Industry insights

After certification: Investing in employees' cybersecurity career pathways

Patrick Mallory
March 28, 2022 by
Patrick Mallory

If your organization said goodbye to several high-performing employees this past year and you were left wondering why, you weren't alone.

One in four workers quit their job in 2021, creating what many economists have referred to as the "Great Resignation."

While every worker's situation and reasons for moving on are different, there is one common thread for helping employers fight back and stem the tide of their valued employees from following suit: professional development.

According to one survey, 21 percent of employees left their organization due to a lack of career advancement opportunities. In another eye-catching workplace survey, the researchers found that 94 percent of employees would stay longer with their current company if they invested in helping them learn. 

Add these trends on top of an already-difficult cybersecurity job market and estimates that note that it can cost organizations 50 percent of an employee's salary to replace them, and you can see why many employers are looking for a better path forward.

These industry trends set the scene for the recent Infosec Inspire session, featuring Mark Cheeks, Director, Cybersecurity, Rotary and Mission Systems, for Lockheed Martin and Leo Van Duyn, Cybersecurity and Technology Workforce Development Strategy, at JP Morgan and Chase Co. they spoke about how cyber career pathways support professional development and reduce churn.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

Certifications are just the beginning of development

While certification programs are a great way to demonstrate an applicant's experience with a specific security domain or skill, employers can also use these formal programs to help shape job roles and career paths.

At Chase, for example, Van Duyn explains how their organization uses certifications to "level set proficiencies" for each job role within a larger cybersecurity job family. This gives employees a way to assess their capabilities within their job roles and a chance to shape their plans for future development.

"With that information, we can then offer them different learning communities that are aligned to those areas to help them develop," notes Van Duyn. Chase then asks employees to "think of which [learning community] is best aligned to you" based on their goals and motivations. "We do this," Van Duyn adds, "because pursuing the one that most aligns to your core goals is the one you're probably going to gravitate to, that you'll be the most successful in."

This can then lead to cross-trained and continuously developing employees and employees who are happier and feel their organizations are investing in them.

Using employee development as a differentiator and motivator

The panelists also noted how their organizations view professional development not just as a budget line item but as a way to help invest in their employees and provide more well-rounded experiences.

At Chase, for example, Van Duyn notes that their employees are encouraged to participate in training, join mentorship groups or attend conferences on topics related to their current role and other career interests or on a new skill that they want to develop.

"The benefit to this is that we can then make educational recommendations based on trends that we see in the data versus just decisions that come from managers," notes Van Duyn.

Similarly, Cheeks noted that he views the act of participating in professional development programs outside of non-traditional learning paths as a great way for businesses to find the right candidates who are either career changers or that come from underserved communities or rural areas. 

Ultimately, as Van Duyn notes, it is about "balancing training resources to make sure that we properly support both the development of professionals that really need that specific, specialized training with ensuring that we're offering training that is engaging to people that I would call 'cyber curious.'"

"This balancing act is really the key toward allowing us to find that newer talent that'll help fill that skill gap that everybody's experiencing in the industry right now," Van Duyn emphasized while also retaining those hard-to-find specialists.

Building successful professional development programs: Lessons learned

So what recommendations and lessons learned do the panelists have for other organizations looking to build career paths and boost the effectiveness of their professional development programs?

Find a trusted training and learning management partner

With increasing scrutiny on budgets and an eye toward capturing a return on investment, many organizations can struggle to find the right training provider to support the diversity of their learning goals.

Cheeks and Lockheed Martin found a great fit with Infosec 

"With Infosec, we've been able to maximize the bottom line dollars that we have because of the catalog that's provided," notes Cheeks. "The catalog crosses a myriad of different technologies that we currently work within, and it allows us to be flexible and agile in terms of the certifications that may be needed as well."

It is also important to find a partner that can offer your employees various learning options, from self-paced to live virtual learning and instructor-based courses. 

"It is also about understanding your budget, too, and how you are going to get the most bang for your buck." Cheeks continued, "And within Infosec, they have a catalog that stays current with the technologies, so it's just a great place for us to use our budget to meet all of our training requirements."

Balance formal training with hands-on experience

Van Duyn also recommends organizations find the time and capacity to add hands-on experience to their training, which is also a "really good way to evaluate their skills."

"Some companies may have their own cyber range or access to virtual environments for you to practice that hands-on-keyboard type approach to developing that skill," Van Duyn notes, "These are things you should consider when you're developing a program because they still need keyboard time to actually develop that skill."

At the same time, both panelists also noted the value that management support plays in giving employees the time and space to learn. As Van Duyn puts it, "It takes the pressure off the employee" that they can pursue training knowing that their work isn't piling up back in the office.

Set clear learning goals for positions and employees

Finally, the panelists emphasized setting clear expectations for both job roles and individual team members.

"If you don't have a clear definition of what role you're trying to develop, you could try using an existing taxonomy to help you describe that language that you need," notes Van Duyn, "or engage with your SMEs during the role definition process."

This includes members of human resources or other business process experts, like legal and talent development, so you have collective buy-in on your organization's expectations for the role. 

These expectations can then be aligned to training goals, certification expectations, and other qualities that successful candidates need to bring to the table.

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

Bringing it all together

While there is no "one-size-fits-all" approach to professional development and encouraging talented employees to stay, as the panelists note, businesses that focus on their staff's personalities, experiences and goals versus just the task of passing a certification exam will continue to stand out from the competition.

 

Sources:

Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.