Philip Hung Cao


Security Talent Management: Leveraging the “Cool”



When governments routinely address cybersecurity as part of their policy, you know that the topic is of national interest. When vulnerabilities are found in—and researchers demonstrate attacks against—computer systems in medical devices, automobiles and airplanes, you know that the significance extends even farther.

While that kind of recognition is important for the profession as a whole and is certainly impactful, there’s another area in which cybersecurity is gaining interest that is arguably more impactful to most practitioners on a day-to-day basis: an increase in cultural interest.

TV shows (e.g., CSI: Cyber, Mr. Robot) and movies (e.g., Blackhat) that popularize the topic serve to guide younger professionals toward the discipline. You know that the cultural awareness has been firmly established when a movie like The Duff (a lighthearted teenage comedy) both features a hacker as a main character and incorporates security as a significant plot point.

When it comes to talent retention and acquisition for those in (or running) a security organization, understanding that this phenomenon exists – and knowing how to get it working in your favor – can be part of a security manager’s broader plans.

Leveraging cultural interest

Junior roles in any organization are the hardest to fill. Why? Because leaders tend to have more experience than the candidates they seek to hire; as a consequence, the folks in their virtual “rolodex” are those that they’ve worked with or collaborated with in the past – i.e., those with (most likely) a similar amount of work experience to their own.

Moreover, the folks moving into those junior roles are those more likely to be newer to the workforce. A recent study from the Brookings Institution found that 64% of millennials (those born between 1980 and 2000) would prefer to make US $40,000 at a job they love (i.e., one they find interesting and engaging) vs. US $100,000 at a boring job. In other words, the work they value most is that which is most interesting. An increase in cultural interest on the topic of security means a corresponding uptick in the ability of security managers to find the best and brightest for their teams. That said, it’s up to those same managers to retain them once they’re there.

This is where job rotation and cross-training within the organization can play a very beneficial role because, let’s face it, there are some jobs that are less interesting than others but still need to get done. Since fulfillment and interest tie directly to employee satisfaction (and thereby attrition rate), periodically “refreshing” staff (sharing the load for those less interesting tasks) helps keep those folks from getting bored (and antsy to look outside the organization for more fulfilling work). Additionally, rotation of duties can help deepen internal understanding of the organization, cross-pollinate valuable skills and build a depth of experience for future leaders.

There’s a cultural phenomenon at work; at least for the moment, security has the interest of the media. The impact of this in the short term could mean an upcoming reduction in the pain we all feel as a result of the much-discussed security skills gap (an issue ISACA’s Cybersecurity Nexus [CSX] aims to address)—but for those thinking longer term, planning now for a way to hone, develop and retain those folks once they’re through the doors is time well spent.

Ed Moyle
Director of Emerging Business and Technology at ISACA



Copyright © 2006-2022 Philip Hung Cao. All rights reserved