Wednesday August 2nd - 5:00 PM (UTC)

Solving the Cyber Talent Shortage with Skills-Based Hiring


Learn how to incorporate skills-based hiring and career pathways into your talent strategy by joining Lightcast’s VP of Applied Research Will Markow and Helen Patton, former CISO at Cisco and former Executive Director for JPMorgan Chase, as they answer the question:

How does a company invest and grow their talent pipeline when facing a talent shortage?

Time Stamps:

Intro - 0:42

What is the current state of the cybersecurity workforce, and what are some challenges? - 3:04

What can a company do to develop their pipeline? - 9:39

How can employers develop their workforce with skills? - 18:20

What advice would you give to HR teams looking to better support business leaders with their talent challenges? - 24:12

How do you determine when to build, buy, or borrow workers? - 28:17

How can you invest in growing and retaining workers effectively? - 34:14

What has worked or hasn't worked for you in the past? - 39:58

Final thoughts - 46:06

Lightcast team members work daily with clients to help them advance as skills-based organizations with marketplace-tested and practical real-world approaches. Team members are trained to help navigate the complexities of every people strategy.
Connect with us to identify your roadblocks, create a strategic plan, and achieve your goals.


Vince Paradiso: 

Welcome everybody to Lightcast's webinar on Solving the Cyber Talent Shortage with Skills-Based Hiring. We have on the webcam today two awesome experts in the field of cybersecurity. Helen has been in it for a number of years working for various large organizations, and our own Will Markow, as well, has been part of many initiatives as well as many reports and other endeavors to improve the workforce in cybersecurity. So we're just going to be shooting them some questions. Will, Helen, would you like to add anything for the listeners that I may have missed out that they might want to know about you? Helen, anything you want to start with?

Helen Patton: 

Yeah, well, one, thanks for listening in. I guess the thing to know about me is I've done the security thing for a couple of decades now. And part of my journey was being the CISO at a university, and so just because of these kinds of roles, I've had lots of people asking me about how to get into cyber, how to work in cyber, or how to stay in cyber, and so yeah, it's sort of a hobby of mine to talk about this stuff.

Will Markow: 

I would just add that I really consider myself as somebody who took a back door into the cyber world. I'm not a practitioner. You definitely don't want me protecting any networks. But I have been analyzing the cybersecurity workforce for over a decade now through the work we've done at Lightcast.

It really culminated in the development of a tool called which provides detailed information about the cybersecurity workforce across the United States. Its partnership with CompTIA is nice and really endeavors to help close the information gap in cybersecurity, which I think has long been a barrier to closing the talent gap in cybersecurity.

So really excited to talk about some of the insights and some of the data that we've been able to pull from our work over the past decade.

Vince Paradiso: 

Awesome. Thank you both. And I think as we know it's really the issues and challenges in the cybersecurity workforce that have really come to the forefront, and I'm sure we'll get to that at some point, but almost so much to the point where the White House just recently launched an initiative pulling in a huge conglomerate of partners, both in education and in the security and tech industry, including Lightcast, to really try and bolster up the workforce. And kind of along those lines, maybe you guys can talk about the current state of the cybersecurity workforce, what required this type of initiative, the White House part just in general, and what the challenges are as well.

Will Markow: 

Yeah. Happy to dive into that and give the 10,000 foot perspective that we see in the data. And just a little bit of history. We started looking at the cybersecurity workforce about a decade ago.

A lot of people were saying it's a big component of the IT workforce, it's growing rapidly, and we can't find enough people to fill the jobs. Ten years later, we hear the exact same story. The numbers have changed slightly, but I think that we're still grappling with many of the same challenges we did a decade ago because it's a very difficult, intractable problem to try and solve.

And so why is that? The first reason is yes, it is a large field that is growing rapidly. Over the past decade, we've consistently seen that demand for cyber jobs has grown faster than almost any other field in tech or beyond. And it's always going to be difficult for a training infrastructure to keep up with a field that is evolving and growing so rapidly.

Compounding the issue is that the skill sets and the requirements also change very rapidly. So even once you've trained somebody for a job in cyber, those skills become outdated very quickly. In many cases, over just the past two years, we've seen that nearly a quarter of the top skills demanded in cyber jobs have already changed. And so every two years, you're going to have to update at least a quarter of your skills. That also means that preparing people for this field is not a destination, but it's very much a moving target. And so this really places a lot of strain on educators and employers who are trying to build the next generation of cybersecurity workers and ensure that the current generation of cybersecurity workers have skills that even remain current.

And so as a result of this, we do see strong evidence of a talent gap in the field. Last count, we saw that we only have about 69 workers for every 100 that employers are demanding in cybersecurity, which effectively means we're stepping onto the cyber battlefield, missing nearly a third of our digital army.

