As new threats continue to emerge, the lack of trained cybersecurity experts has become even more apparent. Our panel of cybersecurity experts discusses how they are bridging the talent gap within their organizations.
At our recent CISO Champions US event, our panel of information security experts discussed how to bridge the security talent gap and provide training and inspiration for cybersecurity teams.
Integrating Training Programs and Development Opportunities
Training is a vital part of helping to fill the cyber skills gap, boosting a cyber professional’s knowledge, and aiding their career progression. But with time and resource constraints – particularly during COVID-19 – it can be a struggle for employees to access the training they need.
In response, many organizations are turning to online training programs for employees. Elsewhere, there are opportunities for cross-training in different areas, under the guidance of different mentors.
“Everybody has different career paths and trying to introduce them to well-rounded professionals not only helps them get where they want to go, but it also keeps them engaged,” said Wallace Dalrymple, CISO, Emerging Markets, Blue Cross Blue Shield Michigan.
Similarly, Equifax BISO Michael Owens said it is important to take the lead from the employee. The important thing, he said, is for security leaders to have a conversation with employees to ensure they have a clear understanding of where the employee wants to be.
Identifying New Talent in An Increasingly Digital World
Managing and identifying talent in today’s socially distanced world can also pose problems for organizations. On top of the existing talent gap, they are denied important networking opportunities and even chance encounters with skilled professionals.
One way around this is for cyber leaders to be more flexible in their approach to hiring for specific roles. Indeed, many execs increasingly realize that it may sometimes be better to recruit a talented candidate, and then train them up in the specific skills they require.
“If I’ve got a resource that has a ton of experience in cybersecurity, and maybe they’re really focused on one niche area, and I’ve got another resource with not as much experience but they’re hungry for that knowledge – I’ll take this person, any day. Because they want to learn and they’re going to dig in,” said Marian Reed, Former Head of IT Security, Serta Simmons Bedding.
Similarly, Reed said that certifications are valuable, but employers are looking for well-rounded individuals more than anything. “I wouldn’t hang my hat on getting multiple certifications and not go after real experience or the opportunity that you can teach yourself a lot of things at home. I think you bring in both of those things together.”
Selling Cybersecurity as a Career
Universities play a huge role in supplying talent for the cybersecurity industry, and it is therefore important for organizations to develop relationships with those institutions. Organizations often find that graduates are extremely keen to learn and grow their knowledge, across all aspects of cybersecurity.
Owens said it is up to companies to reach out to the upcoming talent pool to provide a true picture of what a career in cybersecurity looks like. He said a career in cyber “may sound intriguing and look cool in the movies, but it may turn some people completely away from wanting to be in a space when they think of having to be in a windowless, dark area for 6-12 hours a day. So, we have to humanize it and talk about all the other aspects.”
Owens concludes: “Sometimes it’s dispelling myths and expanding their breadth of knowledge about what the industry really looks like.”
The Impact of Diversity and Inclusion Initiatives
As with every other industry, how to encourage more diversity and inclusion is a hotly debated topic within cybersecurity. There are numerous ways in which organizations are looking to introduce more diversity into the workforce.
Reed noted that there were many more women in cyber 10 – 15 years ago, and that it is up to organizations to ask whether they are providing the right opportunities. “I think too often we just were too narrow in our thinking that we just don’t provide those opportunities,” she said.
For his part, Owens pointed out that there are more companies implementing training around implicit biases.
“People have this natural instinct to hire people that look like them, or they have backgrounds in common or went to the same schools,” he said. “With that said, where are we recruiting these talents? What universities are we going to?”
He said that while diversity and inclusion training and awareness are important, it is up to organizations to widen their talent hunting grounds. “When we only go into MIT or Georgia Tech or Harvard or Princeton, we limit that pool down to just those people, which don’t have the same diverse pool.”
At the same time, organizations now realise that the more diversity they have in their workforce, the stronger they are.
This is confirmed by Dalrymple: “I am fortunate enough that nine out of my 17 security professionals are women: two African American women, one from Indonesia. I have learned a lot and it really can be understated the value that we get by bringing in a diverse workforce,” he said.
- Companies should encourage training across different areas of cybersecurity, under the guidance of different mentors
- Employers often value hunger for knowledge and keenness to learn cyber as much as niche specialism or certifications
- Cyber leaders must work with universities to recruit fresh talent, and dispel the myths around working in the industry
- Bias training is important for organizations, as is widening their talent hunting grounds to recruit a more diverse group of employees