CyberWire Daily - Cyber Talent Insights: Navigating the landscape for enterprise organizations. (Part 1 of 3) [Special Edition]
Episode Date: April 12, 2024
Join us for this special three-part series where the N2K Cyber Talent Insights team guides you through effective strategies to develop your cybersecurity team, helping you stay ahead in the constantly changing cybersecurity landscape. In the first episode of the series on cybersecurity workforce development, we dive into the complex world of cyber workforce management and planning, particularly as it pertains to the perspective of the enterprise. We explore the current state of the cybersecurity workforce, navigate various challenges in talent acquisition, and explore the nuances of job classifications, titles, compensation, and the dynamics of remote, onsite, and hybrid work environments. Our experts further address talent development strategies like professional development, training, conferences, mentorship programs, communities of interest, and corporate cyber academies. Finally, we touch upon the critical aspect of talent retention, an essential component in closing the cybersecurity talent gap. We hope you will join us on this journey.
Connect with the N2K Cyber Workforce team on LinkedIn: Dr. Sasha Vanterpool, Cyber Workforce Consultant; Dr. Heather Monthie, Cybersecurity Workforce Consultant; Jeff Welgan, Chief Learning Officer.
Resources for developing your cybersecurity teams: N2K Cyber Workforce Strategy Guide Workforce Media Resources Strategic Cyber Workforce Intelligence resources for your organization Cyber Talent Acquisition Woes for Enterprises Workforce Intelligence: What it is and why you need it for cyber teams webinar Setting Better Cyber Job Expectations to Attract & Retain Talent webinar
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Welcome to Cyber Talent Insights on the N2K Cyber Wire Network.
My name is Dr. Heather Monthie, and I am a cyber workforce consultant with N2K.
I'm joined here with my colleagues, Dr. Sasha Vanterpool and Jeff Welgan.
We're excited to be here today for this special three-part series on cyber workforce management and development.
On today's episode, we'll be talking about cybersecurity workforce intelligence from the perspective of the employer and people who are recruiting and attracting top cybersecurity talent.
Welcome Jeff and Sasha.
Hey, Heather.
Hey, thanks for having us.
All right, let's get into our first question here.
So we are a great team of cyber workforce consultants who work every day with companies on their cyber workforce intelligence.
So for those of you who are listening that might not understand what that term cyber workforce intelligence is or cyber workforce development is, Jeff, can you elaborate
a little bit on what this concept is?
Yeah, and I realize this might be a new term for a lot of our
listeners who are cyber-focused practitioners, right? But workforce intelligence is actually a thing, right? It is a thing that really refers to the collection, analysis, utilization of data as it relates to a workforce, an organization's workforce.
So the concept really comprises a number of things.
Obviously, data collection, which we will talk a little bit about, I think, in this episode.
But, you know, performance data, you know, skill data, gap data, job opening data.
That's kind of what we're really talking about here when we're talking about data collection. Then analyzing that in a useful way so that we can draw meaningful insights from that data.
Which then kind of feeds into a number of things across the enterprise, right?
Like particularly related to strategic workforce planning efforts.
I used to work in the intelligence field for a number of years.
And I think a good way to just think about any intelligence, whether it's workforce intelligence or cyber threat intelligence, your data that you provide or the intelligence needs to really be like three things.
It needs to be timely.
It needs to be relevant to what you're looking at.
And then most important, it has to be actionable.
So that's really what we're focused on is getting that data, analyzing that data so that enterprises and decision makers can take action.
Just in this case, it's around people.
Excellent.
So for those of us that are in the cybersecurity industry, we constantly are hearing about
a talent gap in the cybersecurity workforce.
So can you, for those that may not be familiar with some of the topics that we talk about
around the cybersecurity workforce talent gap, can you just give us a quick down and
dirty refresher on the state of the cyber workforce?
Yeah, I think one of the best definitive sources for this is actually at CyberSeek.org, a number of good folks who are analyzing the workforce regularly and doing good updates on kind of the state of the industry and the workforce there.
