4 Strategies to Find Cybersecurity Talent
Dave Stirling, CISO at Zions Bancorporation, isn’t waiting for a change in the talent pool or a major shift in the job market to solve the cybersecurity skills gap. Instead, he makes his own luck. How? By changing his hiring strategy, “by trying different things and seeing what sticks.”
This approach has led Stirling to hire candidates from the bank’s IT and operations staff, work with local colleges, invest more in training and rethink how he advertises open jobs. He acknowledges that such moves, even taken together, are not a silver bullet for the well-publicized challenges of finding, hiring and retaining employees. However, he says they are making incremental improvements in his ability to recruit and retain hard-to-find cybersecurity talent.
This is an encouraging trend, given the statistics on the cybersecurity skills gap. ISACA’s State of Cybersecurity 2022 report sets the scale of the challenge. According to its survey of more than 2,000 cybersecurity professionals, 63% have unfilled cybersecurity positions (up eight percentage points from 2021) and 62% say their cybersecurity teams are understaffed. Meanwhile, 20% said it takes more than six months to find qualified cybersecurity candidates for vacancies, and 60% reported difficulty retaining qualified cybersecurity professionals (up seven percentage points from 2021).
At the same time, cybersecurity leaders say they need not only to fill existing positions but also to add roles to their teams, because of the growing attack surface within their organizations and the increasing number and complexity of attack attempts. These dynamics prompted Stirling to be nimble, and others are likewise trying new tactics.
They report success. “We have to make some very deliberate changes in how we look for resources and how we build the human capital for security,” says Lamont Orange, CISO at security software maker Netskope.
Here are four strategies that Stirling, Orange and others use to find and retain cybersecurity talent.
1. Formulate better security job descriptions
Jonathan Fowler has taken steps to address the recruitment challenges he faced as CISO at technology company Consilio. One of his strategies targets the job descriptions he uses for recruitment. He says he found that the job descriptions his company used to fill open positions described what the ideal candidate would be and the tasks they would perform, usually in a long and often unrealistic list. So he and his team rewrote the narrative, creating job descriptions that describe what a “really great employee does on a daily basis.”
“It’s really about leveling. It’s about saying, ‘What do I need?’ What absolute essential tasks do I need done? Then moving on from there,” says Fowler, adding that the new approach “brings in people who might not have applied for the job before because there were one or two assignments [listed] which they had never done before.”
Stirling also rewrote job descriptions as part of his multi-pronged strategy to address recruitment challenges. A few years ago, he and a team of managers began revising job descriptions to create more succinct narratives. Or, he says, “to distill them and remove the fluff.”
Stirling says he came to realize during this process that job descriptions usually describe the individual who most recently held the position. This meant, particularly for people who left jobs they had outgrown, that the job description went beyond what was actually required to do the work. It also meant that the candidates who applied tended to mirror the previous employee, which Stirling found hampered efforts to attract more diverse talent.
Drawing on research into recruitment best practices, Stirling says he and his managers eliminated unnecessary requirements and phrases that would lead qualified candidates to self-select out of applying. For example, Stirling and his team used “strengthen” rather than “enforce,” and “collaborate and communicate” rather than words denoting command and control. These changes, Stirling says, better reflect the needs of his security department while appealing to a broader group of candidates.
“It was a noticeable change when we did all that, and we found that we had qualified people who might not have applied before,” he adds.
2. Expand the security talent pool
Some CISOs have gone even further: they have reviewed what they want in candidates, opted for change, and even dropped some of the requirements traditionally attached to cybersecurity roles.
Joanna Berkey, CISO at HP, is one of them. She announced her shift in a LinkedIn post, declaring, “I’ve given up on my degree requirements.” She wrote: “I’ve learned that we need to be more flexible when it comes to hiring cyber talent. We require a diverse range of experience levels and a more diverse talent pool that includes people moving from other industries, historically disadvantaged populations, workers without traditional degrees and people with transferable skills interested in making a difference later in their careers.”
Berkey isn’t just giving up on degree requirements; she says she is also “open to, receptive to, and even encouraging of experience that is not limited to cyber.” These moves have helped her expand her pool of candidates, she says, and attract individuals with diverse educational backgrounds but no degrees, military veterans, and experienced workers with years of on-the-job insight.
