Dave Stirling, CISO of Zions Bancorporation, isn’t waiting for a shakeup in the talent pool or some big shift in the job market to solve the cybersecurity skills gap. Instead, he’s making his own luck. How? By changing up his own staffing strategy, “by trying different things and seeing what sticks.”
That approach has Stirling recruiting candidates from the bank’s IT and operations staff, working with local colleges, investing more in training and rethinking how he posts open jobs. He acknowledges that such moves, even when taken all together, aren’t a silver bullet to the well-publicized challenges in finding, hiring and keeping staff. However, he says they’re making incremental improvements in his ability to recruit and retain hard-to-find cybersecurity talent.
That’s an encouraging trend, given the statistics about the cybersecurity skills gap. The professional governance association ISACA in its State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations quantifies the challenge here. According to its survey of 2,000-plus cybersecurity professionals, 63% have unfilled cybersecurity positions (up eight percentage points from 2021) while 62% have understaffed cybersecurity teams. Meanwhile, 20% say it takes more than six months to find qualified cybersecurity candidates for open positions, and 60% report challenges retaining qualified cybersecurity professionals (up seven percentage points from 2021).
At the same time, cybersecurity leaders say they need to not only fill existing positions but increase the number of roles on their staff due to the increasing attack surface within their organizations as well as the growing number and sophistication of attack attempts. Those dynamics spurred Stirling, and others, to try new tactics.
They’re reporting success. “We have to make some very intentional changes in how we look for resources and how we build security human capital,” says Lamont Orange, CISO at security software maker Netskope.
Below are four strategies that Stirling, Orange and others are using to find and retain cybersecurity talent.
1. Craft better security job descriptions
Jonathan Fowler has likewise been taking steps to counteract the staffing challenges he has encountered as CISO at tech company Consilio. One of his strategies targets the job descriptions he uses to recruit. He says he found that the job descriptions his company had been using to fill open positions described what an ideal candidate would have and what tasks they’d be performing. It was usually a lengthy and often unrealistic list, he says. So he and his team rewrote the narrative, creating job descriptions that described what “a great employee really does on a daily basis.”
“It’s really about level-setting. It’s about saying, ‘What do I need? What are the absolute basic tasks that I need done?’ and then going from there,” Fowler says, adding that the new approach “brings in people who may not have applied for the position before because there were one or two duties [listed] that they’d never done before.”
Stirling also rewrote job descriptions as part of his multiprong strategy to address staffing challenges. A few years ago, he and a team of managers started to review job descriptions to create more concise narratives. Or, as he says, “to distill them down and remove the fluff.”
Stirling says in the process he realized that job descriptions typically described the individual who most recently had the position. That meant – particularly for those vacating jobs they’d outgrown – that the job description overshot what was needed to actually do the work. The practice also often meant prospective candidates who did apply mirrored the prior worker, which Stirling found hindered efforts to attract more diverse talent.
Using research into recruitment best practices, Stirling says he and his managers eliminated superfluous requirements and phrases that would encourage qualified candidates to self-select out of applying. For example, Stirling and his team used “foster” instead of “enforce” and substituted “collaborate and communicate” for words implying command and control – changes that Stirling says better reflected his security department’s needs while also appealing to a wider candidate pool.
“It was a noticeable change when we did all that, and we found that we had qualified people who maybe wouldn’t have applied before,” he adds.
2. Broaden the security talent pool
Some CISOs have gone even further: They’re reviewing what they want in candidates and opting to change and even reduce some of the requirements conventionally sought in cybersecurity hires.
Joanna Burkey, the CISO at HP, is one of them. She publicized her move in a LinkedIn post, declaring “I ditched degree requirements.” She wrote: “I learned that we need to be more flexible when it comes to hiring cyber talent. We require a variety of experience levels and a more diverse talent pool that includes people moving from other industries, historically underserved populations, workers without traditional degrees and people with transferable skills interested in a change later on in their careers.”
Burkey isn’t just ditching degree requirements; she says she’s also “open to, receptive to and even encouraging experience that isn’t cyber specific.” These moves have helped her broaden her candidate pool, she says, attracting individuals who have varied educational credentials but no degrees, military veterans as well as experienced workers with years of on-the-job insights.