They just about, I think over the summer of last year, updated the data and the 2023 supply and demand ratio is at 72%. So what does that mean?
That means that there are 72% of qualified candidates to fill those job roles that exist
out there. So there's still a shortage of supply for the demand in the workforce. It's a little
bit better that this past year's data, 2023 data,
is a little bit better than the 2022 data, but it's really just marginally better. And I think
there are some underlying causes why that might be the case, although we can't definitively point
to one thing or another. But as we know, 2023 saw a lot of layoffs, especially impacting cybersecurity professionals, large tech organizations.
So that would certainly lower the number of job postings, or i.e. the demand.
So I think that's kind of one key component of it, of course.
And then there's an ever-evolving profession here as well that I think we need to kind of pay attention to as professionals in this space.
And it's just similar to cyber. Technology and needs and skill sets evolve
dynamically with the business, dynamically evolve with innovation. So that I think plays a key role
in not only the importance of workforce intelligence, but just kind of the supply of relevant skills.
And I would point to, just as an example,
the rise of AI and the demand around skill sets related to AI,
whether that's prompt engineering or kind of on the database side,
because more and more companies are leveraging that skill set
for a number of different applications across
a workforce.
So that certainly would impact the talent gap in a number of ways, too.
It could be AI, it could be other things.
Excellent.
Thank you.
So, Sasha, so there is a lot of complex scenarios that we need to consider when we're talking
with clients about cyber workforce strategy and how do we develop and upskill
existing cybersecurity teams. So when we're thinking about the complexity of some of these
different things, we look at things from a talent acquisition perspective, talent management
perspective, and then talent retention. So can you talk a little bit to the talent acquisition
piece and some of the work that you've done with employers on how do we make sure that
we've got well-written job descriptions that are actually looking for the correct skills,
responsibilities, qualifications that are needed for a work role, and just some of the things that
you've seen with working with employers on the talent acquisition piece of cyber workforce.
Yeah, I think it's important to, you know,
think about it as those different phases of the life cycle.
So, you know, specifically thinking about talent acquisition,
I think when we're talking about talent sourcing,
we're talking about, you know, where to look for those candidates
and, you know, when they are actually applying for these jobs.
I think that's the first piece is as far as making sure that the job descriptions are effectively communicating what the job roles
and responsibilities are for that actual position. Some of the work that, you know, we've done with
clients can be really simple as far as just working on standardizing the formatting and how
the actual job description looks on paper and how it's organized in different sections like that. That's kind of like the easy part. But I think, you know,
where it gets the most challenging is the content that's included. And I think when it comes down
to it, we want to make sure that these job descriptions are accurately representing what
the responsibilities are of this role. So if I'm applying for this, can I get a good idea of what
I'm going to be doing
on a day-to-day basis, what the responsibilities are, and then what are the actual skills that
you're looking for and really breaking those skills down between the technical skills,
but then also making sure that those professional skills, those power skills, those soft skills,
employability skills, whatever you call it, are being communicated on
there as well because they're just as important as those technical skills. And then also really
emphasizing the difference between what skills are you looking for and then what experience are
you looking for. And when it comes down to experience, it's important to, sure, be familiar
with if you're working with specific software, that could be helpful. That might be a preference. But at the end of the day, what it comes down to is,
do you understand or are you able to perform this particular action that this software or tool
is looking for? As far as one software to another, it doesn't really matter as far as the brand.
But again, going back to that actual skill
that's being asked for and looking for that specific experience. I think we're also seeing
differences as far as the changes when it comes to those requirements, when it's education or
years of experience, things like that. These are ever-changing as the actual roles are changing.
And then, of course, there's always that challenge
of every job being listed as a cybersecurity analyst
or engineer or architect
and making sure that we are advising these companies
of taking a look at what functionality
is this role really focusing on here
and making some adjustments
to how these roles are classified.
And of course, making sure that that is
communicated on the job description.
One thing I think was like super interesting, this is really
for, for Heather, you as well, as like just the other week where you were working with one of our
really large global clients and in an effort to rewrite and make some suggestions on their job
descriptions and, um, one thing we talked about internally for a while and presented back to them was like,
what style do you want this job description written in?
You know, because there are a lot of different stylistic changes too.
Like some organizations kind of want to go with something a little more hip and others
want to kind of say, in this role, you can imagine yourself doing X, Y, and Z, and others are just more straightforward of like, here's the skills,
or how do you group those skills? I didn't know if you had like additional perspective or just
opinions on stylistic changes or differences in the job description component of, of this work.
Yeah, I think that when you are looking at specifically entry-level job descriptions,
you know, I think there's a lot of people that are very frustrated right now with
people calling a cybersecurity job entry-level when they're requiring two to five years of
experience or, you know, name your certification. So it's not truly an entry-level position. But I
think that if you are an organization that is open to hiring
people coming directly out of an educational program, whether it's a four-year university
or it's a sort of a re-careering academy type of program, that you can write those job descriptions
in a way that really behooves the person that's going to apply for that job. So you can write it in a way that says,
in this job, you will learn how to do X, Y, and Z.
So you can really frame it in a way
that really helps them to understand
that they're not expected to know
all of this stuff just yet.
It's that these are the things that you're going to learn
in what is expected to be probably
your first role in cybersecurity.
So when I think about some of the stylistic things, I think it's about more on the perspective of the person who's reading it and who you're trying to attract to come to your company and making sure that you're speaking in a way that's really going to intrigue them and say, wow, I want to come work for this organization.
Sasha, do you have any other ideas or thoughts?
No, I think that's a really good point.
And thinking about like, yeah, the audience as far as who do you think is going to be
the ideal candidate that you're going to be actually reviewing it.
I think just some other things as far as like stylistic or like formatting kind of things.
I personally like when a job description is kind of categorized as, you know, the role responsibilities
being separate from, you know, the preferred experience, and then having a separate section
for any skills or specific competencies, you know, that they're looking for. And then even
if there's an opportunity within those sections to break it down and categorize it by, you know,
particular, you know, domains or functionalities or whatever it may be, technicalities. I think it
just kind of helps as far as compartmentalizing it a little bit more and makes it a little bit
more digestible and maybe not as overwhelming, especially for those entry-level folks.
All right, Jeff. So when we're talking about cyber workforce intelligence or cyber workforce
strategy, we think of it in
three different areas, talent acquisition, talent management, and talent retention. And Sasha has
touched on the talent acquisition piece. What might you add to that? But then also, as we're
talking about, we've got a cybersecurity team, how do we develop them? How do we upskill them?
But then also, how do we retain them and keep them from jumping ship and going to a different company?
Yeah, I'm a visual guy.
So I think it's really important to kind of like in your mind's eye visualize this problem set as a lifecycle or a continuum. And yes, on the left-hand side of that or the starting point of that is talent acquisition.
And Sasha, you did a great job talking about the sourcing issues and job descriptions were key components of that but as you kind of
continue that life cycle you move into talent management right and that is things like how you
do job family classifications or pay banding right making sure that you're titling those job roles
the right way saying it's an engineer if it truly is an engineering
kind of role versus analyst to Sasha's points earlier. But what are the appropriate pay bands
for that too? If it's a really technical and niche role and it's hard to find, you might have to pay
a little bit more than something a little bit, you know, a little easier to find or not as
technically hard or difficult as a skill set.
But if someone's lumped in,
if you're a really technical professional
and you're lumped into a pay band or a job title
that doesn't emphasize that, you may be underpaid.
So getting that right for an enterprise
is a key component of the talent management phase
of the lifecycle, if you will.
Role analysis, and I hope we can talk a little bit more about role analysis, because I think
this is kind of the center point, the keystone of
doing cyber talent management effectively.
But role analysis is really thinking about what is the role actually
required. What skills do you actually need in this role
at this specific level to be
successful for our specific organization? So that's important. Skill gaps analysis, right?
