With three years at the helm of the world’s largest industry membership body, Rosso is well placed to summarise the risks and opportunities that face the infosec sector.

Addressing the ISC2 community – which now comprises 600,000 members – Rosso said the cybersecurity profession is going through ‘tremendous change”.

Ransomware, phishing, malevolent AI, and social engineering remain the top cyber risks facing companies, she said.

Woefully understaffed
Rosso highlighted that company security departments are chronically understaffed globally.

“Professionals tell us that the threat landscape is the worst it's been in five years," she said, speaking at the ISC2 Security Congress on Wednesday in Nashville, Tennessee.

"People outside the business are always surprised when I tell them the top cyber risk globally is the lack of a qualified workforce."

The good news is the global cyber workforce has increased to 5.5 million professionals  – an increase of 8.7 percent on 2022, according to a survey of over 11,000 participants globally by ISC2.

The not-so-good news is that there is still a cyber workforce gap of 4 million unfilled positions. And despite this stark figure, the ISC2's 2023 poll shows that almost half (49%) of cyber business leaders expect their teams to be downsized in the next year.

“Given these shortages, how can staff be expected to keep up with the changing threat landscape?” Rosso asked.

Hire for attitude and aptitude
ISC2 is playing its part by running its One Million Certified Cybersecurity programme – free online self-paced training and exams for one million people around the world. To date, 30% of those who have taken the course are already  in employment.

Rosso said companies need to put a laser focus on cyber recruitment by investing in training and diversity initiatives, providing flexible working, and hiring for aptitude and attitude.

“Our members are telling us that they are hiring more entry level people and bringing them on for the journey,” she said.

Companies are also implementing job rotational assignments, creating ad-hoc mentorship programmes, and looking out for cyber talent in wider company departments, Rosso added.

Quit the blame
To make the cyber world a better place to work, Rosso called for more inclusive company environments where everyone is heard and cross-employee inputs are sought.

“If you’re working remotely that means investing in relationships with team members and managers. If people don't have good relationships within their teams – they leave. We can’t afford to lose good cyber staff and be vulnerable amidst an expanding threat landscape.”

Rosso also urged companies to stamp out blame culture. “One of the best ways you can stop blame culture in an organisation is to make sure it's not happening in your own team. And quit throwing blame over the fence too, or at the person who clicked the phishing email.”

Rosso highlighted cloud security and AI as massive recruitment pain points for cybersecurity.

“Nearly half of cybersecurity professionals currently say they don't know anything about AI," she said, citing ISC2 research

“The good news is I think this is providing an inflection point for us. For those who have worked in infosec for a few decades, you’ll remember when it was in the back office and nobody talked about it. To the boards we were just kind of irritants that spent money… well, I tell you, AI will change all that."

She continued: "The rapid advancement of AI threats mean that organisations will be propelled to see the value of cybersecurity. We will be invited to the board table. There will be no more hustling for cybersecurity leaders as our worth will be seen within our organisations,” she said.

“Today, everyone agrees that AI is at the heart of our future. And everyone also agrees that cybersecurity is the heart of AI. This is the inflection point. We know how to secure technology, we’ve got the super powers, and this is our day in the sun.”