About the Author: Philip Casesa
Philip is the Director of Product Development at Focal Point, bringing years of insights from roles in cyber security, software development, and consulting. He is currently focused on new offerings from Focal Point Academy, working with their elite team of educators to pioneer new models for building world-class enterprise cyber security organizations.
Data breaches dominated headlines in 2017, and these were only the high-profile incidents. Data breaches reached an all-time high in 2016, with 1,093 confirmed, according to the Identity Theft Resource Center. We’re on pace to blow that record out of the water in 2017.
As of November 30, 2017, there were 1,202 data breaches reported with a whopping 172,381,976 records exposed – that’s equivalent to roughly half the population of the United States.
These attacks victimize organizations of all sizes and in every industry. Nobody is immune. Even companies that sell cyber security services are breached (see Deloitte, RSA, and others). Smaller companies — once seen as low-value targets — now make up the bulk of breaches. Verizon’s 2017 Data Breach Investigations Report found that 61% of data breach victims had fewer than 1,000 employees. With the increasing sophistication of nation-state and criminal attackers, defenders will find it more and more challenging to respond.
The current threat environment ramps up pressure on already overworked and understaffed security teams to shore up defenses. It also means that teams need to have the skills and capability to proactively probe their own defenses, locate attacks in progress, detect breaches in near real time, respond to those incidents, investigate their root causes, and restore normal operations. If an organization wants a chance of staying out of the headlines (and protecting their data), they’re going to need to execute these steps in a dramatically compressed timeframe.
Achieving this requires:
In other words, organizations need a program that enables cyber talent to grow and evolve, not only to match the tactics of changing external threats and ensure mission readiness, but also to make sure that the team remains equipped despite turnover.
Faced with the challenge of an under-filled labor market and a bad case of skills misalignment, this seems like an impossible mountain to scale – but it’s not.
Solving the cyber security workforce shortage is one of the most important challenges our economy will face over the next 20 years. It’s our Everest to climb, our white whale to chase.
When it comes to building and maintaining a security team, most organizations source candidates the same way they recruit for jobs in marketing, accounting, and everything else.
They write a job posting based on a mix of experience, skills, and certifications, and then hope the perfect person walks through the door. Unfortunately, this approach doesn’t work in cyber security. What most organizations really need are security professionals with very specialized skill sets, specific industry knowledge, and a proven ability to perform against their standards.
Even if an organization can hire the right person, they often fall prey to parasitic recruiting efforts, convincing the hard-won talent to leave for the promise of an ever-increasing salary and an over-the-top benefits package. Hiring a resource from another company creates an opening, and this behavior repeats ad infinitum. Because of what’s at stake, we’re not just playing musical chairs - it’s like we’re playing it on the Titanic.
This behavior also raises the cost of delivering security in general, making it more difficult to fill the open roles in an organization. When the economics of cyber talent get too far out of balance, organizations may change how they make decisions around risk mitigation, leading to more data exposure over time.
In (ISC)2’s 2015 Global Information Security Workforce Study, Frost & Sullivan forecasted a 1.5 million worker shortage by 2020. In the most recent version of the study, released in 2017, that forecast was revised to a 1.8 million worker shortage by 2022.
Almost half of organizations globally have trouble finding qualified personnel to fill their needs. Then combine this statistic with two others from the ISACA 2017 State of the Workforce study: 56% of respondents take between 3 and 6 months to fill an open position, and 6% cannot fill the positions at all.
These difficulties can stem from any number of issues, including:
With all these challenges at hand, it is critical for organizations to take ownership of their talent pipeline to ensure they have the resources and skills needed to protect the enterprise. Without a robust talent pipeline, interruptions from turnover or unsustainable growth can threaten the organization’s ability to perform its core functions securely.
Perhaps there are different ways to think about this problem. What if the workforce shortage is not Everest, as it’s often made out to be, but a smaller, somewhat easier-to-climb mountain like Kilimanjaro? Like climbing Kilimanjaro, workforce shortages aren’t solved instantly, but with some preparation and effort, it’s accessible to most as opposed to just an elite few.
For starters, consider today’s abundant cyber security job listings; many require multiple years of experience for lower-level or entry positions. Most organizations summarily dismiss candidates not meeting their often arbitrarily determined minimum requirements. When we exclude those looking to break into the field, we unwittingly increase the cyber security workforce shortage and create a logic loop: How will they ever have the experience to fill a role if we never give them a chance to earn it? Recognizing that 87% of today’s cyber security workforce started their careers outside the industry, including virtually all of today’s most celebrated and respected experts, it would be reasonable to institute a structured on-ramp for those lacking the prerequisite experience but demonstrating a passion for the field.