You want to be able to identify if there are areas of improvement for your team or an individual. So
that's a component of talent management, as well as those training and development plans. And then
you kind of move into the next phase, and that's really around retention or attrition. There's kind of a bleed over there, but career pathing is a component of that, right? People want to understand there's mobility, upward mobility, sometimes lateral mobility as well.
What is the company doing to reduce attrition and keep people longer?
Then we'll get a little bit into company culture and other things that kind of play into that along with training. But those are kind of the key pieces.
And I think of all of those components as essentially levers.
Because if you adjust one of them, they are interconnected.
It will make improvements or deficits in another area. So that's why I kind of really gravitate towards that job role analysis, because if you really start there and get that right, it makes some of those other levers a little easier to know where to adjust them appropriately.
client on that job role analysis, that actual task? What does that mean? What kinds of things are we doing? How are we partnering with these organizations to do that job role analysis and
get some actionable data from that analysis?
Yeah, a number of things we do, but I think
that are kind of just generally really important to do for anybody who's kind of doing this on
their own or working with someone who's helping them. One important piece is just to have a common taxonomy. You want to be able to
compare apples to apples across your job roles. We leverage the NIST NICE framework, the National
Initiative for Cybersecurity Education. We don't really lean into the defined work roles there,
but what we do lean into are defined competencies. So we really like
the version of the NICE framework where it has those 60 defined competencies and they span across
technical stuff as well as those power skills, whether it's leadership, operational, or
professional skill sets. So there's 60 of them that allows us a common language to kind of compare
different job roles. Then you really need to
start to understand what the roles are requiring. And we also look at job descriptions to kind of
get an insight into that. But we know oftentimes, and we're all guilty of it, job descriptions are
a pain in the butt to do. So what do you do? You copy and paste from a previous version. And
what happens over time is that through copying and pasting or quickly getting that work done, you're moving working with job managers to better understand what their expectations are
for those job roles,
and then really triangulate a lot of data
to kind of define what is the actual fingerprint
for this job role as it relates to competencies.
And then again, like when you do that,
and you do that right,
you can then start to compare those job roles
with each other.
So if you're moving up,
you can kind of see that level one to level two
to level three progression, and then what skills are emerging from an expectation
perspective to be successful in any of those target roles. Same thing lateral. You want to
go from SOC to incident response. What's the difference there? Where can we build a career
path for that lateral movement for those teams? So the data is very, very important as it relates to the job role analysis.
I think that's a really good point in that lateral shift or that lateral pathway that
somebody could make within their cybersecurity organization. When you look at some of the
research that's been done on how do we retain cybersecurity talent, one of the things that people are looking for is the opportunity to
grow, learn, develop their skills, and then have a very clear pathway of where can they move within
the organization. So like you said, if you're in incident response, you want to move to a SOC,
with this job role analysis, you can really see as an individual person, as somebody who's saying,
what do I want to do next with my career? You can look at that and say, these are the skills I already have.
These are the skills I need to acquire in order to move laterally into that new cybersecurity role.
So I think that's really helpful for companies to have it as a strategy to help retain that talent.
Sasha, what are some other things that you've seen that companies might do with that?
Can I just add one really quick thing? I don't mean to interrupt you,
Sasha, because I know you're going to say something really great here. But I wanted to
emphasize something you said, Heather, and that is it's really important to the employee, right?
So this is why enterprises need to get this right is because it's important. And if you think back
to these levers and the interconnectedness of those, which is the kind of a key stat point to highlight.
Employees have a 75% likelihood of staying with a company when they're making an internal move.
So you want to like understand how the career pathing connects to retention.
That's something especially people in this field are really paying attention to. Does
the company offer me that mobility and give me a path? So sorry to interject there, Sasha, but
I'd love for you to kind of continue on with the question.
I think that's a great point to make.
And I think going back to your earlier point, it then also can impact the talent acquisition piece
because after you've collected this data and have a better understanding, okay, these are the actual skills that somebody in this role needs to be successful,
then can I go back and make sure that the job description is accurately reflecting that
and emphasizing certain skills, certain experiences that need to be included on that.
So at the very beginning, I'm hiring this talent that actually reflects what I'm looking for.
