Collaboration is key: IBM and Booz Allen Hamilton weigh in on attracting and retaining cyber talent
For the organizations on the front lines of cyber defense, defeating cybercriminals isn’t the only challenge; it’s hiring and retaining the very people who do the defeating. Companies in all industries struggle to attract and retain cybersecurity professionals between the skills gap and the difficulty of finding qualified candidates. A whopping 3.5 million cybersecurity jobs were predicted to be unfilled in 2021 alone.
What can organizations do to attract and retain talent? And how can partnering with human resources and learning and development teams help? To answer these questions, industry experts Garrettson Blight, Director of Dark Labs at Booz Allen Hamilton, and Eric Jeffery, Sr. Security Solutions Architect at IBM Security and podcast host of the Cybersecurity Grey Beard, shared their experience with Infosec.
Closing the skills gap with learning and development
By now, we’re all too familiar with the dreaded skills gap that’s been plaguing cybersecurity hiring and retention for more than a decade. Both Garrettson and Eric agree that one of the best ways to attract new cybersecurity talent — and retain them for many years to come — is to commit to meeting their educational needs. And that commitment should be communicated on day one of the recruitment processes.
Eric explains that benefits like educational stipends and access to educational resources can be a make-or-break decision factor for many cybersecurity professionals. He advises hiring managers to “understand that education in some ways is more important than healthcare.” This is especially true for early career recruits and military veterans looking to re-skill. Eric is adamant that educational benefits need to be at the forefront of the conversation during the hiring process.
Garrettson adds to this by advising management to look ahead and anticipate what skills the organization will need in the future. Management should be able to say with confidence, “This is where I see the business going, and so this is where I see our hires needing to be. Therefore, we’re going to need future L&D programs in these new technologies.” Keeping L&D in the loop is one of Booz Allen’s strategies for attracting new talent and boosting employee retention in the long run. And it worked wonders when Garrettson realized that Booz Allen’s operations research staff would need to upskill into artificial intelligence and machine learning. “We held a Data Science 5k, as we called it, which was a kitschy name for a program where we could train a lot of people across the firm with challenges.”
For training and career pathing, collaboration is key
When an organization signals to an employee that it truly cares about its long-term growth, the employee is less likely to leave for greener employment pastures. Investing in an employee’s training and career pathing is one of the best ways to send that message. Booz Allen and IBM have unique training and career pathing, which we’ll explore below. But despite these differences, one thing remains consistent: ongoing communication between cybersecurity teams, L&D and HR.
At Booz Allen, the bedrock of their career pathing program is a system of job families. Every role at the company is grouped within a job family based on core skills and responsibilities. Employees join a job family when they’re first hired and can change families if they gain new skills or select a new career path. Depending on what family someone falls into, they’ll go through different training routes. For example, new hires from non-cybersecurity backgrounds go through a five-week Technical Excellence program. Hires with more technical backgrounds will receive advanced hands-on training and labs handled by the L&D team. The goal is to ensure that all staff can hit the ground running on day one of their jobs and continuously update their skills during their tenure.
Garrettson builds on this by adding, “If you can’t meet the intentions and motivations of the people, they’re gonna move on. It’s a lot more costly to invest in somebody new than to retain someone who is already a quality contributor and performer.”
IBM takes a different approach to employee learning and development. Their employees have access to a learning platform called Think 40. Everyone at the company is encouraged to have at least 40 hours a year of ongoing learning, and Friday afternoons are blocked off for self-improvement. Training is self-guided and cross-functional, so someone in finance can take a cybersecurity course.
But employees need more than a massive library of training materials to succeed. Since the sheer amount of options can be overwhelming to choose from, Eric suggests mentoring employees to help them narrow down which resources are best based on their career goals. This is just one example of how management and L&D can work together to help staff get the most out of their professional development activities.
Best practices for collaborating with internal partners
Start building connections with L&D and HR sooner than later — even if you don’t have a specific project on the horizon just yet. Garrettson explains that you should be familiar with these departments long before you start pitching projects or making requests. With good rapport comes trust, which is a key ingredient to getting the support and buy-in you need to succeed in your training program.
He also advises that everyone involved, regardless of their department, should feel like an equal stakeholder. “Just treating everyone as equal partners across the organization has been very helpful. We have routine working sessions when we’re trying to evolve a new training program, or just think about how else can we evolve what we’re doing today?”
Phishing simulations & training
A word of advice to early career cybersecurity professionals
For Garrettson, the best thing someone can do at the start of their career is communicate their needs. “If you don’t say something, nobody knows what your needs are.” And for professionals who are further along in their careers, he emphasizes the importance of consistency. He explains that when managers are inconsistent with their expectations, it’s confusing to staff. Maintaining clear, consistent expectations with staff will help them understand their goals and feel confident that they’re achieving them.
Eric has this message for managers working with trainees. “When you’re teaching somebody or learning with somebody, find out what’s best for them. Find out what they want.” He recommends different formats for different learning styles, like podcasts for audio learners, YouTube for visual learners, Amazon web service for hands-on learners.
Ultimately, the best way to attract new talent and retain existing workers is by investing in ongoing training and development. And rather than being something a manager has to tackle alone, it’s most effective when done in tandem with Human Resources and Learning and Development.
Want more content like this? Check out upcoming events at webinars here.
Sources:
- The Mad Dash to Find a Cybersecurity Force, New York Times
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Collaboration is key: IBM and Booz Allen Hamilton weigh in on attracting and retaining cyber talent
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization