- Johna Till Johnson, Nemertes Research
Cybersecurity is one of the hottest disciplines around. It's an open secret among enterprise technology organizations that they can't keep senior-level cybersecurity professionals around longer than a few months before they're hired away, usually with significant salary increases.
While not as obvious, the characteristics of the ideal cybersecurity professional are changing, making hiring and retention even more challenging. Ten years ago, policy and networking were the two main paths to cybersecurity. Policy-based cybersecurity professionals started from a base of policy, program management and related disciplines: risk, risk management, compliance and the like. The focus and emphasis of this path was on understanding the foundational principles of cybersecurity without necessarily mastering each and every technical detail.
The other path was via networking. Practitioners here typically started by managing firewalls and learned the detailed technical nuances of network-based cybersecurity, often by gaining certifications from network and firewall providers (such as Cisco, Palo Alto, Fortinet and others). They moved on to work at security operations centers and focused on analytics, using tools like Splunk. As they progressed up the ranks, they ended up managing teams of technical professionals like their former selves.
But what happens when cybersecurity duties change? With the advent of cloud, cybersecurity professionals now have the option of getting cloud-specific certifications from providers like AWS. And with the rise of DevSecOps, software developers are being pulled ever-deeper into emerging areas of cybersecurity.
As an example, a recent posting for a cybersecurity job read:
The ideal candidate will have the following skills and experience:
- B.S./B.A. in computer science and five years of directly related experience;
- knowledge and experience with software applications, Agile development and continuous development;
- experience with one or more of the following is desired:
  - virtual machines
  - AWS, Azure
  - containers (Kubernetes)
Cloud and coding have become a new pathway into the cybersecurity profession. But the trend is actually more fundamental. Coding is increasingly a requirement for the job. "I won't hire cybersecurity professionals unless they can code," a CISO told me recently.
The ideal cybersecurity professional is now someone who is a triple threat with expertise in policy, programs and compliance; fluent in networking concepts and technology; and well versed in emerging technical specialties -- and their inherent risks -- such as cloud and coding. These people are few and far between. One answer: Use cybersecurity upskilling to fill out the team.
Putting cybersecurity upskilling in place
What does all this mean for CISOs? The major consequence is that they must set up and manage their own internal cybersecurity talent training programs to broaden and strengthen the technical caliber of their bench. That, in turn, requires the following steps:
- Set up a certification roadmap. Review relevant certifications -- both vendor-specific and vendor-neutral -- select the certifications that are top priority for the organization; and establish a training program to encourage certification. Additional options include financial support for training programs, bonuses for achieving certifications and retention programs to ensure cybersecurity professionals don't jump ship after obtaining their certifications. A good current list of vendor-neutral cybersecurity certifications can be found here.
- Create internal cybersecurity talent boot camps. In many cases, on-the-job training is the best kind of training. Financial services firms I deal with have had success training coders in the fundamentals of application security through their "AppSec boot camps." Here, coders undergo a week or two of intensive training, taught by internal application security professionals. An important point in the training is not just the technical knowledge transfer, but also establishing relationships so boot camp participants learn who they can go to for support, guidance and mentorship.
- Develop multiple career paths. While not every cybersecurity professional wants to be a CISO, many crave increased technical expertise. Others may ultimately want to launch products or programs that serve internal users or external customers. Providing cybersecurity professionals with the skills to take their talents to the next level -- ideally, within the organization rather than outside it -- is a critical part of talent retention.
- Look beyond the obvious. Cybersecurity specialists can come from the most unlikely of places: corporate support staff, like administrative assistants; physical security specialists; and, of course, the military and law enforcement. Just because people lack a technical degree doesn't mean they won't make stellar cybersecurity professionals. Turning someone who lacks any technical background into a cybersecurity professional may take longer, but it can result in higher quality overall if the individual is intelligent and motivated.
As cybersecurity duties change, the face of the cybersecurity professional is changing, too. To ensure they don't find their teams short-staffed or missing critical skills, CISOs need to think proactively and use cybersecurity upskilling to grow that internal cybersecurity talent. In-house training can turn existing team members into elusive triple-threat practitioners with expertise in policy, networks and code.