Owning Our Cyber Talent

Jul 5, 2021 | Leadership, Management, Strategy, Workforce

Growing our cyber talent is on the minds of every cybersecurity leader. We are all dealing with the workforce shortage problem. So we are all constantly struggling to staff our organizations with talented cybersecurity professionals.

If you believe what is reported in the workforce surveys published each year, industry is not to blame. According to survey findings, blame for this ongoing, global crisis rests almost exclusively with the academic and training institutions.

If this sounds a bit ludicrous… it should. Because it is.

Regardless of your industry or organization, building organizational talent is a leadership function. Cybersecurity is no different. The problem is, some are trapped in a fixed mindset that says, “I can only afford to hire experienced, certified professionals.”

The responsibility for building cyber talent is ours. 

If we want our workforce woes gone, we have to own the problem. Which means owning the outcomes. 

Here are three strategies we’re using in my organization to “own our cyber talent”.

Proactively recruit for cyber talent.

Like everyone else, we recruit and hire in response to business needs. These needs are both known and anticipated. In both cases, we are working to fill “known gaps”. But the problem is that, most times, we find ourselves in a “must hire” situation. And “must hire” situations are undesirable because they limit options, especially any option that includes building for the future, which is the only viable way organizations can fix a workforce gap.

We’re making a concerted effort to minimize our reactive recruiting and move intentionally towards a proactive approach. This requires a continuous focus on acquiring emerging talent before we need it. With this approach, we are able to leverage lower-cost, slower-paced OJT to teach the skills we want and develop the talent we need.

Plus, not being in “must hire” mode allows us to be much more selective about the talent we want. Which is the next piece.

Stop using certifications as a talent “gold card”. 

This is a biggie. Being credentialed is not the same as being talented. Nor do credentials ensure an organizational fit, or provide any realistic forecast of success. For a great perspective on this, read any of Christian Espinosa’s publications that discuss “paper tigers”.

My own experiences are full of examples of paper tigers. I’ve hired a few, and have had a few for customers. And while the email signatures were quite impressive, what they brought to the party left a lot to be desired. Minimizing the risk of hiring, or worse, creating paper tigers requires a clear understanding of what talent is for your organization. The first step is breaking free from the reliance on certifications to define your talent needs.

Today, we continuously define & refine what talent “looks like” for us. Having this clearly in front of us allows us to accurately recognize and select the emerging talent we’re searching for.

Maximize your ROI for talent development.  

This is probably the biggest. In my opinion, not enough cybersecurity leaders consider return on investment when deciding how to invest their portion of the company’s training budget. Conferences and add-on certs might seem like good choices, but in my experience, rarely can we trace the benefit from attending these to a specific business goal or objective. So the actual ROI to the company from these expensive, one-off investments is marginal at best.

The approach we’re adopting is to use a mix of i) near term business needs, ii) our own organizational needs, and iii) the employee’s career objectives, to guide our decision making.

Clearly, investing in workforce development that ties back to business needs is essential. But ignoring our own organizational needs only complicates the talent management process, especially when we suffer a loss or face unusual growth. Having a clear understanding of the talent we have on staff, and comparing it to our near and mid term needs, allows us to prioritize and make good investment decisions.

Lastly, don’t forget to find a way to measure the “return” you generate. It will prove invaluable for increasing your training budget next year.


About Greg Sweeney
I'm a cybersecurity leader and futurist. I write about the future of cybersecurity leadership, culture, and workforce strategies; exploring what our future can look like if certain ideas, approaches, and trends actually happen.