So it really does all, you know, combine and really hits all of those pieces of this, you know,
life cycle. When it comes down to it, that's what you want to have as an employee. You want to make sure that, okay, I'm getting hired into a position that I am going to enjoy. I'm going to be able to
excel in. I'm going to be able to learn. And then I'm going to be able to grow and flourish and hopefully be able to stay with the organization because that's, you know, pretty much the whole point, right?
Thank you.
Yeah, so I think that as somebody who has worked in cybersecurity and the tech field for a long time, my brain just really likes this idea of frameworks and really putting things into something that's
very easy to digest and understand.
So I really like this concept of a cyber workforce management lifecycle.
So the talent acquisition, talent management, and talent retention.
And Jeff, you were talking a little bit about some of these levers that you can pull to
start doing some of these tactics, right?
And one of the things
was the job role analysis. What are some of the other sort of levers that you can pull within
this framework or this concept of cyber workforce management? And what are some of the things that
companies can do outside of that job role analysis?
Yeah, let me just kind of back up
from that question a little bit and re-emphasize the
importance of the job role analysis as it relates to those tactical actions, right? Because you can
adjust another lever, say you wanted to take a swing at job titles and classifications, right?
If you do that without first understanding those job roles, you may be moving it the wrong
way. And that can start setting you back, right? So if you change the pay range and you're asking,
again, for something really technical or high demand and you are underpaying or you're offering
a salary that's underpaid in the market, you're not going to find the talent you want, right?
So making sure the data is driving your decisions the right way
in that actionable way is really, really important.
It becomes the foundation.
Whatever levers we have.
Right, exactly.
That's why I kind of referenced it as like a keystone.
It kind of holds the arch together
and allows you to kind of make adjustments
other places as needed.
Then I think there's other things, Heather,
you asked, like, what else can you do?
It kind of goes a little bit outside
on the peripheries of that framework
and the eight or so discrete kind of components of it
that I highlighted. You can start talking about
how do we want to organize our work-life balance for the organization, depending on the mission
and the culture of the company or agency or organization, if you're kind of looking at
government institutions, right? Can you have a work-from-home policy?
Does that work?
Do people want to work from home versus be together,
co-located, working together on something in person?
So those are other levers, right?
Something silly as dress code.
I used to work for a large management consulting firm,
and it was a big deal.
We all wore suits in 2010. We all wore suits to work.
And then we got a new CEO. And the new CEO was like, you know what? We are moving forward
into cyber and we want to attract more cyber talent for our contracts and our professions.
And they did a study and they're like, yeah, professionals viewed us as a stuffy consulting
organization who wore suits and they didn't want to wear suits.
So we made a jean policy and it fixed a lot of things.
So something that might seem silly like that can have huge impacts
if you identify, you do the right work to kind of identify
where the source issues are and, you know, actions that might make improvements.
Sasha, what are your thoughts about, you know, just sort of the company culture and,
you know, what are some things that employers can do to sort of shift that company culture to attract
a really good cybersecurity talent and keep them?
Yeah, so I think, you know, Jeff brought up some
good points. I think, you know, company culture and, you know, how people interact with one another, whether they
do individual work or on a team, being able to be familiar with their other co-workers and
colleagues, whether they're in person or not. I think having just opportunities to get to know,
hey, you know, I don't really work with X, Y, and Z department, but I want to be comfortable
with knowing what they do and, you know, what they're responsible for. So that way, if, you
know, something comes up, there's, I know who to get in contact with if I need having that, you
know, transparency and communication flow amongst the different teams or departments, I think is
a really nice feature to have. But then also making sure that as an employee, I feel comfortable
that I just want to learn more and I want to be able to, you know, whether I'm thinking about a
promotion or a lateral move or what have you, or just trying to get, become more of an expert in
the work that I do, having those opportunities for professional development. So it can be,
you know, training, it can be going to conferences, it can be going to
networking events, just being able to stay, you know, up to date in what's going on in the field,
in the specific, you know, industry sector that I worked in. I think being able to have that sense
of comfort and support, knowing that, you know, my company supports my growth and professional,
you know, development and learning, again, can be on a smaller scale or a larger scale, going for certifications or being able to fund me to get another degree or whatever it is that that particular individual is interested in. and community, you know, is I think another really important feature of that. And that again,
goes back to, I feel supported by this company. I want to stay with this company and how can I
continue to grow and develop laterally or, you know, moving up into a different level or position.
