Flip the funnel: Fixing the cybersecurity talent pipeline challenge

For the next twelve days, Cyber Work will be releasing a new episode every single day. In these dozen episodes, we'll discuss career strategies, hiring best practices, team development, security awareness essentials, the importance of storytelling in cybersecurity, and answer some questions from real cybersecurity professionals and newcomers.

In our first episode, entitled "Flip the funnel: Fixing the cybersecurity talent pipeline challenge," former Cyber Work Podcast guest Karl Sharman, Head of Cyber Solutions & Consultancies for Stott & May, and Infosec's Director of Research & Product Marketing Megan Sawle drill down into the notion of the skills gap. Karl and Megan know that the skills gap is a significant challenge, but with actionable guidance to help fill vacant cybersecurity roles, you can think like successful security and IT leaders and improve recruiting, hiring and retention without relying on "unicorn" candidates to wander in.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

[00:00:00] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. For the next 12 days, Cyber Work will be releasing a new episode every single day. In these dozen episodes, we’ll discuss career strategies, hiring best practices, team development, security awareness essentials, the importance of storytelling in cybersecurity, and answer some questions from real cybersecurity professionals and newcomers.

In our first episode, entitled Flip the Funnel: Fixing the Cybersecurity Talent Pipeline Challenge, former Cyber Work podcast guest Karl Sharman, Head of Cyber Solutions and Consultancies for Stott and May, and Infosec’s director of research and product marketing, Megan Sawle, drill down into the notion of the skills gap.

Karl and Megan know that the skills gap is a significant challenge, but with actionable guidance to help fill vacant cybersecurity roles, you can think like successful security and IT leaders and improve recruiting, hiring and retention without relying on unicorn candidates to wander in.

We hope you enjoy this 30-minute discussion between Karl and Megan. And if you want to learn cybersecurity, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills. Be sure to use the code cyberwork when signing up. Details are in the episode description. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel. Now, let’s start the show.


[00:01:29] MS: What we’re here to talk about today is really that whole cybersecurity talent pipeline, and of course one of the biggest challenges facing our industry today is recruiting and then retaining that cybersecurity talent. We need to let more people into the industry and then of course keep them there, so more in the top and less out the bottom. And right now it’s really more of the reverse. So we let few people in the top and we lose them along the way due to a variety of factors that I’m sure you all are already familiar with, right? It’s burnout, stress, workloads, diversity challenges and things like that. And as a marketing person, I like to think of the talent pipeline as really like a hiring funnel. And I think it’s time that we consider flipping that.

So when you think about challenges at the top, we have a whole lack of awareness of cybersecurity as a career, right? And there are a lot of really great organizations like CyberPatriot who are working to amend this issue. But the fact of the matter is, if our high school students and even our middle school students aren’t considering this as a career for them with lots of opportunity, we’ll likely continue to see sort of the drought in talent that we have today.

And of course, burdensome job qualifications. Does every role really need the experience, right? The certifications and degrees for all levels of roles that we see out there in the job marketplace? And then we also have some issues with sort of non-inclusive language in JDs, and that really kind of circles back to burdensome qualifications. We already know that people of different genders are less likely to apply to job descriptions where there’s a laundry list of qualifications, all of which might not be necessary.

So Karl, I’ve heard you reference the shape of the security org a lot as being more of like a diamond. Can you talk about that and sort of what those challenges in the middle might look like?

[00:03:17] KS: Yeah. It’s a really interesting subject, and I honestly believe that there is a diamond, mainly because if you look at the job market, there are very few jobs at the top and there are very few jobs at the bottom, and it’s a serious concern for the security industry moving forward. And some of what we’ve looked at is: is security really an entry-level job? Because the jobs don’t suggest it is. If you look at any JD, you’re looking at 5, maybe 3 years at the minimum sort of experience. So how do people go and get that experience when it’s just not there? The job is not there, unless it’s with a major Fortune 100 company that has an internship program or something similar. So there really is this diamond effect, where there are loads of middle jobs out there that are very middle of the road, but we haven’t got enough people, because people are looking for unicorns out there. And that is really, really challenging to find for companies, which is why they come to companies like us to try and identify that. But ultimately, we want to make ourselves redundant in that respect and actually get to a point where they would be able to find that talent. And the only way we’re going to do that is, like you say, flipping the funnel and actually removing that diamond effect and actually getting more people positioned at the very early stages of their career into security to hopefully mitigate them and reach for organizations.

[00:04:44] MS: So what about towards the bottom of that funnel, Karl? What types of problems are we seeing? I know you mentioned a really interesting statistic the other day about the cost of actually getting someone on-boarded and potentially having to replace that person. Tell me about that.

