Navigating The Cybersecurity Talent Management Maze: A Guide for Talent Management Enthusiasts

Are you a CISO, Talent Manager or Cybersecurity Specialist grappling with the challenge of recruiting and retaining top-notch cybersecurity talents? You’re not alone.

Recruiting in cybersecurity is increasingly challenging, with 4 million jobs currently unfilled – a 13% rise from 2022 (ISC2 2023). As studies over the past three years have confirms, this challenge is only deepening, leaving CISOs struggling to recruit, manage, and retain skilled professionals. Diversifying the talent pool is also a priority, with women making up only 25% of the workforce.

At Wavestone, we’ve been actively following this subject and have developed a benchmark to assess companies’ maturity level on this subject. With data from more than 20 organizations, we’re ready to share our insights.

In this article, we’ll dive into the results and focus on key topics such as career path, recruitment, trainings, and retention plans. And for those who stick around till the end, there’s a little surprise waiting for you. 😉

If you’re a CISO looking for practical solutions or just interested in cybersecurity talent management, this article is for you. Let’s tackle this challenge together.

 

A Global Maturity Score of 45% in Cyber Talent Management

Current Cyber Talent Management maturity stands at 45%, indicating significant room for improvement in this emerging field. The gap between the lowest and highest scores ranges from 27% to 62%.

On a positive note, there are strong performers in every area, suggesting that companies can benefit from sharing best practices. Ultimately, the goal is to build skilled and resilient cybersecurity teams.

 

The Energy sector has the highest maturity level, while Public & Institutions have the lowest. The graph above compares the maturity levels of various sectors on a scale from 0 to 100%. The sectors include Energy (58.2), Luxury & Retail (52.4), Services (50), Finance (45.9), Industry (47.2), and Public & Institutions (36.1).

 

Developing Career Path to Give Growth Perspectives to Talents

The cybersecurity field is facing a clear talent shortage. In 2023, 4 million cyber jobs were unfilled, and the figure is still increasing. Organizations have a real challenge to retain their cyber talents and to attract new ones. Yet a well-defined career path could help them. From an HR perspective, it empowers individuals to take charge of their own development, serves as a framework for self-assessing competencies and areas for growth, and supports individual fulfilment. However, building an effective career path requires careful planning and can take over a year to implement.

During our interviews with CISOs and Cyber Talent Managers, we observed that while 66% of the organizations have started initiatives to build their first cyber career path, these efforts are not yet fully materialized.

Here are tips from leading organizations in the market… Job repository: develop a detailed list of all cyber roles, including responsibilities and requirements. Skills mapping: identify essential skills for each role and create a skills matrix to pinpoint gaps and future needs. Training catalogue and mapping: align training programs with specific jobs or skills to ensure employees are equipped to excel in their roles.

 

Real-world example based on a client assignment…

• In a client project, after several phases of reviews and workshops on cyber jobs and skills frameworks, we identified 11 new cyber skills and 6 cyber jobs and integrated them into the repositories. This then led to the creation of an initial career path dedicated to cybersecurity workforce.

A well-defined career path is the cornerstone of Talent Management and represents a strategic advantage for organizations in retaining and attracting talents, prompting many to take action.

 

Tips to Diversify Your Recruitment Pool

The cybersecurity talent pool is both limited and lacking in diversity, making recruitment a critical challenge for organizations. Despite women making up 50% of the global population, they represent only 25% of cyber professionals (ISC2 2023). This highlights the urgent need for more inclusive recruitment strategies.

Nowadays, traditional job descriptions often demand too much, deterring potential female candidates. Only 27% of the organizations have adapted them. Studies show men apply if they meet 60% of the criteria, while women tend to wait until they meet 100%. Rewriting descriptions to be more inclusive, with input from female reviewers, can broaden their appeal.

In addition, few companies focus on internal (5%) or external (22%) branding, yet these strategies work. Transparent branding and communication can help to demystify cybersecurity roles, attract a more diverse talent pool and boost internal mobility, making them valuable recruitment tools.

Here are tips from leading organizations in the market… Job descriptions: create or revise job descriptions to ensure they are accessible and inclusive. And don’t forget to review your job descriptions to ensure you’re not listing 10 certifications 😉 Female review: have job descriptions reviewed by a female employee for inclusivity. Internal and external branding strategy: build a brand that emphasizes diversity and inclusivity, partner with universities, associations, and use female role models to promote cybersecurity. Recruitment training: train your team on inclusive recruitment methods to enhance diversity.

 

Offering Trainings to Reduce Skills Gaps Within Your Organization

Cybersecurity skills gaps are a major issue, with 92% of professionals reporting deficiencies and 75% finding the current landscape the most challenging ever (ISC2, 2023).

Our benchmark shows only 33% of companies have a skills-mapped training catalogue, and 94% address training reactively, based on demand. This reactive approach misses chances for proactive skills development. Effective training is crucial for equipping employees with the skills needed to handle evolving cybersecurity threats and trends.

Here are tips from the leading organizations in the market… Training catalogue: create a detailed training catalogue that aligns with cyber skills and job roles across various learning platforms (e.g. Pluralsight, LinkedIn Learning, free MOOC on national competencies centre’s website, etc.) Time and budget allocation: set aside dedicated time and budget for employee training to demonstrate the organization’s commitment to continuous learning and skill development.

 

Real-world example based on a client assignment…

• Automated Training Paths: implemented an automated tool that can generate personalized training paths based on employees’ needs and skills level.
• Consolidated Training Catalogue: a unified training catalogue, mapped to the 17 new cyber skills and 16 new cyber jobs, offering a clear development roadmap for employees.

 

Enhancing Retention Through Effective HR Collaboration

Collaborating closely with the HR team to create a robust retention plan is essential for organizational success. While many companies have processes to support talent development, these are often not formalized, leading to challenges in daily management.

Companies need to start by assessing the unique skills and strengths of each team member and determine how to best leverage them for the organization’s goals. Conducting individual interviews is a valuable strategy in this regard. Managers can gain insights into each employee’s current career stage and future aspirations. This information allows them to craft personalized development plans that align with their goals.

However, it’s important to remember that a retention plan is not a one-size-fits-all solution. It should be flexible and adaptable, capable to evolve with the changing needs of your team and the cybersecurity landscape. By working with HR to implement a tailored, adaptive plan, you ensure that your cyber talent feels valued, motivated, and committed. Remember, effective retention is as crucial as attracting top talent, so make strategic collaboration with HR a key component of your talent management strategy.

Here are tips from the leading organizations in the market… Employee retention steering: dedicate time to define your retention objectives, KPIs and concrete actions. Only one organization has quarterly leadership moment (1 day per quarter) to focus on people and discuss on the evolution of the team. Talent reviews: dedicated time (annual interview) to create a trustful management relationship and assess the skills, performance, and potential of cybersecurity professionals. Only 5% of the companies have implemented this process in their cyber talent management strategy.

 

A²BCⁿ framework: A Framework to Care for your Talents and Secure your Business

 

In conclusion, caring for talent is essential to securing your business. The A²BCⁿ framework provides a structured approach to achieve this. By focusing on Assessing and Attracting talent, Building Trust with your talents, and Caring and Nurturing your team, this mixed approach, blending cybersecurity and HR strategies, ensures an effective and resilient team ready to meet tomorrow’s challenges.