Her staffing decisions don’t lower standards, Burkey stresses. In fact, she explains, they have the opposite effect: they’re helping her reduce organizational risk and boost her company’s resiliency by ensuring she has a full complement of qualified talent with a diversity of experience and thought. She says, for example, she needs workers who understand business strategy, finance and operations (who can be trained in security) so they can identify weak spots that need attention and better align security strategies to functional objectives. “They bring in knowledge of areas we need to protect,” she adds.
3. Build a stronger security talent pipeline
Travis Gibson, CTO and CSO for Big Brothers Big Sisters of America, took a similar approach. He says he rethought how much experience he required for roles as well as whether a college degree was necessary for all positions. As he notes: “It doesn’t make sense to have an entry-level position require a minimum of two years’ experience.”
That stance allows Gibson to look at his organization’s IT workforce as a viable pipeline for the security team. “They’re security-adjacent for most of their careers,” he says, adding that many IT workers are interested in moving into security.
Gibson acknowledges that IT talent isn’t easy to find, either. But he says statistics show recruiting IT workers isn’t as hard as hiring security pros. He also notes that it’s critical for security chiefs such as himself to have a good relationship and a coordinated approach with IT leaders so that recruiting from IT isn’t seen as poaching.
Moreover, he says recruiting from IT as well as removing experience and education requirements necessitates a commitment to training and career development. To that point, Gibson says he and his managers develop training plans when they identify promising candidates so those workers can successfully make the move into security.
Gibson says he has used this strategy to fill about 20% of the positions on his security team in the past several years. The strategy also lets him fill the positions faster than if he’d gone to the market to hire. “Plus, you end up with multidisciplinary skills on the team,” he adds.
Other security leaders are likewise finding ways to build a better pipeline of security talent. For example, professional services firm Deloitte & Touche is working with the Flatiron School to create new cybersecurity professionals. “We’re looking at creating a supply – net new talent,” says Deborah Golden, the U.S. cyber and strategic risk leader at Deloitte.
Applicants apply for admission to Deloitte’s Cyber Career Accelerator; the company covers the cost of the nine- to 12-week cybersecurity training program. So far, Deloitte has had three cohorts go through training. Golden says the company offered a “large percentage” of the cohorts positions at the firm. “And of those, we have had a 99% acceptance rate.”
Orange, the Netskope CISO, is also working to increase the pipeline of security talent through on-the-job training and initiatives with area colleges and universities. For example, he and his team work with professors to identify students to enroll in for-credit, semester-long classes with experiential cybersecurity training, followed by an internship with Netskope.
Orange also promotes mentoring and shadowing opportunities. He brings real-world case study-type security lessons to colleges to ensure more graduates are ready to work in cybersecurity when they graduate.
4. Improve the workplace environment
Bringing talent in the door is only half the equation; keeping security workers is the other part, and it’s equally challenging. Info-Tech Research Group for its 2022 Security Priorities Report asked security and IT leaders to name their top security priorities and their main obstacles to security success in 2022. Talent topped the list in both categories. Some 30% listed acquiring and retaining talent as a top priority, making it the most cited priority (ahead of protecting against and responding to ransomware and securing a remote workforce). Some 31% cited staffing constraints as a top obstacle.
Isabelle Hertanto, principal research director for the security and privacy practice at Info-Tech, says CISOs should engage their business colleagues early and often so they’re able to anticipate which security skills will be needed, when, and how best to source them. As she explains, this strategic approach allows CISOs to select outsourced partners who better complement their in-house team.
“It’s thinking about how an MSP [managed service provider] can bolster your existing team in ways that could mitigate the risk of losing them,” Hertanto says. The MSP could pick up, for example, the routine tasks the in-house team finds mundane or distracting. That gives staffers more time for higher-value engaging tasks and more time to learn new, more advanced security skills.
Multiple security leaders echo that perspective. They say that providing a workplace where security teams have the right level of challenging work but without being constantly overwhelmed is critical for retention. “People leave jobs because they’re not well matched at a company or because they’re not being taken care of,” says Deidre Diamond, founder and CEO of CyberSN, which provides research and placement services for the cybersecurity profession.
To counteract that, Diamond says she advises CISOs to organize their teams so that managers have the bandwidth to actually manage their teams – that is, they have the time to provide feedback, advise and train. She says she also advises CISOs to have realistic workloads for each position. “That means one job per person, not two jobs per person, which is what’s happening now,” she says, acknowledging that it’s a tall order but it’s essential for preventing the burnout that drives workers out the door.
Copyright © 2022 IDG Communications, Inc.