Jefferson Health is expanding its hiring scope and leaning on technology to manage the ongoing cybersecurity workforce shortage without sacrificing security.
The current healthcare cyber threat landscape demands strict, sophisticated security controls and constant monitoring.
But the ongoing cybersecurity workforce shortage has left many organizations scrambling to safeguard data and prevent cyberattacks with an overworked and short-staffed team.
Even before the COVID-19 pandemic and the Great Resignation, Jefferson Health noticed cybersecurity workforce gaps. The large health system, which serves the Greater Philadelphia area and Southern New Jersey, found that its cybersecurity needs were growing faster than local schools could generate new talent.
Mark Odom, vice president and CISO of Jefferson Health, knew that his team would need to pivot and reassess its security strategies to make up for gaps in the workforce.
“Obviously, not being able to cover all the bases in security is a significant issue,” Odom said in an interview with HealthITSecurity.
“It’s not a Jefferson issue, and it’s not a US issue—it’s a world issue that we’re all facing.”
By investing in entry-level talent, leaning on automated technology, and reducing burnout among current staff, Jefferson Health is tackling the cybersecurity workforce shortage head-on while still acknowledging that the industry as a whole has a long way to go.
A survey conducted by (ISC)² found that while the cybersecurity workforce gap narrowed for the second consecutive year, the global workforce still must grow by 65 percent to defend critical assets effectively.
A workforce shortage can result in employee burnout, as exemplified by the current nationwide clinician shortage. For IT and cybersecurity teams, the workforce shortage could cause remaining employees to be stretched too thin, allowing critical vulnerabilities and suspicious network activity to fly under the radar.
Log4j vulnerabilities also put significant strain on an already overburdened cybersecurity workforce, another (ISC)² report found. Because Log4j is so widely used, the vulnerabilities could have catastrophic security consequences for healthcare and other sectors if not patched immediately. As a result, the cybersecurity workforce had to work overtime to secure systems and mitigate risk.
(ISC)²’s survey of 269 cybersecurity professionals working closely with Log4j vulnerabilities and remediation efforts validated the severity of the vulnerabilities, “the fallout of which will not be known for months or even years to come.”
Along with technological implications, Log4j exposed the fragility of the cybersecurity workforce. Respondents reported sacrificing their vacation time and weekends to remediate Log4j vulnerabilities, which led to burnout and job dissatisfaction for some.
One in four surveyed cybersecurity professionals reported believing their organization was less secure while they worked to remediate the Log4j vulnerabilities. In addition, 23 percent of respondents said they are now behind on 2022 cybersecurity priorities.
The healthcare sector cannot afford these gaps. If network intrusions slip through the cracks and cyberattacks continue to increase, there could be serious impacts on patient safety and privacy.
“I would say the workforce gap is starting to impede some organizations’ ability to move forward,” Odom observed.
“I think we’ve kept up so far, but if we had not changed some of our strategies and leveraged some of these tools that are out there, we would find ourselves at a loss.”
“There is so much bright talent out there,” Odom noted. “Some of my best cybersecurity resources came to me without a cybersecurity degree.”
Along with the idea that an entry-level candidate must have a degree in or prior knowledge of cybersecurity, there are other glaring misconceptions about the skill sets needed to get a job in cybersecurity, Odom suggested.
“For instance, we scare a lot of these young practitioners off with the word coding, but probably only 25 percent of our staff really codes,” Odom noted.
Reducing the barriers to entry for the cybersecurity field is one way that Jefferson Health has been combatting the workforce shortage.
For example, on paper, a candidate with a business degree may not appear to be the best fit for a more technical cybersecurity role. But business degrees teach a great deal of risk management. With baseline business knowledge, an entry-level candidate can enter the cybersecurity field and pick up technical skills along the way.
Jefferson Health’s strategy now involves hiring entry-level candidates, training those individuals, and establishing runways to generate a talent pipeline. The goal is to help employees progress in their careers and see a future in cybersecurity.
“I would encourage everyone to open up those entry-level positions and start onboarding those trainees today,” Odom advised. “They will be your support tomorrow.”