Despite the wealth of new hardware and software magic bullet solutions on the market, truly effective cyber security still requires an enormous amount of human analytic effort. Ideally, a well-rounded team should include individuals with all kinds of backgrounds from diverse disciplines like engineering, architecture, and business, or even the arts. Their collective experiences can pay dividends when married with cyber security skills, bringing unique perspectives and advantages into the organization.
These “new collar” jobs are often based on aptitude characteristics, rather than a set of specific skills or employment experience, opening the gates to a more varied range of potential hires. Combining the right set of personality traits with a well-designed workforce development program may be one recipe for closing the gap within cyber security.
So, where to start? We suggest looking at existing IT staff or technically oriented business users first. They often have a strong technical acumen, familiarity with the business, and are able to make an immediate impact when armed with the right set of cyber security skills. For many organizations, this is the clichéd “low-hanging fruit” that achieves the fastest time-to-value.
Once an organization decides to grow their own cyber talent, they must adopt a new mentality, moving from “we don’t have time” or “we can’t afford to train” to “we will create the time” and “we can’t afford not to train.”
So, what should organizations be looking for when building a cyber security workforce development program? While the exact answer may vary from place to place, there are some characteristics innate to top cyber security performers that set them apart from the rest.
Did we miss any?
In the cyber security industry, certifications are everywhere. There is intense competition for recognition, and professionals obtain certifications to distinguish themselves, often holding several from different organizations. A whopping 70% of cyber security job descriptions require a certification of some kind.
Certifications are good for showing one’s commitment to the industry, and they demonstrate at least baseline competence in the principles the certification supports. But, unfortunately, most certifications in cyber security test knowledge only and may not be indicators of actual skills. Relying on certifications as a screening mechanism can filter out talented resources that (1) don’t believe as firmly in the certification process, (2) have chosen instead to focus on building skills, or (3) may not have had access to the resources needed to pursue a certification. This results in a smaller pool of candidates who may or may not be capable of performing adequately in a role.
Before starting a development program, ask what and why? What are the risks facing the organization? Why do these risks exist? What is needed to protect data, people, and reputation? Why is this needed?
Answering these questions, and getting senior leadership’s buy-in, is critical to the process.
Given the many breaches featured in headline news, cyber security has the rapt attention of key decision makers and boards of directors. While this is a welcome development, the 2017 Cyber Balance Sheet Report reveals broad disconnects between Chief Information Security Officers (CISOs) and boards on the value and objectives for a security program. This is amplified by the fact that 49% of boards are not confident in the effectiveness of their own security programs.
These fundamental disconnects must be bridged before taking on the monumental task of building a workforce development program. Security leaders must engage with senior leadership and boards to understand the business objectives, the most critical assets, the threat landscape, and the organizational risk appetite. It is only then, when a mutual understanding is achieved, that a plan can be crafted that addresses the people, processes, and technology necessary to satisfy stakeholders’ expectations.
The shared vision of what needs to be protected and why is the bedrock upon which a workforce development program can be built. Anything less means the investment may not meet the organization’s ultimate goals, and the long-term support needed to build an accomplished team will be contested by senior leadership.
There are many ways to build a workforce development program – and not all of them will be right for your organization. But we have found the framework above to be an effective method for establishing and maintaining best-in-class programs. The framework, of course, is predicated on the idea that your organization already has a solid understanding of the cyber security risks it faces and is committed to mitigating those risks.
With the threats and business goals understood, begin by outlining broad tasks the security team must complete to bring the organization’s risk to an acceptable level. These tasks will include everything from operating the existing security infrastructure, to configuring and analyzing logs and activity feeds, to red teaming and incident response, to fulfilling specialized tasks, such as malware analysis.
Then group these tasks into high-level job roles. This step, of course, will likely include roles that exist currently, plus those you hope to add in the future. With high-level roles in mind, and depending on the size of your organization, you may need to establish performance levels within each role (e.g., Incident Handler – Level I, Incident Handler – Level II). These roles will likely include positions such as red team penetration tester, network security analyst, incident responder, and security architect. NIST SP 800-181, the NICE Cybersecurity Workforce Framework, lays out a recommended set of work roles.
Then the real work begins.
Each job role should be mapped to the specific set of knowledge, skills, and abilities (KSAs) a team member needs to possess to complete the tasks required of them. An example of the recommended KSAs for enterprise and government security teams can be found in the NICE Cybersecurity Workforce Framework (NIST SP 800-181).
KSAs are far more granular than job tasks, and cover the very specific skill sets and areas of expertise required to perform the daily work assigned to them. Mapping KSAs may take time, and the developers will almost certainly need to revisit and reevaluate these KSAs as new tools, technologies, and threats are introduced into an environment.
