By Jeremy Wittkop, InteliSecure CTO
For many large organizations, there are people on the inside who possess both the technical skill and the willingness to learn to become cybersecurity professionals. In order to effectively pursue this strategy, it is key to ensure that there are enough qualified and experienced team members on staff to mentor the newer professionals being groomed to fill out the team. Therefore, if you choose this strategy, you must be patient with your people, as they will take time to develop. You must also make a concerted effort to retain this talent, as they will soon have their inboxes flooded with suitors eager to court their new talents. Remember, there are few college courses that can adequately prepare someone to be a cybersecurity professional. Certifications are better, but there is no substitute for real-world experience. This attention will be new and exciting to many younger team members. You must be prepared to show them both growth opportunity and a career path that is commensurate with, or ideally superior to, what they will be offered on the open market. If you do not, you are simply training them for their next job. Of course, this could apply to any of your other departments, but the problem is exacerbated when the skills we are discussing are in short supply and high demand.
To reap what you sow, the three keys to the “cultivate and retain” strategy are:
- Ensure you have enough willing and able mentors to truly develop the talent.
- Be patient and realistic with respect to how long it will take to develop these resources. Ensure you understand how long they must be retained after they have gained the skill set they need in order for this to be a good investment for the organization.
- Create a holistic Human Capital program with a formal structure and strategy to cultivate and retain talent. Understand that the marketplace for your employees’ talents will be competitive as soon as they gain the skills you need.
“He will therefore have to use what knowledge he can achieve, not to shape the results as the craftsman shapes his handiwork, but rather to cultivate a growth by providing the appropriate environment, in the manner in which the gardener does this for his plants.” -Friedrich August von Hayek
When you aim to cultivate talent, it is important to keep the above quote from Friedrich August von Hayek in mind. We cannot shape cybersecurity professionals that are truly effective. We certainly can teach them what they need to know and provide them with the training and tools necessary to be effective, but cybersecurity is not a static task; it’s a conflict between White Hats and Black Hats, good and evil. This is a battle, and the adversaries are human, smart, and adaptable. Therefore, good cybersecurity professionals are well-trained, but also exist in an environment that is designed to help them grow, learn and discover. Much like learning a new language, it is best to learn cybersecurity while being immersed in it. This is why education systems and universities struggle to yield battle-ready professionals upon graduation. It takes experience to become truly effective, just as a soldier directly out of basic training isn’t fully combat ready. They have the skills and knowledge they need, but it requires experience to be truly effective.
“You cannot hold on to anything good. You must be continually giving – and getting. You cannot hold on to your seed. You must sow it – and reap anew. You cannot hold on to riches. You must use them and get other riches in return.” -Robert Collier
We must retain our quality talent, especially when we have just armed them with a very marketable skill in high demand and short supply. In order to continue to receive value in terms of services, we need to be sure our organization is continuing to give to, and to invest in, these individuals. This is a “What have you done for me lately?” world and attention spans are shortening by the day. Individuals need to be valued and challenged. There are plenty of things that we can do to maintain that sense of challenge and intrigue inside an organization, and allowing someone to go from a trainee to a trainer is one example of an experience that can be of value to the organization and the team member. The key is to ensure you have set out to map where the individual would like to go in his or her career, and that your management team is consistently communicating with the individual to show them how the work they are doing today is helping them reach their long-term goals. If you don’t value your employees, someone else will, and you will be right back where you started. Since it takes significant amounts of time to cultivate talent, losing talent you have cultivated can be very costly.
None of this is rocket science. After all, you would hire these people away from other companies if you were using the hiring to win strategy outlined in the previous post. Your recruiters would be reaching out to people that other organizations have cultivated as soon as they gained enough experience to be valuable. Assume the same will happen to you.
Admittedly, as the Managed Services Director at InteliSecure, I deployed this strategy when my budget fell short and the sheer number of professionals I needed to hire outpaced the available labor pool. I did not have the size of the organization that would allow me to cultivate talents for other departments, so I hired people in roles that had the mindset I wanted. We executed this strategy and learned the lessons to allow us to retain our high-potential employees as their experience level grew.
Alas, some went to work elsewhere for a variety of reasons. Many of them provided valuable feedback that allowed me to retain subsequent employees. Personally, I am very proud of the people that left as well as the people that stayed, not only with InteliSecure, but with all of the organizations I have had the pleasure of being a part of. Looking back on my career, I wish I had done more to keep some of the individuals that chose to move on. Dwelling on mistakes is not helpful, but learning from them is.
Don’t be like me back then. Be more like I am now. Reap what you sow. Harvest what you cultivate. Do what is necessary to retain your talent. It is much more difficult and costly to replace good people than it is to retain them.
The next post of the series addresses Managed Security Services Providers (MSSPs) as a potential solution to the cybersecurity skills gap that is growing in popularity. Managed Security Services is near and dear to my heart and I’m looking forward to sharing the details of that approach with you. If you find the content of this post to be insightful or useful, please share. If you would like to learn more about InteliSecure or this topic, please visit us at www.intelisecure.com and connect with us on LinkedIn!