[00:05:00] KS: Yeah. I mean, the cost of getting – Certainly, not going down, let’s say that. Obviously with COVID, that may change things with more people available on the market. But ultimately we’re seeing cost go through the roof, like we are a cost as an example of that. But also if you consider the cost of recruiting someone, we’re factoring in advertising, the time that that takes, that is cost. And when you’re talking about utility, that is something to really consider if you’re a hiring manager. Is it easier to promote from within? Does it save your time in terms of training? Is there someone already in your organization?

And when I say that, people are like, “Well, my team is small enough. I don’t have enough to utilize.” Well, then, let’s start looking elsewhere in your organization. Let’s start looking into IT. Let’s look at SAO. Are there transferable skills that you can go and get? Then you’re just going to do – You’ve got to come to companies like yourself and go, “Right, I need this person trained in the following areas. What can you offer?” And that might be cheaper than hiring. But if they aren’t there internally, then you need to go out and hire. And what we’re suggesting is actually identify people that, again, have transferable skills. So you can take from within the industry and train them up. Or alternatively, you go soft skills. And you’re identifying people off their soft skills that match your values and match your ways of thinking and are just hungry to learn, because there are so many young people out there that are hungry to learn and want to get into cybersecurity because of the possibilities in this industry. And cyber is one of very few areas where there is so much possibility right now and has survived pretty well out of COVID.

[00:06:42] MS: Yeah. And so whenever I think about these challenges, I always have like way more questions than answers, right? So in March we did a survey. We surveyed about 250 IT and security hiring managers in the US to learn sort of what drives those hiring decisions at the very top of that funnel. Essentially what we did is we analyzed employer emphasis on candidate skills, abilities, experience, degree, certifications, all of those things that we hear talked about a lot. And then we compared their responses on that hiring criteria to how they actually assess their own ability to fill open roles.

So essentially, what are successful hiring managers doing differently that the rest of us can potentially learn from? Honestly, one of the most interesting findings that we found was that 58% of our successful organizations, people who are having success filling these open roles, are regularly considering inexperienced candidates for open positions. And that’s compared to just 40% of organizations who are reporting challenges doing that same thing.

We also found that these organizations that are challenged to fill positions were less likely to consider inexperienced candidates than all other respondents participating in the study. It’s actually 40% versus 54%. So pretty significant deviation there, Karl. Are you seeing more organizations consider candidates without previous experience? Is this something that’s actually working that you’re seeing firsthand?

[00:08:13] KS: I’d say it’s a whole no. I think you see it in time to fill. Like we did a study previously where I think it was like 76%, off the top of my head, took more than 8 weeks to fill a role and some even up to 16 weeks. I mean, you’re talking 4, 5 months there where these roles are just sitting there and not able to be filled, which is the common reason why companies come to us, is after a certain period, normally a month, they will end up coming to us. Even longer in certain cases that I can think of in the last 12 months.

And even during COVID, these certain companies I’ve spoken to are still looking for positions, not willing to use an agency because of cost, and still going six months on. How can we be in a world where that is the case when unemployment is going through the roof and whatever else? So we need to think differently. We need to think outside the box. And the thing that I always say to any company is let’s get your job description down. Let’s understand that and let’s actually go through that as a problem, because it is a problem. It’s causing companies constant problems, because it’s an HR tick box. It’s not actually solution-driven in terms of what we do with our job descriptions. So for me, it’s simple. We need to know what your three hardest skills are that you can’t live without in this role, and what your three soft skills are that you can’t live without in the role. Everything else is irrelevant, everything else. You just don’t need that.

And I think even to a degree, depending on the level, you need to be a little bit more agile in terms of the skills they have. Can you train them? How long would that take? What’s the cost? Is that going to save us money long run? Because if you start looking at like retention and attrition issues, if you look at an area like incident response, that’s down to less than 18 months in terms of how long someone is staying in a business. So if you’ve got those sort of attrition issues where you know they’re only going to be here for 18 months, like what’s the question mark there? What’s the cost analysis? Do we need to train these people to keep them here longer? Do we need to take more risk in our hiring? And I would suggest you need to take more risks, absolutely.

[00:10:21] MS: So knowing that, I always like to be realistic with some of these research findings. It’s one thing to say hire inexperienced candidates, right? And it’s a whole other to look at that risk and decide like where can we take those risks? Have you seen anyone doing that in a creative way? Maybe it’s establishing feeder roles for security positions or something like that.

