Talent in cybersecurity: avoid recruitment fatigue, promote internal mobility!
The situation is clear: there is a shortage of talent in cybersecurity. The numerous figures and studies show that there are tens of thousands of positions going unfilled, and every country around the world is facing the same situation. With this in mind, we wanted to explain this situation and identify what organizations are doing right now to tackle this problem.
Through interviews with some fifteen companies, we gathered information on their maturity in terms of cybersecurity talent management, using methodologies derived from the Harvard Business Review. Talent management practices are sorted and assessed on two axes: individual/collective and short-term/long-term.
The complete results will be published soon, but the initial analyses speak volumes and are consistent with what we see on the ground. Maturity is low, around 40%. Companies are adopting an individualistic, short-term, salary-based approach to attract talent, which is leading to the inflation that we are currently seeing.
But the most striking weakness lies in the long-term management of individuals. What are their career paths? What training programs does this entail? What future does each profession have? What goals are being met? The collective approach is also suffering; there is little meaning being fostered within teams, and knowledge management is often lacking.
This leads to two problems: high staff turnover and a lack of attractivity for the entire cybersecurity industry. Internally, cybersecurity teams are often seen as isolated entities disconnected from the other business units with staff that work a lot (perhaps too much), are stressed and locked in for the future. Imagine if we could show all the richness and prospects the cybersecurity field can offer to build an incredible pool of talent: of course, I am talking about the employees in your own organization.
Obviously, cybersecurity talent management involves more than just hiring difficulties. CISOs should think about promoting and cultivating their teams and fields internally and work to explain the variety in the professions and skills we need.
The goal is to incite others to want to work in our field. This technique works, although it requires effort. I know of a company that managed to bring ten people from within their company into their cybersecurity team. Of course, they were not cybersecurity experts; they needed training. But these employees came with a background that was very useful to understanding the company and how it works, not to mention the networks they had already created. This is an excellent way to help advance cybersecurity projects.
Let’s attract those with the skills we lack and who can learn the skills that they lack. The rare-bird expert that everyone is looking for is out there – if you know how to combine talents!