Own Your Cyber Talent

Photo by Lagos Techie on Unsplash

Cybersecurity leaders across the industry have a workforce development problem. We constantly struggle to find, hire, and deploy talented professionals into our organizations.

If you believe what’s in the workforce surveys published each year, industry is not to blame. According to survey findings, blame for this ongoing, global crises, rests almost exclusively with the academic and training institutions.

If this sounds a bit ludicrous,… it should. Because it is.

Regardless of the industry, building organizational talent is a leadership function. The responsibility for building cyber talent is ours. Not the academic institutions. And not the commercial training vendors.

If we want solve our workforce woes, we have to own the problem. Which means owning the outcomes.

Here are three strategies we are implementing to “own our cyber talent.”

1. Minimize reactive recruiting.

Like everyone else, we recruit and hire in response to business needs. These needs are forecasted as firm needs, or anticipated. In both cases, we are working to fill “gaps”. But the problem is, when hiring to fill gaps, we find ourselves in a “must hire” situation. And ‘must-hire’ situations are undesirable because they limit options. Especially any option that includes building for the future; which is the only long-term viable solution to address a workforce gap.

We’re making a concerted effort to minimize our reactive recruiting and move intentionally towards a proactive approach. The goal is to be able to absorb the near term, forecasted staffing demands, within our existing talent pool. This key is a measured, but continuous focus on acquiring emerging talent before we need it. With this approach, we are able to leverage lower-cost, slower-paced OJT to teach the skills we want, and develop the talent we need.

Plus, not being in “must hire” mode, allows us to be much more selective about the talent we want. Which is the next piece.

2. Stop using certifications as a talent “gold card”.

This is a biggie. Being credentialed is not the same as being talented. Nor do credentials ensure an organizational fit, or provide any realistic forecast of success. For a great perspective on this, read any of Christian Espinosa’s publications that discuss “paper tigers”.

My own experiences are full of examples of paper tigers. I’ve hired a few, and have had a few for customers. And while the email signatures where quite impressive. What they brought to the party, left a lot to be desired. To minimize the risk of hiring, or worse, creating paper tigers, requires a clear understanding of what talent is for your organization.The first step is breaking free from the reliance on certifications to define your talent needs.

Today, we continuously define & refine what talent “looks like” for our us. Having this clearly in front of us, allows us to accurately recognize and select the emerging talent we’re searching for.

3. Maximize training investment ROI.

This is probably the biggest. In my opinion, not enough cybersecurity leaders consider return on investment, when deciding how to invest their portion of the company’s training budget. Conferences and add-on certs might seem like good choices, but in my experience, rarely can we trace the benefit form attending these, to a specific business goal or objective. So the actual ROI to the company from these expensive, one off, investments is marginal at best.

The approach we’re adopting is a mix of i) near term business needs, ii) our forecasted organizational needs, and iii) the employee’s career objectives, to guide our decision making.

Clearly, investing in workforce development that ties back to business needs is essential. But ignoring our own organizational needs only complicates the talent management process; especially when we suffer a loss, or face unusual growth. Having a clear understanding of the talent we have on staff, and comparing it to our near and mid term needs, allows us to prioritize and making good investment decisions.

Lastly, if we’ve identified our training needs well enough, it’s fairly easy to measure the “return” we are generating for the company. It will prove invaluable for increasing your training budget next year.

Cybersecurity leader. Futurist. Writes about the future of cybersecurity leadership, cultural issues, and workforce strategies.