[00:10:39] KS: Absolutely. Well, firstly, security has to be averse to risk, is the way to look at it. I think security has so much pressure that they don’t want to take it on, because hiring is another risk. Hiring is a risk in terms of a breach that could happen if someone does something wrong, and that’s why junior people are not trusted in these positions, or less experienced people shall we say?

But yeah, absolutely. There are some really good schemes, especially at the bigger companies that can take that risk, I suppose. But that doesn’t mean that smaller companies can’t. I built out, at about a thousand-person bank, a team of 8 security folks, and they took risk on people that had been out of work, firstly. They took risk on younger people they could team up with more senior people and have that mentoring to double up. And that hits so many different areas, because there’s no cost. There’s less cost. They got them for cheaper because they were out of work, or they were less experienced. But also, they created this loyalty. And a lot of people that we placed 18 months ago, 2 years ago, are still there, because they feel that they’ve been engaged with. They feel like they’re getting the actual real-life experience. Thirdly, they’ve been trained, which I think is such an under-invested area even when we talk about human resources and talent attraction. It’s such an under-resourced area currently that is out there in the market. And security needs to rely on that evermore as well as HR partnerships and recruitment partnerships.

[00:12:11] MS: Yeah, and this segues really well into the next research finding, which was of course if you hire these inexperienced candidates, where do you go from there? And there’s, like I said, obviously risk involved. And what was interesting about the data is we found that hiring managers who are more likely to consider these inexperienced candidates are more likely to also work at organizations with established reskilling programs. So that’s probably not a total shock to you, Karl. I think it’s really clear, you can’t hire these people and not help them be successful in their role. That doesn’t happen on its own. So how are people that you’re working with, Karl, sort of overcoming this challenge and making sure that when they do roll the dice, when they do bring in inexperienced candidates, they’re making sure that they’re adequately prepared for the roles? What’s working out there?

[00:12:59] KS: Yeah, it’s really different things. Sourcing the right talent is obviously the ultimate goal with that. But when you’re looking for these unicorns and they don’t exist, what is the next alternative, as you were saying? So you’ve got training programs. You’ve got mentoring programs, as I’ve said. You’ve got using third parties or outsourcing, which is stuff like yourself or some of the other training providers in the market. And I think they’re great as a starting point.

I think also there’s stuff where you can actually build a talent program and actually develop that talent in-house, which isn’t as costly as people believe it is, and you have to remember your talent pool is only as wide as your talent program. So I think that’s really, really important. What is our talent program? What is our talent management program? Where are our gaps that we need to identify? Where is it we have attrition, with training or with development? And it’s also providing a pathway to people. Ultimately, that is what it is. People often are frustrated because they either don’t see a future at the company, or certainly they’re falling out with their managers. So how do you identify that? And that’s why I always say, partnerships with recruitment firms are critical, because they would tell you if something is up or they would tell you what’s going on in a market if there are like attrition rates or different stuff that you might not be seeing, because you’re blinkered in your approach, to be respectful.

But secondly, internally, like actually having those relationships, and that’s what it is. It’s about knowing as much as possible and being able to take as many opportunities as possible both internally and externally with your partners. But I think you just have to build a talent program, which offers them mentorships, offers that training and offers that pathway, ultimately to make sure that people stick around, but also to improve and mitigate any future risk for the organization.

[00:14:59] MS: Yeah, I like your comment. This isn’t just for new hires either, right? This is to help reduce that turnover and that churn. So it’s a really good comment. So one of the tools that we use here at Infosec in the hiring process is actually projects. And so I’ve seen really beautiful projects submitted by seemingly unqualified people, right? Maybe their resume was not impressive, but something in there caught your attention. You assign them a project. You got something great back. Of course, I’ve seen the opposite. People with beautiful resumes who weren’t actually able to demonstrate the skillset you needed to get the job done.

And what was interesting about the study is we asked this question. This was something that hiring managers in security are looking at. And what we found was that hiring managers at organizations experiencing this recruiting success are 433% more likely to use projects in the candidate evaluation process. I think this is super significant, very interesting. It’s a specific focus on demonstrable skills, right? Not just how well someone can write a resume or hire someone else to write that resume for them.

So Karl, I mean, everyone relies on traditional success signals, right? It’s like degrees and certifications and experience, which is the reason why they’re listed in job requirements. It’s a signal. It might not be the best signal to go on based on candidate success, but it is one of them. And so projects and assessments come in in a really big way here, because it’s a way that employers can evaluate that fit. But when you’re in this hiring process, what else can organizations do to sort of widen that selection criteria while making sure candidates are actually still qualified? Because as we know, filling open roles is not a super-fast project.