Berkey stresses that her hiring decisions don’t lower standards. In fact, she says, they have the opposite effect: they help her reduce organizational risk and enhance her company’s resilience by ensuring that she has a full pool of qualified talent with a variety of experiences and ideas. She says, for example, that she needs workers who understand business strategy, finance and operations (and who can be trained in security) so that they can identify weaknesses that need attention and better align security strategies with business goals. “They bring knowledge of the areas we need to protect,” she adds.
3. Build a stronger pipeline for security talent
Travis Gibson, chief technology officer and CSO of the Big Brothers Big Sisters of America, took a similar approach. He says he’s rethought how much experience is required for roles as well as whether a college degree is necessary for all jobs. As he notes: “It doesn’t make sense to have an entry-level position that requires at least two years of experience.”
This stance allows Gibson to view his organization’s IT workforce as a viable pipeline for the security team. “They are adjacent to security for most of their careers,” he says, adding that many IT workers are interested in transitioning to security.
Gibson admits that it’s not easy to find talent in the IT field, either. But he says the statistics show that hiring IT workers is not as difficult as hiring security professionals. He also points out that it is critical for security chiefs like him to have a good relationship and a coordinated approach with IT leaders so that hiring from IT is not seen as poaching.
Furthermore, he says hiring from IT, as well as removing experience and education requirements, requires a commitment to training and career development. To this end, Gibson says he and his managers develop training plans when they identify promising candidates so those workers can successfully transition to security.
Gibson says he has used this strategy to fill about 20% of the positions on his security team over the past several years. The strategy also allows him to fill positions faster than if he had gone to the job market. “Plus, you end up with multidisciplinary skills on the team,” he adds.
Other security leaders are similarly looking for ways to build a better pool of security talent. For example, professional services firm Deloitte & Touche is working with the Flatiron School to create new cybersecurity professionals. “We’re looking to create a showcase – net new talent,” says Deborah Golden, Lead Cyber Risk and Strategy at Deloitte.
Applicants apply for admission to Deloitte’s Cyber Career Accelerator program; the company covers the cost of a nine- to 12-week cybersecurity training program. So far, Deloitte has put three cohorts through the training. Golden says the company has offered positions to a “significant percentage” of each cohort, and that 99% of those offers were accepted.
Orange, the Netskope CISO, is also building his security talent pipeline through on-the-job training and initiatives with colleges and universities in the region. For example, he and his team work with professors to select students for semester-long, for-credit classes that pilot cybersecurity training and are followed by an internship at Netskope.
Orange also expands mentoring and shadowing opportunities, and he brings real-life, case-study-style security lessons to colleges so that more students are ready for a career in cybersecurity when they graduate.
4. Improving the work environment
Bringing talent in the door is only half the equation; the other half is retaining security workers, and it is a similar challenge. The Info-Tech Research Group’s Security Priorities Report 2022 asked IT and security leaders to identify their top security priorities and the key obstacles to security success in 2022. The talent pool topped the list in both categories. About 30% named talent acquisition and retention as a top priority, making it the most-cited priority (ahead of ransomware protection and response and securing a remote workforce). And 31% cited staffing constraints as the main obstacle.
Isabel Hertanto, principal research director for the security and privacy practice at Info-Tech, says CISOs should engage their business peers early and often so that they can anticipate what security skills will be needed, when, and how best to obtain those skills. As she explains, this strategic approach also lets CISOs choose external partners that best complement their internal team.
“It’s thinking about how an MSP [managed service provider] can support your existing team in ways that mitigate the risk of losing them,” says Hertanto. An MSP, for example, can pick up routine tasks that the internal team finds mundane or distracting. This gives employees more time for higher-value, engaging work and more time to learn new and more advanced security skills.
Many security leaders echo this perspective. They say providing a workplace where security teams have the right level of tough work but without constant fatigue is critical to their retention. “People are leaving their jobs because they are not doing well at a company or because they are not being cared for,” says Deidre Diamond, founder and CEO of CyberSN, which provides search and recruitment services to the cybersecurity profession.
To address this, Diamond says she advises CISOs to organize their teams so that managers have the bandwidth to actually manage, that is, time to provide feedback, advice and training. She says she also advises information security managers to set realistic workloads for each position. “It means one job per person, not two jobs per person, which is what is happening now,” she says, acknowledging that it is a challenging but necessary task to prevent the burnout that drives workers out the door.
Copyright © 2022 IDG Communications, Inc.