Apptega's recent nonprofit cybersecurity expert panel spent some time discussing the talent gap in the market for cybersecurity resources. We wanted to share some of the highlights...
Stan Kubis, CIO and Senior VP of IT at the Boys & Girls Clubs of America, is a firm believer in taking advantage of the talent gap as a career development opportunity. The Boys & Girls Clubs focus on growing staff internally, working around the shortage of cybersecurity professionals and building a team of people he already knows and trusts.
Kubis restructured his department to be as lean as possible, taking advantage of efficiencies gained over the years through outsourcing. Outsourcing functions like help-desk, application development and infrastructure management allowed them to refocus headcount around leadership roles and security. “It’s a multi-pronged approach, working with our service providers, our internal staff and so forth,” said Kubis.
James Baird, VP IT Security and Compliance at the American Cancer Society, also believes that the talent gap is an excellent opportunity for learning. “I’ve taken the opportunity to identify…people who currently work for me and train them. I’m upgrading their skills which is a retention tactic that I use. Now, I’ve given them PCI certifications so that they can do our internal security assessments themselves.”
Baird has also constructed a capability model and documentation that explain what a role in cybersecurity looks like, so his current employees can see if they could be a good fit. Baird built this process using NIST’s NICE Cybersecurity Workforce Framework. “I’ve made capability models that show exactly what the role is by utilizing the NICE framework. The NICE framework has KSAs, the knowledge, skills and abilities, as well as typical job responsibilities.
“These NICE components are very valuable for me because it does a couple of things. Number one is, it lets the people who currently have the roles that are identified through the NIST NICE framework, allowing them to understand where they have gaps. Maybe that's their chance to move from a junior level position to a medium level position, or to a senior level position. It also shows people who are outside of security, if they want to join the security team, this is how you get there from where you are working now…This doesn't cost me any money, by the way. I'm investing in my own people, and I'm investing in developing that internal job pool of people who can come and join my team should somebody leave.”
In short, the consensus on how to address the lack of talent in cybersecurity can be summed up in Baird's own words: “…my answer to this unemployment situation is if I don’t have to go back out to the market to look for somebody else, then I don’t have a problem at all with the unemployment. I can grab people from inside.”