Submitted by: Alexis Culp

We have been facing a cybersecurity talent shortage in this industry since the industry was born.  As time elapsed, we started integrating more and more of our businesses and lives around the internet, which allowed for more vectors of entries, evolutions of attacks, and thus the need for more cybersecurity professionals.  The skills gap alone is approaching 2.7 million worldwide, forcing hiring managers to deprioritize experience when choosing candidates who show promise.  Historically the talent pool for cybersecurity would evolve out of the physical security divisions and/or the IT divisions within an organization.  Cybersecurity is genuinely a new field of academic/professional studies. In 5-years, the growth has more than doubled.  Churning out talent that enters the field with a firm grasp of knowledge in the space.



Referenced: “CyberSecuirty Degree Programs” – https://www.cybersecuritydegree.com/ 

That brings me to the point of this blog; a topic near and dear to my heart is how we bridge the gap in talent shortage within the cybersecurity industry. My personal opinion is a long-game strategy with talent retention that really starts with talent acquisition.  

Start with an internship program. I suggest partnering with your local universities that offer cybersecurity as a focus within their education tracks. Don’t overlook the community colleges either, as a wealth of talent can also be found within these smaller, more local academic programs.  This will allow your organization to create a funnel to attract bright and diverse talent before they enter the job market. It also creates a community connection within your business’s cities.  As you develop partnerships with various educational institutions, you benefit from meeting long-term employment objectives while getting your brand out there in a positive light.

Summer interns are an excellent resource for evaluating security vendors when you have an active project.  I myself, from the vendor side, have partnered with interns at various organizations to perform evaluations of cybersecurity solutions. It’s a win-win equation. The intern learns about one slice of the industry from the guise of one or more tools they are evaluating.  Interns can test workflows and even break things safely when running an evaluation versus toying around in your production environment.  The business wins in multiple ways. More seasoned and skilled employees can spend cycles on things that require their expertise.  This also allows the business to review other types of technology that may have otherwise been overlooked due to resource constraints and lack of personnel to support an evaluation.  It is very likely that these interns would entertain joining your team as permanent employees upon graduation, as they would have already started to develop connections across groups, and they understand how your team functions.

When it comes to retention, there are a lot of options here from a benefits perspective.  When you build your talent pool from the ground up, you should also invest in retaining those employees. I find that folks that stay at a company for more than two years typically do so because they have a clear career path, feel well-compensated, and have an excellent work-life balance. 

  • A clear career path requires some ongoing training investment. Individuals that stay with the same company for five years or more have completed certifications, advanced education such as a master’s, or have taken skills-based classes with the support of their employer (time & money). Consider creating internal company programs that support these certifications and continued educational tracks. For example, to obtain a CISSP, one must pass an exam and be endorsed by someone with a CISSP.  Consider being a mentor and helping foster your intern’s and employees’ future career growth. For a new graduate who is entry-level, knowing that their continued education and career path are achievable within one given company will increase the likelihood that they would want to stay in said company.  

 

  • Feeling well-compensated, especially when inflation and the price of gas directly impact everyone, means that annual cost of living raises may need to come back as a more frequent activity and benefit offered regardless of industry.  Most college graduates have educational debt and are renters.  Ensuring their compensation changes as their cost of living does will entice them to stay versus leave after 1-2 years for a higher-paying position with the same responsibilities.

 

  • To me, having a good work-life balance means benefits regardless of gender for family leave to be generous.  Entry-level college graduates most likely, haven’t started to build their families, but when the time comes that they do, they will want benefits that encourage family growth and support them. Ensuring that your policies include inclusive family benefits creates a sense of belonging for all.  Another point on work-life I feel is essential to address is the more common benefit of unlimited PTO. This is a desirable benefit and is excellent on paper, but some companies don’t have enough talent to cover when a person is on PTO, specifically in the cybersecurity function, and there can be a feeling of being constantly on call in that kind of environment.  Ensure that PTO is taken when it is unlimited.  We take this one step further where I currently work at Blue Lava.  We offer unlimited PTO and add a Friday to the standard company Monday holidays like Martin Luther King Day, Memorial Day, Juneteenth, and Indigenous Peoples Day.

I hope you have enjoyed this blog post, and I welcome your comments and suggestions on how we can improve the talent pipeline and increase talent retention in cybersecurity.