• At a recent Orange Cyberdefense analyst event, the company addressed (among other things) the familiar topic of the skills shortage in cybersecurity
• In doing so, it illustrated ways in which it might turn this fundamental market challenge into an advantage
The theme at Orange Cyberdefense’s recent analyst event was combining the best of both human and technology resources, so it was no surprise that the inescapable cybersecurity skills shortage was a featured topic alongside sessions dedicated to strategy, portfolio, and innovation. Without directly saying so, the managed security service provider (MSSP) is clearly trying to turn this global challenge into an advantage – at least in France, where it can claim market leadership with only about a 15% share due to a highly fragmented environment involving hundreds of solution providers.
With its strategy for retraining and recruitment well underway, Orange Cyberdefense has managed to increase the size of its team despite the people shortage and its associated side effect of high turnover among qualified employees. With 100 Orange employees upskilled and recruited by its own Cyberdefense Academy since 2017, plus the addition of 300 new external recruits in 2018, the group’s security business now has 1,300 “humans” on board.
This progress so far is a result of identifying ways to play on its existing advantages while also figuring out what matters to professionals in the wider security community. With regard to the former, Orange leverages its own community to the extent that nearly one-third of new hires are coming via employee referrals. And with regard to the latter, it is figuring out what it takes to be an attractive destination for human talent, offering incentives such as professional/technical certification programs and plenty of interesting and challenging projects to work on, and providing an overall positive environment where the sharing of ideas and best practices is encouraged.
Another angle Orange has taken is to partner with Microsoft on some of these same efforts. The global vendor has its own HR challenges in France, but is addressing the issue with outreach and education that goes beyond its own organization. It is developing a curriculum on Windows 10 security, Active Directory security, and cloud security, and is training external students and its own employees on identity security and on responding to Active Directory attacks. Orange employees are among those taking advantage of the training, and a number of current students in the program will be taken on early next year for practical internships in Orange Cyberdefense.
For all its efforts, Orange Cyberdefense still must cope with an employee turnover rate of 12-15%. The good news? That’s actually much better than the industry-wide rate, which is at least 20%. Next year, the company will extend its efforts to the entire Orange Group community, developing an expert pool of thousands of employees to drive referrals and internal recruitment, promoting its new Orange Cyber Campus, and rolling out a Women in Cyber program to further develop the skills pool internally and externally.
Beyond attracting and retaining human talent for its own organization, Orange also emphasized ways it can leverage those valuable human assets with clients (that is, beyond the traditional managed and professional services it normally provides) to help them overcome the skills shortage. For less mature customers, the obvious initial support is consultancy on risk assessment and strategy, but it can also provide a CISO as a service (or a compliance officer who sits next to the customer’s CISO). For more mature customers, it’s more about traditional managed services and offering an outsourced alternative for “make or buy” decisions, or providing functions they can’t (or don’t want to) do in-house. Some of these examples are more innovative than others from an MSSP portfolio perspective, but they do support Orange’s efforts to make the most of the challenges the industry faces from the skills shortage (and help it to further promote its positioning around the digital and human touch).