[00:16:41] KS: No, but it can be. Just on that, it really can be about speed, and you’ve got to prioritize this. What we talked about, utilization of your time compared to cost, because the longer it takes, the more costly it becomes. But ultimately, coming back to your actual question, I always go back to my football or soccer days and think about when I was hiring scouts. Like everyone in football or soccer, the majority of people can talk very well and they can talk about it all day because we’re all fans of the game and stuff like that. But how do you actually identify a scout? Well, the only way I could do it was actually getting them to go out to a game and do a written report and actually see what their writing is like. And you’ve seen that more and more in cyber now in the last couple of years, in the US mainly, is you’re starting to see with the consultancies that they’re getting people to see how good their writing is when doing a security assessment or whatever it might be, a report for the end client, because that’s how they need to judge them.

And you’re seeing more technical assessments around more technical areas, like penetration testing and stuff like that. Now the concerns are, from clients mainly, and the concern that candidates get is, “I don’t have time to do that.” So you need to make sure it works both sides, and the only way you can do that really is trial and error, seeing what people are going to do. But the common argument that we go back to candidates with is, if you’re not invested in this by spending 30 minutes or an hour on this assessment, you’re not invested in the whole process, because it is an investment. No matter if you want to interview or not, it’s an investment. You’re still going to want to do the research. The best candidates go out there and do the research, do the time if they really want this job.

So you can actually work out who really wants this job by whether they put the time in, and that’s what we found with a number of consultancies that have gone down this route. In the private sector, not so much. There’s certainly been a slow uptake with this sort of thing. But I have to remind companies all the time that standard interviewing, i.e. like what we’re doing here, is only effective 0.31 of the time. Projects, assessments, reports are great ways of screening, and they actually increase that level of investment and obviously decrease the level of risk in terms of their interviewing.

So I’m always pushing on that. The second part to this is interviews focusing on culture fit, motivations, learning styles, and do that via video, because you’re going to get a lot more information than in a standard interview, which I keep seeing people getting frustrated with. And then they get further down the line, and they’re like, “Yeah. They’re not the right fit because of so and so, and so and so.” And often it comes down to culture fit, because they only actually see them at the final stage, because that’s normally when you would invite people in, pre-COVID anyway, and actually be able to assess them at that point. So there are certain issues around that that you can mitigate for a hiring manager a lot earlier in the process, by doing video calls, by doing assessments, by doing reports or projects, so that you can actually start mitigating and actually get an idea of this person. Because I always say to every hiring manager, “Wouldn’t it be great if on the first day that candidate comes in you’ve got their reports, their assessments, all their feedback from previous interviews. You’ve got their understanding of what their learning styles are, what motivates them, all in a report so you can actually go through that and understand the person 100 times quicker.” That’s where it comes back to your pace point.

[00:20:08] MS: Yeah, absolutely. And you mentioned culture fit earlier. So I want to talk a little bit about that, because I hear this a lot lately, and I was curious what our industry is doing around culture. And when we ask survey respondents about the importance of cultural fit in the hiring process, we got some pretty interesting responses. So hiring managers who are more successful filling these open positions are much more likely to emphasize cultural fit during the hiring process than their counterparts. And that could go to what you’re saying earlier. You just know they’re going to be a better fit on the team if that’s something that you’re looking for early on.

And hiring managers, of course, from organizations struggling to fill open roles valued cultural fit less than all other survey respondents, similar to the benchmark. And I think this is interesting, because evaluating candidates on things like cultural fit can be beneficial, but of course it’s potentially dangerous, right? It often comes under fire for being biased. Are we just looking for people like ourselves to fill these open roles? What do you think about this, Karl? Should we be looking at this? The data says yes, but how can we make sure we’re doing this without introducing those cognitive biases and things like that?

[00:21:20] KS: Yeah, it’s a really good question. I mean, how you get around the biases is incredibly difficult, and there are people challenging this all the time. It’s the reason that people are so difficult to read and hard to predict, because choices and motivations in people differ all the time. And that means behavior does and so does action. So I think it’s really, really challenging. I think the way that we’ve done it is with a lot more video screenings. So actually, screening our candidates heavily before we present them to a client, actually saying like, “This is what we’re picking up.” And then if I think about – If I, again, go back to soccer and football, because they do it a lot better than cybersecurity, which is why my experience hopefully is enabling hiring managers to do this better, one person in your dressing room can actually destroy that whole environment that you spent months building. And it can turn your whole season. And it’s exactly the same in security, in that that one person can really interfere with what you’re trying to build and actually interfere in terms of talent attraction, attrition, stuff like that. And as I said, the number one reason people leave companies is because of their managers or because of that environment.

