Reflections on a week with inspiring cybersecurity leaders
Having wrapped up the week at an onsite conference, I wanted to share some reflections from the Cyber Future Foundations Cyber Talent Week (https://cyberfuturefoundation.org/ctw2022.html). Thinking about the challenges we have in tackling the demand for cybersecurity talent to fill some of the millions of unfilled jobs, some focus areas emerged, and the solutions required all stakeholders to take part. To solve the talent-gap crisis facing the cybersecurity industry, we will need to take a multi-faceted approach from the employers, candidates, and the educational system that supports them. Based on the scale of the problem, I am going to break down the solutions into phases for the short-term, long-term, and the next generation.
In the short term, most of the gap comes from employers whose demand for talent does not seem to be getting filled. We would encourage employers to start by re-examining their job descriptions to prioritize the problems that need to be solved and include the skills, competencies, and abilities to help solve those problems. Then, prioritize internal training and continuous education processes to develop all the other nice-to-have skills and aptitudes you can teach candidates over time. This focus on the problem to be solved opens up the apparatus to new diverse groups of talent from other workforce sectors interested in solving those types of issues and a retainment mechanism via continuous education and training. Additionally, for employers, do not overlook the existing stakeholder in your organization from the business lines who would be interested in these roles. Promoting from within and encouraging internal mobility does excellent for retention and culture.
On the candidate side, start with narrowing down the problems you would like to solve and the roles you would be interested in pursuing. Having a broad job search scope hurts your ability to articulate your value to employers. Focus on areas of passion that help you achieve your longer-term goals; network with peers and hiring managers; demonstrate and document your abilities in areas where peers and hiring managers are likely to see them.
For the long-term, companies need to work on developing effective talent development pipelines so that they can start to ingest junior candidates while working with educational institutes to help work on ways to provide them with continuous educational programs based on the needs of the organizations in the general area. We do not need to reinvent the wheel. Some frameworks have already been developed. The government has already generated remarkable frameworks from the NIST NICE Workforce Development Framework (https://niccs.cisa.gov/workforce-development/cyber-career-pathways), National Centers of Academic Excellence in Cybersecurity (NCAE-C) (https://www.nsa.gov/Academics/Centers-of-Academic-Excellence/), and international examples like SFIA (https://sfia-online.org/en).
Companies can work with educational institutions on what else they might need to add to help fill their needs or develop those resources in coordination with the institutions and let them provide them to the community. With talent pipelines, companies can create paths with consistent levels of developed skills, knowledge areas, and proficiencies that allow candidates to see pathways for progression. They can start to open up the hiring aperture to a more diverse set of candidates with a foundational set of competencies transferable to various career verticals.
A great example of this is the NSA Apprenticeship program with CSUSB (https://www.csusb.edu/inside/article/550111/csusb-awarded-million-grant-create-cyber-apprenticeships), or working with other companies like CyberUp (https://wecyberup.org/) that can help the organization create apprenticeship programs. These programs can help bring in junior talent and continuous education programs to get them ramped up. Candidates can work to highlight their skills, passions, and competencies through constant learning themselves and showing employers how they solve business problems through working with the technologies that employers are using and demonstrating their use of them on the scales available with an approach that can later be scaled to meet the organizational needs. Network with those in the field; this can be in platforms like LinkedIn and the informal platforms created by the communities in Discord, Slacks, and other organic communities that focus on the problem set (think cloud, application security, infrastructure security, etc.).
For the next generation, we will need increased partnerships between companies, government, and educational institutions to develop a minimum standard of aptitude through skills, knowledge areas, and hands-on competencies that produce a workforce that will be readily available and effective for employers. It does not end there; the partnership continues with a continued development journey for candidates supported by employers through on-the-job training and continuous education. For this partnership to be effective, you need to ensure that you are serving communities large and small with this training and education, while they might need investments in additional access to technology and infrastructure and awareness training to the communities as to the value of this career. Just because someone might have access to training and education does not mean that the students or the communities see the value in that career path as valuable to generating value for their community. Some great examples of this I have seen include some Cloud Service Providers (CSPs) who work with the local school districts to provide them with increased resources for curriculums like computer science, development, AI, and cybersecurity. On the employers’ side, with the improved job descriptions focused on the problems that need to be solved vs. a long list of requirements that seem only to screen out candidates, they can attract candidates from different domains who are attracted to solve those types of the problem set. Most of the skills that cybersecurity employers have stated are essential to them usually include curiosity, communication, persistence, and the foundation of technical skills like cloud technologies, networking, and application security.
As we look to take action on these outputs, we need to focus on the talent of today with how companies can utilize the diverse talent already available to them and continue to develop them; for the talent tomorrow, we should build talent pipelines via apprenticeships and internal talent pipelines; for the skill of the next generation, we need to drive awareness for the career path and value proposition to the community along with developmental programs from K to Grey. There need to be a holistic partnership between businesses, government, and educational programs.
I am a career coach focused on helping senior cybersecurity leaders develop themselves to help achieve excellent results and the success they are looking for in their career. Feel free to reach out to me at firstname.lastname@example.org.