And this has real consequences for employers. It means that cyber jobs are taking longer to fill than other IT jobs. It means that they're costing more to fill, and salaries are higher than in other IT jobs. And so this really puts a strain on our economy, not to mention all of the national security implications of not having enough people to secure our digital infrastructure.

That said, I think a lot of emphasis has been placed on the talent gap, and to be sure there is a talent gap in cyber, but I think there's also an expectations gap within cyber. In which many employers are not demanding the skill sets or the credentials that are aligned with what people are actually coming out of post-secondary education with.

And just to give you a concrete example of that, we see that only about 15%, actually under 15% of cyber jobs, call for fewer than at least three to five years of prior work experience. Similar percentage also calls for a minimum of a bachelor's degree or higher, but actually the majority of people we're graduating are at the sub-baccalaureate level in cyber degree programs.

And so there's this misalignment between what employers are asking for and what we're actually supplying in terms of new graduates and new entrants into the cybersecurity space. There are a lot of other issues with the expectations gap as well as the talent gap, I'm sure we'll get into them.

I think those are some of the huge macro trends that we're seeing across the cybersecurity landscape that's really driving a wedge between supply and demand within the field. 

Vince Paradiso: 

Helen, anything to add to that?

Helen Patton: 

Yeah. I think Will summed it up really well. 

From the point of view of a hiring manager, I will tell you that there's a couple of other things to layer onto that. As an industry, we can't agree on what a cybersecurity job is. Like even from, say, a security analyst on a job board, you look at what people are asking for and what they think the job entails, and every company has a different view of what that is.

And so as a job seeker, it's really hard to even know what kinds of skills you should be shooting for because the industry doesn't know what kinds of skills they need. So Will's right, there is a disconnect between what hiring managers are asking for and what graduates or learners are learning. Some of that too though, is because the industry is young, and so we still don't really have a clear definition of what cybersecurity is, functionally.

Every security team in every organization is constructed differently, has different kinds of functional elements. And a lot of what they're looking for in a candidate is going to be specific to their location, their industry, their size, their age, their technology stack. And so it's really impossible as a job seeker to know exactly what you need to learn in order to be ready for a job.

As a hiring manager, it's really hard to know what skills to put into a job description. So you see a lot of things where they'll put the safe things. I want someone who understands, for example, incident response, or vulnerability management, or identity and access management. And then there'll be things like, and we would prefer if you would know what it's like to live in Ohio, or we would prefer if you knew what it was like to work in a bank or whatever.

And hiring managers know they're going to have to train on the job. And so it's that. There is also an expectation in the industry that there aren't really entry level jobs. So the challenge right now is if it's such a junior job that it's just procedural, go tell someone how to do it and they can do it. You should be automating that job. 

And so this is where Will said, “we are seeing things with five years of experience as a requirement.” It's because they're expecting you to get five years somewhere else, five years on a help desk, five years as a general IT practitioner, a network engineer or a software developer, and then moving into cybersecurity.

There is a question of, is there such a thing as an entry level security job? There is, if you look at the NICE framework and some of the jobs that are out there, it'll say entry level on the title, and then it will say, yeah, but you've gotta have at least two years of experience or three years of experience. To me, that's not an entry level job. 

So we can't get our definitions right. And that's a real problem. I don't actually think it's a talent shortage. I think it's leadership shortage actually.

Vince Paradiso: 

I think. Yeah. And that calls back again to what the White House and the government's trying to do, because to your guys' point, if an applicant doesn't know what to apply for, what to learn, they're left out in the dark.

And frankly, if the companies don’t know what they want, they don't know what to hire, and that creates a problem as well. So maybe to go back to what both of you touched on with the job requiring five years experience or doing these types of stepping stones to get to where they need to be.

What are some things that companies can do to develop their pipeline? The first things that come to my mind are, apprenticeship programs or internships or stuff like that, but that's just off the top of my mind. I'm sure you guys have a lot of great ideas. Both Helen, from your experience having been in it, and Will from what you've seen growing and everything else?

Helen Patton: 

Yeah I'm a big proponent of apprenticeships, more so even than internships because most security teams are actually quite small. So unless you're going to work for a big old bank on Wall Street or something, most security teams are 30, 40 people at most. And if you bring on an intern, even one, it means that somebody on the team has to spend time training that person up.

And what we've found is it takes about six months to train up a person who's got no prior experience before they can start adding value back into the team. So if you're doing a summer internship, by the time you get to the end of summer, you're adding value to the team, but now it's time to go.

So being able to find longer term ways of working with interns. So it could be serial internships over multiple summers or an apprenticeship program where you are simultaneously doing classroom learning and on the job learning at the same time over maybe a longer period of time, nine months, 12 months, something like that is much more beneficial to the hiring manager in the company. But also, it gives the person who's doing that apprenticeship the opportunity to really understand how the function works and how it works in reality, not how it works in theory, which is what you would get in a classroom setting or a certification setting. 