But this company cares about me. I care about it. And I want to stay with it for the long term,
I think is the ultimate goal.
You bring up a really good point about
professional development and training that I think that there's, you know, a lot of organizations
will go and purchase sort of this blanket, you know, subscription to, you know, X, Y, and Z
cybersecurity training or project management training or name your thing. And generally
speaking from an adult education and training standpoint,
people will generally gravitate
towards things that interest them.
It's very easy to spend time
and it's a lot more motivational to yourself
to actually take training that you might be interested in.
What I think is interesting about what we're doing
with the Cyber Talent Insights
and some of the job role analysis work that we're doing is that it can really help security leaders identify what skills gaps you have in your team.
I've managed a large team. I've managed small teams.
And as your team grows, it's very difficult to really just sort of keep track of what the skills are that you have on your team.
And you might not necessarily know where those skills gaps are.
And through some of these insights that we can work with an organization to help them see where
some of these skills gaps might be on their team. And that could potentially be a cyber risk that
if you've got nobody on your team that understands identity and access management to the level that
is needed, that's a risk for your cybersecurity team.
So from there, you can then either, you have two decisions.
You either hire somebody that has those skills or you can upskill people that might be interested in identity and access management.
It's just not something that's ever really been on their radar.
So I just, no question here.
I just, I think it's an interesting perspective when you're looking at professional development
that it's not just, you know,
we're going to give you training
on whatever it is that you want.
That's great.
That's a really great employee benefit.
It helps with company culture.
But also we want to make sure
that we're identifying where those skills gaps are
on our teams and closing those gaps.
Providing a sense of direction.
Yeah.
I mean, because like, you know, at the end of the day, you know, for enterprises, it's all about ROI, return on investment, right?
Like, is that training program I'm putting in place a good return on that investment made?
where you should be making an investment into certain training areas
is a really important data point
for enterprises and decision makers there.
But I will emphasize that the ROI
just doesn't stop with the enterprise.
It's important for the employee too.
Like no employee wants to go through
basic identity access and management
if you understand it already.
So if they understand it already,
let's fast forward, double tap that, we'll move forward and we'll do something more complex.
Let's focus on an area that you do need some support because we don't want to waste your
valuable time too. So it's really beneficial in both perspectives and that's where the data really
kind of helps guide decisions there.
Yeah. And I think just to add to that, I think it's also making sure we're not just focusing
on those technical skills. And so if it's identified, especially as you progress,
as trying to go into a manager role, for example, having those power skills. And so giving these
employees the opportunity to either maybe mentor or job shadow with somebody who's already in that position,
but then also giving them the opportunity, hey, you lead this presentation and we want to work
on those communication skills, you know, both written and verbal. But let's say it's, you know,
a presentation, giving them the actual experience, the practice. So, okay, are you comfortable
presenting to, you know, high level leadership? And you want to make sure that you're getting that experience.
It's not always something that, you know, you sign up for a course, you know, to do.
It's sometimes just getting more experience.
But again, using the data to pinpoint that area of focus and a sense of direction on,
okay, what kind of training, what kind of experience can we help develop in you?
Yeah, Help Net did a survey last year,
Help Net Security, around the soft skills.
And they found of the soft skills,
these are the five that were in most demand
from employers looking at cybersecurity candidates.
Communication, critical thinking,
problem solving, teamwork, and attention to detail.
And we see it every time we talk to a
client. It's like, yeah, there's no soft skills, no power skills listed on the job description.
You ask the job manager, is that important? They're like, oh, absolutely. Well, then we
need to fix that, right?
