“Talent shortage”, “skills gap”, “employee burnout in cybersecurity”, “high turnover rate” – as a cybersecurity professional, you must be familiar with these expressions, for better or for worse.
You may have seen the big headlines pointing out talent shortage issues in the latest news – that is sadly not fake news. The talent war really exists in the cybersecurity market. Over the past months, we read numerous articles, academic papers and reports on this emerging subject; we spoke with CISOs and Talent Managers (a real full-time job!) and the 3 main challenges remain the same: how to recruit, manage and nurture our talents?
In this article, we have compiled the different situations, our observations, and the initial lessons we can draw from the actions put in place to meet these challenges.
Take a moment to analyse the strengths and weaknesses of your team to identify the complementary skills and competencies you need to look for…
Beyond just filling the roles, it is essential to gain a strategic vision of the skills to draw up a sustained cyber division. Your mantra for this stage must be: “Getting the right people for today… and tomorrow!”.
When people’s skills match their roles, tasks are performed efficiently, with everyone contributing to a more (cyber)secure organization. I doubt anyone will contradict me here, but it’s often easier said than done.
Here are the first questions you can ask yourself to get moving in the right direction…
Do you know what you need? Have you defined all the cyber activities you need to run? Have you defined your “make or buy” (internalization vs outsourcing) strategy? Have you identified the skills and the people needed to run these activities?
This is a non-exhaustive list of questions that, as an organisation, you should ask yourself to better capture your needs and know your people before launching a roadmap of actions.
Knowing your needs and your team is important as it: (1) helps with task allocation: cyber teams used to be smaller, so versatility was crucial. Nowadays, bigger cyber teams make specialization possible and make it easier to combine complementary skills; (2) helps to target training and development: having a clear view of your team and its activities helps you identify skill gaps and provide the appropriate training and development opportunities to the people who need them the most. With the identified missing skills in one hand and the identified needs in the other, you can start seeking your ideal candidates thanks to a job offer that speaks volumes (but don’t look for purple squirrels, they don’t exist)!
Keep an eye on the upcoming insights and focus on the cyber job descriptions topic! 😉
Fueling Team Today, Attracting Tomorrow: The recipe for Sustained Cyber Teams
That is to concretely explain what cyber is and what its activities are. #transparency
Based on the discussions with CISOs and Talent Managers, being transparent in the job description works and gives people a sense of belonging and purpose, which in turn promotes better teamwork.
Let us share some concrete and easy actions that you can do to get things moving:
- Promote internally the cyber jobs and the people behind the jobs: by explaining concretely what working in cybersecurity means, what the positions available are, and what the people really do, you can inspire people to join your team, increase internal mobilities, strengthen the sense of belonging to the cyber division, and give perspective to your team.
- Promote externally your cybersecurity activities: make yourself visible by participating in cyber associations and key conferences (school events, collaborations with universities, research institutions, or organisations, etc.).
- Organise/participate in upskilling/reskilling workshops (transferable skills).
- Include inspiring people in your recruitment process and branding (such as CISO, team lead, etc.).
Cybersecurity is still an obscure topic for those outside the cyber world. To fix that, everyone needs to start explaining what they do.
Mastering the art of taking care of your people
By now, you must know that it’s a great asset to know who your team is, who your people are, and who you really need to run the cyber activities, and to have great branding to attract people. But what will make the difference in the long run is to take good care of your people by offering a safe work environment and giving perspectives of evolution. When what is coming next is clear, it is easier for people to picture themselves in the company in the years to come.
And before taking care of their people, CISOs also need to take care of themselves. 40% of the CISOs say that they experience “high-stress” on a daily basis and 28% of them are close to burn-out (Cyber Workforce Study, ISC²). Tough to take care of people if you don’t take care of yourself first…
To avoid this, CISOs need to build a trusted relationship with their top management in order to be able to define the strategic objectives, prioritize the activities, obtain the resources, etc. And it is essential to know how to surround themselves with reliable individuals to delegate tasks and create an effective operational strategy.
Recruiting is just the beginning of the journey; nurturing is the ultimate goal. Nevertheless, organisations tend to forget (neglect) this last, but perhaps most important, point. It’s like getting an ISO 27001 certification: quite easy (of course, it requires work!), but maintaining it is the real deal.
In order to provide perspectives for team members, we need to establish career paths with their “pathways” and the means available to evolve on these paths: skills required per job and key milestones, training catalogue, internal mobilities, personalized evaluation process, etc.
Nurturing your talents means helping them to develop and strengthen their skills/capabilities through training, teamwork with colleagues or with cyber associations, and giving them a perspective of evolution/growth within your company. As human beings, we need to know where we stand and where we are going; we need a vision to get us moving (in our life #existentialcrises).
If we take the example of Maslow’s hierarchy of needs, people need to have a sense of belonging and feel that they are useful. Thus, part of nurturing talents also means creating a “team spirit” via rituals. It is no secret that a friendly work environment/atmosphere is a crucial criterion when choosing a job and can increase people’s productivity by 12% (University of Warwick, UK), especially for young people nowadays.
Giving a perspective of growth/evolution is essential, especially for experts. Many organizations still view management as the only path to success, but in certain sectors like industry, we can observe a shift. Expertise is increasingly valued as an alternative success route to management; some may combine both, but it is not a necessity. Therefore, expertise circles are key to giving recognition to experts in and outside of their organisations – give them the opportunity to attend specific cyber events that can also enable them to grow their network and acquire more skills.
In a nutshell, attracting and nurturing talents take time, and talent recruitment emerges as a pivotal element in corporate strategies. By embracing diversity and promoting gender convergence, we venture into new dimensions to build robust, thoughtful, and resilient teams.
We aim to open the cyber field to those unfamiliar, fostering diversity, and creating vocations. Let’s reach out to people; and let’s not wait for them to come to us.
We have created a benchmark tool to explore this multi-faceted topic (along with the ongoing research) and assess an organisation’s maturity. Reach out to us if you would like to be part of it! We would be delighted to share with you the good ideas we have collected on the market… and the traps to avoid.
Unicorns (don’t misunderstand me, I am not talking about start-ups), Purple Squirrels, Ninjas and Rockstars don’t exist, but if we combine diverse profiles, we can get this highly qualified team! 😎