Yeah, internships where you've got a long-term relationship between interns or apprentices and then the employees is a much better option in terms of setting the employee up for success.

Will Markow: 

Yeah, I completely agree with everything Helen said. I think some of the most effective approaches we've seen at companies are when they've really embraced either an apprenticeship approach or a long-term internship approach that really has the intention of transitioning into longer term employment with the company.

And I think this was implicit in what Helen was saying as well, but it's when employers can really articulate a clear roadmap for advancement within the company and provide that clear internal career pathway that we see the most effective approaches to solving what I really think of as a chicken and egg problem here, because to Helen's point, companies don't want to hire a cybersecurity practitioner who has no prior experience. And there's a good reason for that. 

It's not just because companies are being mean and don't want to hire kids fresh out of college. You really want somebody with no experience protecting your most valuable digital assets? Probably not. But you've got to build the next generation of people who do know how to do that somehow.

And those types of internship or apprenticeship programs to full-time hire positions that articulate a clear pathway with clear steps along that pathway and clear information about, whether it be skillsets or credentials or whatever it may be, that people can acquire along the way, along their career journey, is one of the most effective ways, and cost effective ways by the way, that we've seen companies really try to solve that chicken and egg problem. 

And just to put some numbers on that, there was this one financial services company we saw that implemented this type of internship to full-time career pathway. And it went all the way up to their more senior level roles where whenever they had an opening, they would try to fill it with somebody who came from the next position down and they went all the way down to doing that with their interns. And they found that on average, every time they went through one of those promotions and then promoted again cycles, they were saving, on average, around $25,000 versus had they gone out and hired somebody completely fresh on the spot market for talent.

And so there are not just benefits to growing the pipeline, not just benefits to the individual who's looking for career opportunity, but also real bottom line benefits to the companies as well.

Vince Paradiso: 

My mind also just goes through this, I’ll just dial in a little bit. And I know again, they have to establish what this job looks like, what the training entails and everything else.

But could the two of you see this eventually hopefully maybe going down into the high school level where you just start maybe orienting these kids or at least getting them kind of a taste for it, so to speak? And then that moves maybe to them being able to get that certification or maybe that community college type training, or would that be, is it a little bit too beyond that?

Helen Patton: 

Yeah. That's a super early beginning to the pipeline, yeah? One of the challenges that I see today in dealing with high school and college students who are looking for a job, when they come to me and say, Helen, I want to work in security.

I'll say what kind of job do you want? They say, I want to hack. It's like they've got one goal in mind. They want to hack. I'm sorry, but hacking and being an ethical hacker is a senior security position. You've got to know all kinds of tech. You've got to know how processes work. You've got to know that before you can hack.

One of the challenges we have right now is that we are not exposing students or people who are already in a career that are looking to move into cybersecurity. We are not exposing them to the breadth of what cybersecurity is. And this is true even within our companies. People think cyber is one pillar of IT, and I would argue that cyber is its own discipline that sits beside IT and is as big as IT. So I think the opportunity in high school and middle school, for that matter, is getting exposed. Getting kids exposed to the potential of all the things that are cyber or security. And that's everything from cyber law and policy through to the technical aspects of encryption and authentication and all of those kinds of things, and everything in between. So that they're not coming into the field thinking, I'm going to be a hacker.

They might be a hacker. We want them to hack, but there is so much more to this profession than just that. And so, at that high school level, it's that. But that's not going to get them a job, that's just going to let them know what skills they need to get the job they want. So they're still going to have to go through that learning process to get the skills acquisition for cyber law or cyber identity access management or whatever it is.

Will Markow: 

Yeah. I think that's a great point, and I think that implicit in what you're describing is something we see a lot in cyber, which is really a branding issue. I think the field still has that legacy brand of the hoodie-wearing hacker in the background. And that's why everybody says, if I want to go into cyber, I want to go into hacking, I want to be a hacker.

But to your point, Helen, there's so many different types of jobs in cyber and there's so many cyber adjacent jobs. And I think that's a story that hasn't been as clearly told to, especially a lot of high school students, but even people who are already starting their careers in it.

And I think that one of the big barriers to expanding the funnel of people who are interested in going into cyber is communicating just the diversity of opportunities within the cybersecurity field. And clarifying that you don't necessarily have to be a hacker to go into cyber or you don't have to start there.

To your point, you could go into the privacy side. You can be in cyber law. There are many other fields you can go into that are still supporting the broader cyber ecosystem. And I think that being able to communicate that and fixing that branding issue and communicating just how diverse those opportunities are across cyber is one of the things that's, I think, most challenging, but also could be most impactful to growing that entry level K through 12 funnel of people interested in moving into the field.

Vince Paradiso: 

Awesome. So I guess, and then just jumping now back to the workforce itself. Will, you had last brought up how understandably it's a lot more cost effective and efficient for a company itself to raise up its own employee base in order to get them trained well.

