadership talent in cybersecurity are certainly a focal point for our organization. Yet, our concerns extend beyond that. We are also concentrating on integrating artificial intelligence into our cybersecurity strategy. From considering how our cybersecurity team can facilitate the safe business implementation of AI to evaluating vendors who incorporate machine learning into their cybersecurity solutions, we aim to be at the forefront of technological innovation.
Our department must transition from being the “department of NO” to becoming the “department of KNOW”—pronounced the same but fundamentally different. We strive to be actively involved in the innovation process and to translate security measures into risk assessments rather than merely ticking compliance boxes.
Our role as cybersecurity professionals goes beyond technical expertise. We must possess the soft skills to engage in meaningful conversations about business needs with the company’s leadership. The landscape isn't black and white; it’s filled with nuances and grey areas. Being influential leaders means helping our business executives make informed decisions in this complex environment, acknowledging and understanding the associated risks.
In the broader landscape of enterprise security, are there specific technological elements that your organization is prioritizing, apart from the conventional focus areas like endpoints and user education?
While focusing on securing endpoints and enhancing user education remains paramount, our industry is witnessing a perceptible shift toward cloud security, incident response within cloud environments, and API security. This change is substantiated by a growing body of evidence which indicates that issues related to the cloud and code security are becoming increasingly critical.
As we continue to harden workstations, servers, and networks, it’s incumbent upon us to extend the same rigor to our cloud-based infrastructure and internally developed software. Recent data breach reports suggest an uptick in attacks targeting software developed by in-house teams. Therefore, we must exercise due diligence in scrutinizing the security measures implemented in our internal code, along with ensuring the security of the data it accesses.
Talking about the next 12 to 18 months, how do you see the future of the space?
There are lots of vendors in the space purporting to address cybersecurity challenges, but the crux of the matter often lies in personnel training and development. For professionals accustomed to on-premises implementations, the transition to cloud-based security requires a comprehensive re-education to understand cloud environments' unique risks and vulnerabilities.
Some enterprises may have no alternative but to invest in retraining their existing workforce. Others, however, may be able to run dual teams—each specializing in either on-premises or cloud-based security. Regardless of the approach, both teams will also need to gain a deeper understanding of security risks related to internally developed software.
While specialized tools can undoubtedly assist in these endeavors, personnel training remains indispensable. The risk profiles of APIs, for instance, can differ substantially depending on their exposure levels. A nuanced understanding of these risks—a knowledge often gained from hands-on experience and in-depth training—becomes essential in devising effective security protocols.
What would be your advice for the budding professionals in the field?
Engaging in professional-grade coaching and mentoring is imperative for individuals with a penchant for leadership. Such programs can offer a comprehensive assessment of one’s leadership skills, specifically focusing on attributes often categorized under emotional intelligence or soft skills. The objective is to cultivate the aptitude for people-centric leadership.
Simultaneously, there is a need for deeply specialized technical experts—those at the architect level—to be not just proficient in their domains but also proactive in sharing their knowledge. Mentoring and advocacy should be inherent aspects of their roles, always with an eye toward succession planning. The fallacy lies in equating indispensability with job security—adopting an attitude that as long as one remains the ‘go-to’ individual, one’s employment is secure.
The more prudent approach is considering how one might succeed in a role, effectively training successors to take over. This ensures the organization’s resilience and provides the individual the latitude to explore new opportunities when appropriate. In essence, professionals should strive not to be a single point of failure within their organizations, safeguarding against leaving their companies vulnerable during their unexpected departure.