So it’s so important to get the culture fit right, firstly. But secondly, the way to do it really is by gaining everyone’s opinion. So the people you’re pulling into your interview process, including the external recruiter, including us in that group, with respect, is gaining opinions consistently and trying to see where the trends are. So when you’re getting these snippets of reports and you put them all in one document, you should see the key trends. So like good communication, actually working out what they are in the first place and defining them. So if you’re looking for someone who’s motivated by their job or motivated by the company or is a good communicator or is loyal and honest, what do those things need to look like? What do those things need to sound like? What do those people need to say in that interview? And then how do we then train our interviewers to go and do that? So is it that we prepare them a sheet, an interview sheet, to pick up on end points? Or secondly, is it that they need to go through some bias and like non-bias training to pick up on those sorts of things? And ideally, the more and more we do this, the report should get better. It should get more detailed. It should have more trends, and ultimately it should give out better results.

And I know this sounds hard and sounds difficult, but that’s exactly what we do in football or soccer. We get 3 or 4 scouts to watch a player 8 or 9 times and then we interview that player 2 or 3 times, and ideally we’re trying to see the trends in terms of what they do on the pitch, who they are off the pitch, and then that will allow us to make a better investment and ideally get a return on investment, which is what cyber should be looking for all the time in people.

[00:24:16] MS: Yeah, absolutely. Culture should not be defined at the individual level, right? It’s important that the organization and the teams are aligned to that as well. So great points. And I think it’s pretty clear that HR is not going to patch our talent pipeline issues on their own. So in our study we found that successful hiring managers were actually 113% more likely to recruit their own candidates and 58% more likely to screen them. So much more involved in those really early stages of the hiring process.

So Karl, how else can hiring managers get more diverse, more qualified candidates in the door? And then, of course, keep them? How can we help HR and recruiters like yourselves sort of help ourselves, right?

[00:25:03] KS: Yeah, absolutely. Again, it’s a fascinating question, and a question that we get asked a lot is what more can we do? And I think ultimately it’s about partnerships, as I’ve said initially. It’s about partnering with HR. I understand that a lot of people in HR or talent acquisition internally are not security experts. So you need to make sure that within your salary you’re trying to get an agency fee, or trying to be a little bit more agile in terms of being able to get an external agency who’s a specialist in this area, firstly. But in terms of when we’re looking at job descriptions or screening candidates or interviewing candidates, you need HR to be a part of that process. But the hiring manager needs to lead on this, because they know what they want. And ultimately, that needs to come down from the CISOs. That needs to be coming down as well as coming up in the process of who’s good? What are we looking for? Who do we need to go after and what types of companies do we need to go after? There will be questions that you should be asking consistently and you should be challenging it consistently, like on a weekly basis. Every time a new position comes up, you should be going, “Well, what worked? What didn’t work? What do we need to improve?”

And I think if you keep repeating this process consistently, then we’d get better and better over time, but you can’t do that without external providers and internal providers. And everyone needs to move in the same direction. So when you think about agencies and recruiters like myself, you need to be challenging them. How many people have they spoken to about your position this week? What have you seen? What’s the key trend? Are we in the right ballpark? I have so much data that I give back to my clients, because I need to give them insight in order for them to learn and find out the reason that this might not be working. And that’s why people partner with companies like us, and HR need that information, but HR also need that relationship and feedback from hiring managers, because they need to understand what’s not going right as well. So it’s really a mixture of relationships. It’s a mixture of problem solving and challenging. But ultimately, everyone needs to improve in this. I honestly think it starts at job descriptions, because I think, for companies, there isn’t a talent shortage as much as people say there is. A lot of it is hype. So we need to get away from that hype and actually start coming up with solutions and challenges, and that ultimately starts at HR, the hiring manager and in job descriptions.

[00:27:29] MS: Yeah. I know alignment is like the most overused term of 2020, but having that alignment and making sure we’re all kind of rowing in the right direction, it makes perfect sense.

[00:27:40] CS: Thanks for checking out Flip the Funnel with Karl Sharman and Megan Sawle. Join us tomorrow for Close Your Skills Gap: Putting the NICE Workforce Framework for Cybersecurity to Work, with guests Leo Van Duyn of J.P. Morgan Chase, and Danielle Santos of the National Initiative for Cybersecurity Education, better known as NICE.

Cyber Work with Infosec is produced weekly by Infosec and is aimed at cybersecurity professionals and those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, all small letters, for a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.

Thank you for listening, and I’ll see you back here tomorrow for more cyber work.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.