How would they go about keeping their team skills up to date in a field that does change as rapidly as cybersecurity itself?

Will Markow: 

Yeah, it's a good question. It really requires just a continuous learning mindset and a willingness to constantly keep a pulse on how the industry is changing.

And so you have to have some processes in place to try to peer into that crystal ball continuously and figure out not just what do I need my team to know today, but what are the technologies that they're going to be interfacing with six to 12 to even 24 months down the line? Now everybody's obviously talking about generative AI, but it might not be that.

There are many other things that depending upon your industry, you may need your people to be able to secure. It's very difficult as well because there are all these new technologies. All these new technologies have a digital component nowadays, and every technology with a digital component must have a security component baked into it as well.

And so I think that you have to be able to figure out within the context of your industry, what are the new challenges, the new technologies or even the new regulations that you are going to need to be aware of in the coming years? If you're in healthcare, for example, you're going to have a totally different set of privacy regulations that you need to contend with than if you're in retail or another field.

And so I think that it's really that dedication to a continuous learning mindset. But we also find that there are some frameworks you can use to help prioritize which skills to focus on in your training and learning and development initiatives. So one approach that we often work on with companies is to help them pinpoint what skills that we know are going to grow the fastest in the next two years, and which of those skills are going to have the highest value within the context of your team and your industry? 

There are a few ways you can do that. It can be a more qualitative exercise. You can also make it more quantitative by looking at how much you'd just have to pay in a salary premium for some of those skills in the open market which can be a great way to maximize the ROI on your re-skilling dollar because we see sometimes that just training for one set of high growth in demand skills, such as cloud security, that can save you a tremendous amount of money.

Just hiring for cloud security skills, for example, can cost $15,000 above and beyond what you're normally paying for a cybersecurity professional. It usually doesn't cost $15,000 to train someone up in at least the foundational skills you need in order to make them productive in securing your cloud infrastructure.

And we find that being able to really prioritize those high growth, highest value, and by extension, highest cost skills within the context of your industry is one of the best ways that you can try to prioritize skills for learning and development. 

Vince Paradiso: 

Helen? That's a great answer, but I'm sure there's a way to even go in a little more, having come from that background.

Helen Patton: 

Yeah, so one of the things I find interesting is when we talk about continuous learning, I think people have a tendency to think, “I've got to do that outside my day job.” Like it's my personal responsibility to continuously learn. And one of the things I would encourage employers to do is to make sure that they're carving out time during the work days for their employees to be continuously learning.

So it takes a commitment to a training budget. It takes commitment to time so that security people can attend conferences where a lot of this emerging thought is happening. So over and above training, there should be conference attendance as part of a career path. And I would look for employees to manage their time so that they're at least getting three or four hours a month where they're focusing on learning something that is of interest to them. And they can go in any direction. It's really hard to do that crystal ball thing and say, I know I'm going to need generative AI or quantum or whatever. But even just being able to say, “Hey, I'm interested in this thing right now, I'm going to go play with it,” is a really great thing to be able to have a resilient career.

So there needs to be an understanding from the company that to have an effective security team requires team members who are supported in their learning. I would be looking for that in a hiring manager. So if you're someone looking for a job you should be asking during the interview process, how do you keep me up to date? What's your expectation of my time related to that? And then as a hiring manager, it can become a differentiator when you're looking for talent. So you should be putting it into your job postings that we expect you to be training on the job, right? And we will make room for you, time for you, money for you to train on the job.

Really important. 

Vince Paradiso: 

I think that's really key. You've got that double aspect of the candidate, employee themselves wanting to do it and going after it. But then that really determines the seriousness of an organization, if they're really ready to invest, wanting to invest in that, not only by providing the resources as far as financial resources, but the time as well, because they could come to you and say we want you to get four hours a month of training. And you could go, “I'm working 12 hour work days. When am I supposed to fit this in? On my own time, on the weekends when I'm trying to, even make up for work?”

So that's really great to call out. And I guess it's mainly more down that line of the person applying and the hiring. 

What advice would you have for HR teams that are looking to better support the business leaders with their talent challenges? Obviously by providing the L&D funds and everything else, but I'm sure there's more that you guys would recommend.

Helen Patton: 

Yeah. I'll just jump in real quick. I think most security managers have had a really spotty learning experience themselves in how to write job descriptions, and how to hire, and how to coach and mentor the people that they do hire. So I would be looking for the HR partners, whether that's recruiters or the HR partners themselves to be actively helping hiring managers in the security team know how to write a good job description, know how to only ask for the skills that they need not everything that they can think of that needs to go into a JD. Provide that resource support for that training, all of those things. So there is definitely a partnership with HR to make this work.

Will Markow: 

Yeah, I completely agree with what Helen said. I think where we have seen HR be very effective is when they are that trusted advisor for security teams or other teams for that matter, especially when it comes to building those job descriptions. To Helen's point, there's no shortage of examples of people asking for things that they should not be.

