Quite often, cybersecurity risks are associated with technology and research, and the importance of the human factor is underestimated. In recent years, this has resulted in strategies that favor technology over talent acquisition.
However, the cybersecurity skills shortage is a remarkable challenge for many enterprises: the market offers only a limited pool of experts, and the competition to attract them is quite fierce. Highly motivated and skilled young professionals are the main component of this pool.
Organisations have little to no control over this shortage. Significant investments and changes in our educational systems will be required to address it, with effects expected only in the long term. For instance, NATO’s cybersecurity requires technical specialists from several disciplines (forensics, malware analysis, incident handling, and so on), policy advisors, and project and program managers.
Not having the right talent is one of the main cybersecurity risks today, requiring a revision of talent acquisition strategies. Large organisations (and especially public sector ones) tend to use a “traditional” approach to talent management. Financial offering and job stability are the top negotiation elements used to attract and retain talent across the board, including cybersecurity positions. Whilst they once constituted the main levers observed on the market, young professionals (and especially cybersecurity ones) follow a different logic.
Considering “new factors”
For instance, popular questions received from candidates during cybersecurity interviews tend to focus on topics such as the amount of teleworking, the availability of training and development, and the nature of the working tools/technologies to be used. The overall package offered tends to be less important than these elements, denoting a remarkable change in the way professionals choose their next job.
Organisations need to understand how new factors, including gender and generational differences amongst others, drive the choices of professionals, and establish new tools to manage them. This requires a revision and improvement of the way we identify, select, and hire cybersecurity professionals.
Values such as the mission of the organisation and its impact on society, the pursuit of excellence in operations, and the adoption of the latest technology tools constitute differentiating factors that can (and must) be identified, acknowledged, and communicated when offering a new position.
The skills shortage in cybersecurity, and the vast number of unfilled positions available on the market, impacts not only the selection but also the (in)ability of modern organisations to retain cybersecurity talent. The “traditional” approach mentioned above is based on the idea that, once acquired, talent should be incorporated in the organisation and retained for as long as possible. Conversely, considering the shortage, the fast-changing environment and the new approach to work-life balance adopted by younger generations, retaining talent proves to be a nearly impossible mission.
In such a complex environment, organisations should change their thinking from “retain at all cost” to “fast turnover is inevitable”. In NATO’s case, instead of trying to beat the competition and retain talent for as long as possible, we should accept the concept of high turnover and rebuild our talent management accordingly. People who work with us should hold on to our values, become ambassadors of our mission in current and future roles, and retain both throughout their career paths.
Another important dimension, which is quite relevant for government entities, pertains to competition in selecting and attracting talent. Triggering competition between entities that are part of the same administration is a natural conclusion of the “traditional” approach described above. Considering the structure of the market, a more effective strategy would be to limit the competition between these entities and encourage personnel exchange between them. Recruitment and retention are complex and expensive processes: once talent has been on-boarded, it would make sense to encourage access to other parts of the same administration rather than trying (and probably failing) to retain them at all costs.
Changing the way we manage human capital in large organisations such as NATO is hard, but is urgently needed and requires attention and support from decision-makers and leaders. If we want to be ready for the next generation of cybersecurity challenges, we need to act today.