I love that you brought that up. So in closing, if you're talking to a
cybersecurity leader, so somebody who, it could be any one of
these, it could be a CISO, it could be a director on a cybersecurity team, a manager of a cybersecurity
team, or even somebody in maybe HR or on the learning and development team that might be
responsible for helping to develop the cybersecurity talent in the organization, what is just one really good piece of advice
that you would give somebody
that really just has that responsibility
as part of their job?
What is one piece of advice that you might give them?
You want to go first, Sasha?
Sure.
I think, you know,
and as we're talking about all this,
I want to tell them,
make sure you're friends with your HR
and learning and development, you know, department or team and collaborate and work together. And I think,
you know, so many times, I mean, I think that can be a whole nother conversation within itself, but
we see how, you know, they're so siloed off from each other and not talking to one another. But I
think, you know, those in human resources, learning and development, they obviously have specific
skillset and education experience that can really help with some of the things that we talked about, whether it comes to just
the job descriptions or the training piece and things like that. But making sure that there's
that communication and collaboration between the CISO or, you know, just the cybersecurity
department in general, and making sure that they're aware of what they're looking for.
So that way they can collaborate and work together to make sure that at all pieces of this
life cycle that we're talking about, from the talent acquisition to the management and to
retention, there's collaboration and communication there. So everybody is kind of happy and getting
what they're looking for.
I would definitely echo that. I think that a lot of the work that I've done over the years,
I really just kind of introduced myself to people as I'm the bridge between the CIO,
the CTO, or the CISO and the HR learning and development team. I'm sort of that bridge.
Because in a lot of organizations, especially as organizations get bigger and bigger,
the two aren't talking to each other. And so I really think that that's a great piece of advice for anybody in any size organization,
Sasha. So thank you. Jeff, what might you provide as a piece of advice?
I mean, I would also echo
the same, but for the sake of listeners, I will highlight a different part of it, although that
is a really important component here.
I would say that understanding that this is complex.
We're talking about people,
and I think people is always complex.
And I think a lot of organizations,
well, I should back up.
A lot of the cyber teams
feel like they have to take this on themselves.
I think, too, some of the disconnect with HR or L&D that we just mentioned here,
that HR doesn't understand technical things, they're not getting things right,
and each are pointing fingers at each other.
Not all organizations, but some.
So it is complex.
And because it's complex, a lot of times cyber security teams take it on themselves to do it. And I think
that's fine, but because it is hard to do,
it is hard to do in addition to your regular duties, and that's what we see all the time.
Some SOC managers trying to take on a lot
of components of workforce planning and workforce intelligence
as a side duty to the
organization. And I don't think you kind of move through it as effectively because they have other
priorities to deal with. So highlighting that point along with that, there's an approach to do
it. And that approach really centers on data collection and data analysis so that you're not
just going into a room blindfolded. You can actually turn the lights on and see what's around you so you know where to kind of move next and what you're looking
for as you kind of, you know, traverse this complex labyrinth of issues. So those would be
the things I would kind of add to it.
That's it for this first episode of Cyber Talent Insights.
We would love to continue the conversation with you offline.
Feel free to connect with Sasha, Jeff, or me on LinkedIn.
Send us a message and we're happy to talk about cybersecurity workforce intelligence.
For additional resources from today's episode and our LinkedIn profiles, check out our show notes.
Please join us for the next two episodes in this series
where we cover cybersecurity workforce intelligence
from the individual's point of view in episode two
and how to strengthen the cyber talent pipeline
in episode three.
We'd love to know what you think about this podcast series. You can email us at
cybertalentinsights at n2k.com. Your feedback ensures we deliver relevant information to
develop effective cybersecurity teams in the constantly changing landscape of the industry.
We're privileged that N2K and podcasts like Cyber Talent Insights are part of the regular routine of many of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic
Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes.
Mixing, original music, and sound design by Elliot Peltzman. Our executive producers are
Jennifer Iben and Brandon Karf. My co-hosts are Dr. Sasha Vanterpool and Jeff Welgan,
and I'm Dr. Heather Monthie. Thanks for listening.