We've seen cases where people ask for certifications that require five years of prior work experience, and then they also say, and no more than two years of prior work experience, which doesn't work that way. And you also sometimes see hiring managers, they don't know that asking for certain skills can dramatically expand the hiring costs, the time to fill, things like that.

And so I think if HR can come in and provide hard data or resources and information around which skills should be included, which skills or certifications should not, we often see a real benefit to the employer, the company, and the hiring manager. One concrete example, there was a company that was looking to right-size some of its cyber analyst descriptions and just making a couple of small tweaks, such as pulling out a bachelor's degree when they really didn't need a bachelor's degree for that role, or pulling out a few skills that were really nice to haves but not need to haves and they could train on the job.

We found that on average it saved about $16,000 per role that they were trying to fill. And it expanded their candidate pool by over 60%. And so that can really have a dramatic impact, especially if you're a large employer trying to do this at scale. That can save a lot of money over time and make you look good to your CFO, which is never a bad thing.

The other thing I'll also mention that I think HR can do is really try to help educate the managers beyond the job descriptions, but just in general, give them resources on how to be better managers. We find that only about 20%, so two in 10 of existing cybersecurity managers, actually had any managerial experience in a prior role before their current managerial position. And so there's definitely a need to educate managers as well so that they know how to best support their people, so that they know how to best foster that continuous learning culture within their teams, and to help mentor the people who they're also managing.

So I think that HR can both be supportive in terms of helping with the job descriptions, providing more data and information to hiring managers to help them make better hiring decisions and write better job descriptions. But also make them better managers in general, because a lot of them have never had that managerial training.

Vince Paradiso: 

Yeah. And I guess just to go on that line of thinking, the partnership itself between HR and that department or business unit is really crucial and key, because it's going to be hard. I could see from both sides trying to determine, in which circumstances do we need to build this up through our own staff? In which circumstances do we just need to bring a new employee on, which again has got financial implications, or is there a way we can borrow some workers? What would you guys recommend? Like determining when to either build it up within your team, bring somebody in, or borrow from a vendor, an outside resource.

Helen Patton: 

Yep. And in my experience, I have a tendency to want to hire and own the resources myself to the extent I can. There's a lot of benefits to having direct control over the resources you have in terms of being able to put them on different things at different times without having to renegotiate contracts, all that kind of stuff.

So for me it is preferred, the full-time employee position is, for things that I would consider core to the security program. So if I've got to keep that thing going forever and forever. Incident response, vulnerability management, identity management, those kinds of things, tend to lend themselves to a full-time employee. Where you end up with contract resources is where you've got a short-term need, or maybe it's something new that you want to try on.

Like I could see a lot of contract work going on right now around AI, right? Let's bring somebody in, let's see how things work, and once we really know what we are doing now we're ready to actually hire into a full-time capacity. That kind of thing is important. I think the other thing is sometimes it's just hard to find the talent in a full-time hiring capacity.

And so this is where you get into sort of managed services, kinds of contracts with vendor partners. Or maybe you've got a core of people that are internal to you and you augment with a service provider in addition that might give you round the clock coverage or some kind of skillset that you're just not going to be able to find yourself.

My preference is full-time employees for the stuff that's central to the security program. And after that it's an opportunity cost kind of conversation, I think.

Will Markow: 

Yeah, I totally agree with what Helen said. I think what we've seen is that there are probably three key dimensions that most companies are trying to balance these buy, build, borrow decisions across. One of which is the most obvious, cost. That's always going to be a factor. You're going to have to report to your CFO at some point, so that's always going to play in the mix. But there's also a couple of others, which I think are really the two that Helen touched upon.

One is just the availability of the talent. Can you even hire enough people if you really need 10 FTEs, but in your market it's going to be almost impossible to get more than five, then you're probably going to have to at least augment what you can hire full-time with some outside resources. The other dimension though is the time dimension, and that can be either a question of how quickly you need the resource.

It can also be a question of how long do you need the resource? Which is what Helen said, because in many cases you might just need someone for a short-term project, or in some cases you really just want to try something out, see if it works such as generative AI, and see if it makes sense to turn that into more of a full-time position or resource or capability within your team moving forward.

So I think that the balancing act between those three factors, cost, time, and just availability of talent are the three questions that we see most employers asking when they're trying to figure out should we buy, should we build, or should we borrow? All that said, I will say we often find that companies that take a build first approach when they can by doing all the things we just talked about, investing in career pathways and training your people before you say, okay, let's go throw money at some external person who has the perfect set of credentials, it's going to cost hundreds of thousands of dollars more than we want to pay. Or to get locked into a long-term contract with a service provider or contract or what have you. If you take that build first approach where possible, not always possible, but where it is possible you often find that you can save money. You can also find that you have better employee retention and you have better internal employee mobility.

