Developing security talent and teams: A roundtable discussion

January 18, 2021 by Cyber Pop-Up

During the Infosec Inspire Cyber Skills Summit, we had the chance to gain valuable insights on developing talent from a panel of leading cybersecurity professionals. The conversation included: 

  • Danielle Santos, Program Manager at the National Initiative for Cybersecurity Education (NICE)
  • Karl Sharman, Head of Cyber Solutions and Consultancies at Stott and May
  • Leo Van Duyn of Cybersecurity and Technology Workforce Development Strategy at JPMorgan Chase & Co.

We've gathered some of the highlights from an illuminating round of questions and answers.

Recruiting strategies are only part of workforce management. Employee retention and churn are big factors as well. From a practical point of view, how long does it take and how much does it cost to get someone hired and onboarded?

Video: Hiring and training a new employee can cost more than $16,000

Karl: The average tenure within cybersecurity is about 18 months leading to increased costs associated with more frequent hiring efforts, training and onboarding. Sometimes, this turnover is uncontrollable. To proactively reduce the impact, have a succession plan and pipeline of resources lined up for replacement if needed.

Leo: Reduce churn and associated costs by assessing the skills you have in-house and where your employee strengths reside. Then, analyze how their existing skills fit into roles across the entire company, even beyond cybersecurity. Empower employees to craft their career paths to growth internally before they even think about leaving.

Through the process of identifying what human skill asset you have internally, you can also gain insight into where the gaps are. Then establish processes for hiring to fill the gap. As you hire to fill these gaps, conduct skills assessments and culture assessments to ensure you have a constant way to assess and bring in the right talent. Be sure to work with your HR talent acquisition group to identify candidates who are good fits and keep them on the radar whether they’re a good candidate for a current role or future opportunities. 

What kind of mentorship programs do organizations offer to help upskill junior or inexperienced members of staff?

Karl: Solving the talent shortage is all about the upskilling and development of talent. Focusing on this leads to increased productivity and better performance from employees. Seasoned employees can connect with those early in their careers to foster a collaborative environment where employees can learn from each other. There is also value in having teammates at the same level partner to share ideas and bring diverse perspectives to initiatives.

Danielle: Create opportunities for organic mentorship. For example, by creating general communities and groups focused on specific demographics, such as women’s or LGBTQ groups, mentoring relationships inherently grow out of them. In terms of upskilling, leverage workforce management groups and apprenticeship programs to help people who are not in cybersecurity re-skill and transition into the industry. Mentoring is a critical part of this journey, and it’s helpful to partner with nonprofits that are already creating these mentorship programs.

One of the biggest problems in cybersecurity employment is the concern that the industry is siloed. The NICE Framework addresses this and aims to standardize roles across the industry. Is this being taken up and are we seeing any progress within the industry?

Video: How cybersecurity work roles are being standardized

Danielle: Growing and sustaining global cybersecurity talent requires standardization. The NICE Framework provides a unified way to view and discuss the cybersecurity workforce, create career pathways and develop talent. At least 30 large corporations have endorsed the movement, and the NIST group continues to enhance the program to meet growing needs in niche areas, such as operations technology.

Leo: NICE is a great resource for understanding how someone’s background and life experience translate into cybersecurity roles. This is especially helpful for people who have non-traditional experiences, such as being self-taught. In addition, though NICE was built for application in cybersecurity, it can apply to other domains beyond cybersecurity. As you adopt the Framework, think about how it can be leveraged broadly across other areas of the organization (such as technology) and even internationally.

Karl: Many industries are struggling with talent challenges, and the NICE Framework helps break down barriers. An aspiration we should look to as we adopt the framework is whether we can standardize things enough to effectively hire without job descriptions or a resume. A resume is not enough to judge talent, and people can be biased. The NICE Framework can help us overcome that challenge. 

What can organizations do to make sure bias isn’t injected into job descriptions and hiring processes?

Karl: The language included in job descriptions is important. Different groups have different interpretations of job requirements and qualifications, and it’s important to ensure bias does not impact this process. When you have nine different interviewers involved, for example, everyone has different preferences in personalities, skills and more. To control this, make job description language crystal clear, establish standard grading systems for evaluating candidates and train interviewers on the process to reduce bias. Establishing this level of consistency requires a solid framework, and NICE is a good place to start.

Danielle: Bias can come in many different forms, and the Framework is continually improved to remove this as much as possible. For example, NICE doesn’t list specific software or technologies, and region-specific regulations are avoided. This is intentionally done to reduce bias. 

For organizations planning to use the NICE framework for the first time and map out job descriptions, what do you recommend?

Leo: NICE gives you a good starting point, but HR and management teams must be on board. The real benefit is in engaging subject matter experts (SMEs) in the process to help you map your jobs out. The challenge is that the Framework can be very overwhelming, especially to those who aren’t cyber experts. Set a very focused scope on how you want to apply the Framework to your organization before looping in SMEs. 

Given the human resources challenges in cybersecurity, are there any free resources for training and certification?

Danielle: The NICE website has a useful page for people looking for resources. It includes links to low-cost or free cybersecurity learning content, as well as a Frequently Asked Questions page with advice on free scholarships and low-cost programs. 

Addressing the challenges impacting cybersecurity talent pipelines can seem like a near impossible feat to solve. However, standardized frameworks, like NICE, are making it easier for organizations to speak a consistent language when it comes to cybersecurity talent efforts. This inherently fosters consistent hiring processes, reduces bias and leads to more streamlined hiring, engagement and retention of employees. 

To hear our experts in their own words, watch the entire conversation here.

Cyber Pop-Up

Cyber Pop-up connects businesses to on-demand cybersecurity services powered by an army of vetted and highly skilled experts. Cyber Pop-up’s unique twist on freelancing, tailored to the cybersecurity industry, provides businesses of all sizes with an experience that is trustworthy, flexible and efficient.