With the roles mapped to KSAs, the expectations and qualifications for the job become clear.
An honest assessment of a workforce is perhaps the most critical step in the process. During the assessment, it’s important to examine the existing skills of the team and how well the team functions. This gives a clear operational picture of the team’s current response capabilities and helps identify areas needing growth.
At the team level, mapping the assessment results against the requisite KSAs reveals the program’s competency gap. Gaps are normal and expected – even new hires brought in to fill a specific role can’t be expected to have mastered every KSA defined for their role immediately upon hiring. This is what makes the development process so important.
When it comes to each team member, evaluation of ability is vital to consistent development. Security staff will join the team with different experiences and skills – assessments are a necessary step to baseline their abilities. Regular skills assessments can also help create a training plan that sets expectations for the requirements for advancement, putting employees on a path to master their current position and prepare for the next one.
The results of the workforce assessment will allow you to build a plan to close the competency gap.
Once an organization has defined the roles and identified the workforce’s skill gaps, it’s time to create a plan that fills the gaps and fully enables your cyber security capabilities. Not only does a defined plan create a pathway to success, it also establishes a mechanism for enrolling current staff and new hires into a program that will mold them into the resources the organization needs to achieve its security objectives.
The goal of your plan should be sustainability. Remember, you’re not building a plan for a point in time – you’re building a plan to ensure that you have a pipeline of resources to fill your security team over the long term.
Many companies think they’re doing this effectively now, but they’re often doing it in a way that is ad hoc, expensive, and largely ineffective. Acquiring skills within the context of a true workforce development program is a cycle. Every employee is on a path, designed specifically to help them close their portion of the competency gap and give them the skillset needed for the next position in their career progression.
In the best development programs, there is very little wasted effort in this process. That’s because elite security programs train in skills-based modules that tie directly to KSAs. No more week-long training courses, where only 20% of the information is relevant. Instead, these programs offer micro-training: hour-long or half-day sessions with 100% applicability to the job role. In this targeted, outcome-based approach, employees are acquiring skills constantly, and not during once-a-year training seminars.
This approach allows you to take a “next person up” approach, so that when attrition happens, you have another resource ready to step in with a similar skillset.
Individual skill validation is important and should be part of the foundation of any good cyber security workforce development program. But the top commercial and government cyber programs incorporate robust and regular team validation exercises as well.
Team validation leverages programmed security scenarios, such as simulated attacks in contained virtual environments, to test the team’s ability to detect, identify, and respond to common scenarios as a unit. These exercises build teamwork in high-pressure situations and forge elevated levels of cooperation, trust, and respect among team members. Real-world training scenarios are invaluable to high performing teams and a primary indicator of readiness to defend against real threats. They may also help identify weaknesses in process, communication, or technology that aren’t readily apparent through individual skills assessments.
Tools, technologies, and threats change rapidly. As they do, it’s important to revisit your roles, as well as the KSAs assigned to them, to ensure your team keeps pace with the changes. Your workforce development plan is meant to be a living document that bends and flexes with the security landscape. Reviewing it annually — alongside other critical policy documents — is a requirement for its effectiveness. Larger organizations will see benefit in reviewing their plan more regularly.
Organizations often take an ad hoc approach to talent development – one that involves registering employees for training or seminars only at their request or in cases of dire need. In some cases, this may be an agreeable quick fix, but it doesn’t offer cyber security personnel the learning objectives they need to operate and advance on a security team. This situation leads to several challenges.
Attending expensive third-party technical training is the solution du jour – there’s a perception that price equals value and that organizations that spend more on training are better equipped. However, when speaking with large organizations about the performance of such classes, they indicate that the effectiveness of these courses is often muted, because the material simply doesn’t match the organization’s capabilities, needs, or technical competencies. The full cost of a class, including enrollment, travel, and meals, may exceed $10,000 for a week of training with some vendors.
When the class doesn’t deliver full value to the learner, the organization has squandered precious resources. In many cases, these classes can’t be customized to meet specific organizational needs because they cater to a common ability level. Organizations need to know exactly what competencies they need, and match internal or external training resources to these as closely as possible. If a provider can’t meet the needs in an effective manner and within the budget allocated, then other options must be explored.
A designed development program is a very different approach, built specifically to meet the security objectives of your organization in both the short and long term. Unlike ad hoc talent development, the goal isn’t to patch the biggest leaks in the dam – it’s to build a better dam.