And you often just have a better culture because people really appreciate it when they work for a company that's investing in them and their personal development. And I usually liken this to hiring missionaries versus mercenaries. A lot of companies, especially in cyber, just default to hiring mercenaries.

They say, “We need to find someone with CISSP, 12 plus years of work experience and every credential under the sun.” And it's hard to find them. They cost a lot of money, and as soon as you hire them, somebody else might just come in and offer them 20% more and they get poached from you. If you actually invest in building your talent though, then you can help to develop people who A.) have the skills that are most relevant for your team, but B.) also really are invested in your company because you've invested in them and their growth.

And that's when you're actually building a missionary who can support both the job you need them to do today, but also support your company longer term and support the culture in your company, which can also have many other spillover benefits for everybody else around. 

Vince Paradiso: 

Yeah, anything to add to that, Helen?

Or did he hit it all?

Helen Patton: 

Oh, no, I think Will hit it all on the head.

Vince Paradiso: 

Yeah, it just keeps coming back to the idea of clearly defined roles, both on the job itself, on the employee side, on the manager side, the support there, both for the managers in their training and understanding for the employees themselves. The company itself also. It sounds like a lot. How would you even start this process of even going through it and then even just investing and growing and retaining these workers effectively?

Helen Patton: 

I think it's got to be in the context of what you're trying to do with the security program in the organization, right? And coming at it from the point of view of a security leader, whenever you take on a new role, one of the first things you do is you go in and you investigate what is it that the business needs out of the security team?

How then is the security team structured? What kinds of functions do you have? What maybe you don't, no longer need, or maybe you need to add? And then you're in a situation where you can say, okay, are the people who are already here, are they skilled up in the right ways for where we're headed? Not where we are, but where we're headed. 

And if I've gotta make changes to that organization somewhere along the line, how are we going to do that? Are we going to buy, build, or borrow, and over what time period? So I think once you have that general sense of the structure of what you're trying to achieve, then you can put in place strategies of how to get there.

So do you go on an internship path or an apprenticeship path? Do you partner up with other companies that are like you, or if you're in state or local government, maybe other kinds of agencies where you share resources? That could be another way of thinking about it. The world's your oyster, but you’ve got to have a plan. And that plan's got to align to what the business needs and what the business needs over the next 18 to 24 months max, because it's really hard to plan beyond that at this point.

Will Markow: 

Yeah. I think Helen hit the nail on the head as well. I find that a lot of teams, not just security teams, we see this a lot in HR as well as other fields. They don't have a good sense of what the strategic direction of the company is, and it makes it more difficult for them to build that plan that they need, as Helen described. And I completely agree, you need to build that roadmap, which starts with understanding where have you stuck that flag in the ground?

You've said 12, 24 months from now, whatever it is, that you want to be as an organization and as a team. And then work backwards from that to figure out where you are today and what are the steps you need to take in order to get there. But I would argue that probably well over half of the teams that we work with, either in HR, security, wherever it is, I ask them, what are your company's strategic goals over the next two years and how does that align with your team, and what does your team need to do to support that?

I usually get a, “I'll get back to you on that,” or “I'll have to check around internally,” or “let me ask some people,” and it can take weeks, sometimes even months for them to get those answers. And I think that there are many reasons for that. I won't dive into that. But I think that to the best of your ability as a leader in security or a hiring manager in another field, or even just an HR business partner, if you can have that clarity around the goals of the business and how those goals then need to be supported by different teams within the organization, yours or others, and it's going to make it much easier for you to build that strategic plan.

And to build that roadmap to get you from where you are to where you need to be and to then to walk backwards and say, okay, what people, capabilities, and skill sets do I need on my team in order to support that? And do I have that today or do I need to figure out how to incorporate that into my team with the right mix of buy, build, borrow, or whatever strategies you want to take.

And so I always say, I say this to HR all the time and it definitely goes for security leaders as well. Start with the business value, what is the business value and the business strategy that you are trying to support? And then work backwards from that. Helen?

Helen Patton: 

No, I would agree. I think Will's comment that sometimes it's hard to know that answer is actually one of the biggest problems from a security leadership perspective, particularly if you're in an organization where the security team is buried down in the bottom of it somewhere. Like going to the CIO or the CTO and having to ask that question can sometimes come across as a little bit impertinent. Like, aren't you just engineering? Just get on with it. 

So yeah, it takes a little while to even get the right answers out of the business. And the challenge is that the business doesn't know what they should be expecting out of the security team. So it's going to be up to the security leader to be able to take business objectives and then interpret that into what does that mean from a security functional perspective and a skillset perspective? 

That is the role of the security leader to do that interpretation, because the business just doesn't know what security does at the moment. It might change, but they don't know right now. So it's going to take some time to work that out, but once you have it, and assuming that you've now got the channels open, that if those strategies and objectives of the business change over time, you're going to know it and stay on top of it.

Then you should be able to iteratively keep your organization up to date. But it does take some preparation to get to that point.

