Data breaches dominated headlines in 2017, with more than 1200 breaches affecting up to half of the US population. Almost every week brings a new unsettling headline.
The current threat environment accelerates pressure on already overworked and understaffed security teams to shore up their organization’s defenses. There simply aren’t enough well-trained workers to cover the need. The Center for Cyber Safety and Education’s 2017 Global Information Workforce Study forecasted a 1.8 million cyber worker shortage by 2022. Solving it is one of the most important challenges our economy will face over the next 20 years.
Worried organizations may be inclined to exhaust their budgets poaching cyber-skilled individuals from other companies. A better approach would be to explore a deliberate, well defined workforce development program that enables cyber talent to grow and evolve, not only to match the tactics of changing external threats, but to maintain an equipped team for the long term, despite turnover.
When it comes to building and maintaining a security team, most organizations source candidates the same way they recruit for jobs in marketing, accounting, and everything else: they write a job posting based on a mix of experience, skills and certifications, and then hope the perfect person walks through the door. Unfortunately this approach doesn’t work in cyber.
For starters, consider today’s abundant cyber security job listings; many require multiple years of experience for entry- or lower-level positions. Most organizations summarily dismiss candidates not meeting often arbitrarily determined minimum requirements. When we exclude those looking to break into the field, we unwittingly decrease the cyber security workforce. Recognizing that 87 percent of today’s cyber security workforce started their careers outside the industry, it would be reasonable to institute a structured on-ramp for those lacking preferred experience but demonstrating a passion for the field.
Truly effective cyber security still requires an enormous amount of human analytic effort. These "new collar" jobs are often based on aptitude characteristics rather than a set of specific skills or employment experience, opening the gates to a broader range of potential hires. Ideally, a well-rounded team should include people with varied backgrounds from diverse disciplines like engineering, architecture, business or even the arts. Their collective experiences can pay dividends when married with cyber skills, bringing unique perspectives and advantages into the organization.
There are also some characteristics innate to top cyber security performers. They are passionate about their field. They have a great love of problem solving. They’re creative. They’re strategic big-picture thinkers. And they’re adaptable to frequent, continual change. Combining the right set of personality traits with a well-designed workforce development program may be one recipe for closing the workforce gap.
Where to start? Once your organization decides to grow its own cyber talent, you must adopt a new mentality, moving from "we don’t have time" or "we can’t afford to train" to "we will create the time" and "we can’t afford not to train." Look to the low-hanging fruit of your existing IT staff or technically oriented business users first. They often have a strong technical acumen, familiarity with the business, and can make an immediate impact when armed with the right cyber skillset.
While each organization’s needs will be different, these seven steps will help you establish and maintain a best-in-class program:
Step 1: Identify Roles
Begin by outlining broad tasks the security team must complete to bring the organization’s risk to an acceptable level, such as operating the existing security infrastructure, configuring and analyzing logs and activity feeds, red teaming and incident response, and fulfilling specialized tasks like malware analysis. Then group these tasks into job roles and performance levels -- those that currently exist, and those you hope to add. A useful guide is the NIST publication 800-181 which lays out its NICE framework and recommended roles.
Step 2: Define Skills
Each job role should be mapped to the specific, granular set of knowledge, skills and abilities (KSAs) a team member needs to possess to complete the tasks required of them. This makes the expectations and qualifications for the job clear. Mapping KSAs may take time, and the developers will almost certainly need to revisit and reevaluate them as new tools, technologies and threats are introduced into an environment.
Step 3: Assess Workforce
An honest workforce assessment is perhaps the most critical step in the process. At the team level, mapping the assessment results against the requisite KSAs reveals the program’s competency gap. Gaps are normal and expected -- even new hires can’t be expected to have mastered every KSA for their role upon hiring. This is what makes the development process so important.
For individual team members, evaluating ability is vital to consistent development. Security staff will join the team with different experiences and skills, so assessments will baseline their abilities. Further, regular skills assessments can help create a training plan that sets expectations for what is required for job advancement.
Step 4: Develop a Plan
Once you’ve defined the roles and identified your workforce’s skill gaps, it’s time to create a plan that fills the gaps and fully enables your cyber security capabilities. Not only does a defined plan create a pathway to success, it also establishes a mechanism for enrolling current staff and new hires into a program that will mold them into the resources the organization needs to achieve its security objectives.
The goal of your plan should be sustainability to ensure that you have a pipeline of resources to fill your security team over the long term.
Step 5: Acquire Skills
Acquiring skills within a true workforce development program is a cycle. Many companies think they’re doing this effectively now, but they’re often doing it in a way that is ad hoc, expensive and largely ineffective. In the best development programs, there is very little wasted effort in this process. That’s because elite security programs train in skills-based modules that tie directly to KSAs. These programs offer micro-training: hour-long or half-day sessions with 100 percent applicability to the job role. In this targeted, outcome-based approach, employees are acquiring skills constantly, and not during once-a-year training seminars.
Step 6: Validate Skills
Individual skill validation is important and should be part of the foundation of any good cyber security workforce development program. But team validation exercises go an important step beyond. Such exercises leverage programmed security scenarios, such as simulated attacks in contained virtual environments, to test the team’s ability to detect, identify, and respond to common scenarios as a unit. These exercises build teamwork, cooperation, trust and respect in high-pressure situations. They may also help identify weaknesses in process, communication, or technology that aren’t readily apparent through individual skill assessments.
Step 7: Adapt and Revise
Tools, technologies, and threats change rapidly. It’s important to revisit your organization’s roles and the KSAs assigned to them to ensure your team keeps pace. Your workforce development plan is meant to be a living document that bends and flexes with the security landscape. For it to be effective, review it at least annually, but more often if you can, alongside other critical policy documents.
Building a workforce development program with these best practices in mind will ensure a consistent supply of mission-ready resources for your organization. Setting growth objectives for both new hires and experienced staff ensures that the team can take a "next person up" approach when advancement opportunities are available. And it’s that approach that makes a security program resilient and sustainable over time while maintaining an extremely high performance level.