As described above, all of the best workforce development programs begin with robust planning, followed by mapping risks to security roles, then roles to knowledge, skills, and abilities. But strong programs also share the following basic characteristics:
Building a workforce development program with these best practices in mind will ensure a consistent supply of mission-ready resources. Setting growth objectives for both new hires and experienced staff ensures that the team can take a “next person up” approach when advancement opportunities are available. And it’s that approach that makes a security program resilient and sustainable over time while maintaining an extremely high performance level.
Some learning needs are so specific that there is no workable alternative to developing internal training and exercises for the security team. This approach is particularly useful when a security team relies heavily on internally developed tools or follows complicated internal processes.
However, it is a costly investment, requiring a large portion of training resources dedicated to developing modules and senior security staff allocating time to creation and delivery. Using senior staff as trainers may carry a lower direct, upfront cost, but that saving is often offset by the opportunity cost of pulling them away from operational work. Additionally, and perhaps more importantly, your average security resource has not been formally trained to deliver professional education material. Despite their technical expertise, if your trainer isn’t engaging, articulate, and patient, your time and money may end up wasted on unabsorbed training.
For more common KSAs (likely the bulk of your training needs), finding a professional development training partner that can build courses tailored to your needs is key. The most effective external development service partners offer highly customizable or modular curricula to fill in gaps and form a complete education program. This best-of-both-worlds scenario allows you to prevent wasted spend on irrelevant training, demonstrate a high program-maturity level, and achieve superior results.
Some outsourced providers will even offer flexible delivery models, such as self-paced e-learning, live instructor-led, or virtual live training. These alternative training methods can reduce spend on travel and expenses. They also integrate more fluidly into your regular work day, preventing significant interruptions to your security operations. Before making the decision to insource or outsource, organizations should consider speaking with a handful of workforce development partners to understand the full range of options.
Focal Point recently had the privilege of helping a large retailer assess the sustainability and effectiveness of its workforce development program. This program is, to date, one of the most advanced we have seen in the industry. Take a closer look at what they’re doing...
The rise of cyber security programs in universities and graduate programs is relatively new. Often, students from these programs are not mission-ready for the challenges that enterprise organizations face. Without defined onboarding and training processes, new graduates can take between 8 and 18 months to achieve full job readiness and make valuable contributions to the team. These graduates are also more likely to jump ship for higher-paying positions that require experience, as soon as they have a year of training under their belts.
For organizations with evolved cyber security workforce development programs incorporating defined roles and skills, the transition may take closer to six months of heavy training and practice before new graduates are ready to operate independently. When there is a clear path in career progression and an established security culture, these employees will demonstrate remarkable organizational loyalty. The time to value is short, but the payoff is long tenure and skilled resources fully capable of delivering on the role responsibilities.
Aside from finding enough talent to fill the seats in the security operations room, IT and security leaders are faced with another daunting challenge: creating a work environment that incentivizes employees — particularly those new to the workforce — to stay with the company. The shortage of talent, as we have described, incentivizes job hopping and puts most companies in a race to out-pay and out-benefit their competitors.
But a closer look at the numbers reveals that money and benefits aren’t the only factors that security employees care about (and maybe they’re not even the most important). Opportunities for advancement and ongoing education are frequently cited as top motivators for staying with a company, particularly for younger employees and those in IT-related fields. In fact, more than a quarter of cyber security professionals believe a lack of clear career paths is directly contributing to the workforce shortage itself.
A workforce development program that provides clear paths of career progression for your security employees can help solve these problems, paying dividends for your organization above and beyond the obvious improvements to your company’s security. A strong development program, when built with forethought and input from your employees, can reduce employee turnover, drive workplace engagement, and improve performance.
It can differentiate your company as one that offers “upskill opportunities” for its employees and cares about its employees’ long-term success. And it's a far less expensive (and more productive) use of resources than constantly attempting to one-up competing employers on salary and benefits.
In fact, some particularly innovative companies we’ve worked with have seen a new and welcomed trend arise. Their workforce development programs are so good, they have almost no turnover. For most companies, that’s an enviable position.
Building a workforce development program for your security team won’t be easy. It requires commitment from senior leadership, some degree of upfront investment, and a cultural change for most organizations.
But the payoff is worth it. Organizations that take the time to approach workforce development intentionally and thoughtfully solve the workforce shortage for themselves. As a result, they build more sustainable and effective security teams – the holy grail for CISOs and IT leaders.
The key takeaways from this paper — and the most important things to keep in mind as you set out to build your workforce development program — are:
In 2022, when the global cyber workforce shortage hits 1.8 million, how will your company fare? The answer depends largely on what you do today.
To get started, visit the helpful resources we’ve linked to below. Or contact Focal Point for a free workforce consultation and Q&A with one of our workforce development experts.