Vince Paradiso: 

Have you guys I guess in both your experiences, it sounds like that there is, even at that level, there's a lot of, a lack of understanding and preparedness, for lack of a better word, in just “okay we have this problem, but there doesn't seem to be a way to solve it,” at least from their perspective, and even to go about it.

Helen Patton: 

Yeah, I would agree.

Vince Paradiso: 

So Helen, what has worked for you, from your role as a cybersecurity leader, what has worked for you in the past and what hasn't worked for you?

I'm sure with your years of experience, there's been times where you're like, that was not the best idea, or this worked, I wish we had just thought about it, you know this is a great idea.

Helen Patton: 

I think one of the biggest challenges is actually when you're doing security in an organization and there's a management change, and management comes in from a different kind of organization, or sometimes it's even worse. A similar organization where they think things should work the same, but the culture isn't the same culture, and you've got this misalignment of leadership expectations.

And I personally experienced this, where what I expected out of my leadership was not what they were able to give because their background was just different. And it took us a while to do this dance and work out where each of us were coming from and then how to communicate properly with one another so that we could then get to this question of, well what is it you really want?

So this, it's actually this sort of concept of culture eats strategy for breakfast. The cultural differences of leadership coming in from different places and then trying to fit into your organization. Or you are coming from a different organization and trying to start somewhere new. That takes time to navigate and that's actually one of the hardest things. Once you know what the cultural expectations of an organization are, working out the security strategy is easy. It's all the people stuff. Like people go, cybersecurity is a technology field. I'm like, yeah, no it's not, sorry. It's a people and a process field actually. And if you don't have a degree in psychology, you're going to learn it on the job because you will be successful based on how you work with people, not based on whether or not you can hack an operating system.

That's just where it is.

Vince Paradiso: 

I'll hand off to Will in a second, but yeah, I mean I think that's the key thing is just assuming everybody may want to be like Apple, but your organization may not be geared to be like Apple. Apple is what it is because of who they are and what they've done and the employees they have and the skills that they have at that.

Your organization may be completely different and you applying that to that organization is just set up for disaster, and actually even just misaligned thinking because they actually might be a lot better doing something else that may be just as great as Apple, but isn't what Apple's doing. And Will, with your experience having been part of our team, you've done applied research and consulting, like what have you seen that's worked and hasn't worked?

Will Markow: 

Yeah I think you hit the nail on the head in that what doesn't work is just trying to emulate what somebody else is doing and assuming it will work just as well within the context of your team or your organization. There are many processes and technologies that work in one company, but just don't work in yours for whatever reason.

There are many reasons that could be, it could be cultural, it could just be based upon where you are at in terms of your technological maturity. Many other reasons for that. But I think what has worked more effectively is when companies tried to embrace what made them different and really tried to think long and hard about what resources do we have? What capabilities do we have? What people do we have, and how can we leverage that as a competitive advantage? Or if we don't see a competitive advantage today, how can we almost re-architect our team in a way so that we do have a competitive advantage? Now that does require competitive intelligence in order to know how you have competitive advantage. And there is a step you need to go through to try to understand what are the capabilities of my competitors or others within my industry? And then using that information, figuring out how I can differentiate my team and my capabilities. One of the other frameworks that we sometimes use, we call the disruptive skills matrix. I use the word disruption in there, I'm told it's good branding. But we use that to help organizations really pinpoint what are those skills that are very early on in their adoption curve and not everybody else has invested in it yet. So when we first did this, it was actually a project we did for IBM for a report back in, I think it was 2015, something like that.

And at the time there were a lot of skills related to machine learning, data science, big data, et cetera, that were still very early on in the adoption curve. And we found those were some of the most disruptive skills that you could invest in to differentiate your team in most industries at that point.

Now everybody's using those skills, everybody's talking about them across every industry. But at the time, they were very disruptive. And we found that if you can pinpoint those skills that not everybody in your industry has, or the capabilities that not everybody in your industry has, and you have a good reason for wanting them, which is key because a lot of companies, they just throw money at a new technology and assume it's a silver bullet, and then just becomes money down the drain. But if you actually have a good idea of how you're gonna leverage those new capabilities, and you can figure out how it will differentiate you from your competitors, that can be a very effective way to, I almost liken it to a workforce alchemy, because you can craft the workforce in the way that you want and build it in a way that differentiates your capabilities from those of your competitors.

Vince Paradiso: 

And if anybody on the line who's watched this, you’re welcome to send in questions. That's most of the ones we have. But maybe as a way to help button this up a little bit, Helen, how would you summarize ways in which these problems can be solved from your perspective as a security leader?

And then we'll ask Will his perspective of course, as well. 

Helen Patton: 

Yeah. Good question. I think a security leader needs to pay attention to being able to develop people who are already in the organization and to grow their own skills so that they can train people on the job from where they are.

So one of the things I've observed in other forums is that I actually don't think we've got a skill shortage for quote-unquote entry level jobs. For a single entry level job posting, there are hundreds of applicants, and that's not an issue. Where we seem to be struggling as an industry is in sort of the five to 10 year window, and there, we are not going to be finding people out of college to come into those roles, but we are going to find people who are already working somewhere else who want to come laterally into the profession. And there isn't a good academic path for them to do that, where it allows them to stay working and get the practical skills that they need to be able to come into a cybersecurity job.

That means that the hiring managers are going to have to do that. So we need to be training our cybersecurity managers to be able to train on the job, to be able to identify the skills they need for the future, and then to be able to mentor and coach the people who are already there so that they can also train people on the job. Because it can't just be the hiring manager, it's got to be the whole team. So I think this is a whole new skillset for cybersecurity managers who typically become cybersecurity managers because they're really good at cyber, not because they're really good at people. So we need to think of this as a required skill for management in cybersecurity, and make sure that the people who are coming into management have these skills actually.

So that's another KSA for us to put into the NICE framework. And I think if we can do that, we will also, one, get a more diverse candidate slate. And number two, we should eliminate a bit of a leaky pipeline that happens as well. So if people come into security, they want to stay because they're supported. And burnout is a thing for our industry, we need to be supporting our people. So that's the other benefit to thinking about it that way.

Will Markow: 

Yeah, I think Helen articulated it perfectly. I think that we do have a case in the industry of often making your best teacher principal. And you have, like Helen said, somebody who's great at technology, not great at people being asked to lead people. Totally different set of skills and we need to equip them with the skills themselves in order to support the development of their teams. That can range all the way from just better understanding interpersonal skill sets and working with people on your team as a human, not as a computer. It can also mean helping them to understand what we talked about earlier of how do you hire effectively and how do you write job descriptions effectively, and how do you arm them with the information and the data that they need to make better decisions about the recruiting that they're doing, and how can they be responsible recruiters?

It also means that they need to understand, how do you develop people? How do you really invest in people's personal growth, and how is that a real boon to your team? I think that everything Helen said about the entry-level versus mid-level talent challenges are also spot on and are actually reflected in the data.

Although when you look at cyber jobs overall, we only have about 69% of the workers we need. If you look at the entry level opportunities, we actually see that we're graduating roughly as many graduates as there are openings. The place where there's a misalignment is the level at which we're demanding these people and the level at which we're graduating them.

We have a lot of people graduating with an associate's or a master's degree, but almost all of the entry level job openings are calling for a bachelor's degree. And so there's also, I think, a piece of helping the employers to understand, do you need that bachelor's degree? Or can you look for a different degree level for some of those entry level roles? Or can you look internally to fill some of these positions as well, by investing in redeploying and re-skilling workers who have an interest and an aptitude for cyber? But perhaps they were right under your nose and you just overlooked them. So I think that this is actually also going back to what we talked about earlier, a place where HR can be a very effective partner for cybersecurity leaders by arming them with the information, the tools, the skills, and the data to make some of these better informed decisions and to really have the capabilities to invest in their team and grow their team rather than just being technically proficient people who then were placed in a position of people leadership. 

Vince Paradiso: 

Yeah, and I think you called out something, well the two things in my mind, is I've seen it also on my end where, to your point, that just because they're a great teacher doesn't make them a great principal.

They could be a great principal, but they may not be one. And sometimes the person moves out of a role thinking, oh, I get this leadership position, but I'm getting this extra pay also, so I'm going to go for it. And the guy and the person looking down at them, they're a great worker, so obviously they'll be good at this position also. Not necessarily. The other thing I thought of that goes back to the disconnect both of you called out, is the fact of just the understanding of what the job requires. For example, if I was graduating from high school and wanting to go into cybersecurity, if my institution and even myself in that matter isn't understanding what's required of the job, I'm going on and getting that master's degree or just that bachelor's and missing what I'm trying to shoot for.

And so it's helpful to have that understanding of really what I'm going for and what it requires, maybe what the base level is, and at least achieving that. And then, to both of your points, of where maybe either the organization then helps upskill me to a master's degree or with certifications, as opposed to I'm eliminated because I went and got this master's degree and now there's no work for me. But I've spent all this time and I've got all this knowledge and everything else.

Thank you both. This was extremely informative and it was a great talk with you guys and dialoguing over this concern that we have in the workforce. Once again, this is Lightcast. We do these once a month, so please be sure to come back. We have Helen Patton on the call with tons of CISO experience, and Will, who's our own Vice President of Applied Research and Consulting.

So please, if you didn’t get a chance to watch the whole thing, we'll send it out and you can review it. And just keep us in mind for both your data and your employment challenges and problems that we're happy to help with. Thank you both again for your time. Really appreciate it. 

Helen Patton: 

Thank you.

Will Markow: 

Thank you so much.