Cyber Security Talent Development Lessons Learned


There is little debate that organizations are struggling to defend against the myriad of cyber attacks they face on a daily basis, or that cyber security talent development is playing a big role in this.

This includes considerations like the ability of organizations to find and staff qualified security talent, and the ability of schools to offer training programs that can effectively develop this required talent with quality, at scale and as needed. Finally, it includes making these programs feasible, available and essentially worth it for students that choose to develop their tech or cyber talent. It is a big concept with many audiences, perspectives and opinions.

I have been operating in this talent development ecosystem from a couple different aspects since 2015. This includes as a CEO and Career Technical Education (CTE) teacher. This article presents some opinions and recommendations based on these experiences and vantage point so far.

Further, since perspective is a big part of this conversation, you will notice that each consideration discussed below is stratified by these different audiences and perspectives.

First, from the view of organizations and/or security professionals within a security program. Then from that of students looking to enter the cyber domain, and then finally from that of a school.

Security programs are still not standardized

  • From a security professional or leader perspective, the more non-standardized your security program is, the harder it will be to find and develop talent for it.
  • From an aspiring student perspective, start with foundation training that provides a big picture understanding of key concepts. This will accelerate your progress and speed of development, finding that first job, and often then ascending the corporate ladder. This will help you navigate in non-standardized organizations. However, connecting these dots does take time.
  • From a school perspective, access to realistic professional environments and teachers is needed. These teachers need the right training and professional experience to properly prepare students for the road ahead.

Why can’t security programs standardize?

I agree that as an industry we need to develop more standardized ways of categorizing the program and work we do in an organizational security program. An example in terms of work roles and tasks alignment would be the NIST NICE framework. At the same time, we need to recognize that security programs of today are highly variant. They lack standardization and one size definitely does not fit all situations.

As a discipline, we have a ton of conflicting and non-standard approaches. With so many different approaches it is no surprise that organizational security efforts highly vary. There are a multitude of best practice frameworks. There are also regulations based on where organizations do business and the types of data they manage.

Organizations also have varying security program management structures. Just as important are differences in the program maturity associated with those structures, in roles and accountabilities with the IT organization, and in overall technical architectures.

The common organization will have a security team that must manage or observe hundreds, if not thousands of different implemented security safeguards and technologies. This will be anything but the same across organizations.

As a result, talent development programs need to focus heavily on techniques and skills for developing students with a strong understanding of simply how to navigate and make sense in these situations and environments. Most that I have seen do not.

Instead, many cyber security talent development approaches are trying to teach this understanding overnight. However, this ability takes time and only comes with appropriate support, iterative development and coaching, experience, and time. More on these items a bit later.

Certification first programs slow cyber security talent development

Cyber security certifications are a strong part of the development process for a cyber security professional. However, they just should not come at the beginning of a student’s development journey.

  • From a security program perspective, there is almost no alignment between a certification and an ability to execute, unless the certification is for a very specific technology or niche position.
  • From a student perspective, be wary of going the certification route to start before you have a foundational understanding of how to navigate a modern security program.
  • From a school perspective, while there are motivations such as funding to align your curriculum to certifications, be cognizant of the impacts this can cause new students in a discipline like cyber security. The biggest of these impacts is a limited or skewed big picture view of how to work in the discipline.

What is the problem with cyber security certifications?

There is a limited relationship between a cyber or technical certification and performance competency. However, this is the way we all seem to be programmed in cyber security talent development.

Cyber security certifications, of which there are currently more than 185 and growing, often work against presenting an early developing student with the competencies they need to effectively perform their jobs. This is even more true of giving them a framework of understanding to perform that job in a non-standardized security program.

So why is this happening? Many high school and college programs are required to attach industry recognized certifications to their curriculum in order to receive certain funding.

When they then offer these courses, beginning students see this pathway. They often then think it is the best way, and sometimes the only way, forward. This can be overwhelming for newcomers. It also might lead to a superficial understanding of the material. For example, memorizing information for exams without truly understanding underlying concepts or how to apply them in real life. Full disclosure, we offer certificates of completion and now digital badges at CyberForward Academy. These are not the same as an industry recognized certification, but can still create some of the same issues.

Security Vendor Certifications

Another cause is security vendor product certifications. These programs are very common and often free. These teach someone how to perform tasks within the construct of just that product architecture universe.

Now there are some great cyber product companies out there. Many also have great training academies. However, an organization almost never solely implements only one brand of technologies. This makes presenting a full picture difficult for students.

Now don’t get me wrong, there is a time for certifications, just a little down the development journey. This occurs best when a student has a better frame of understanding and some competency after some fundamental development.

The farther down this “certification first” path we go, the farther from standardization we get. Thus, the longer it will take to develop talent and then make them effective working in organizations.

Students need to start earlier in cyber security talent development

Students need up to two years to really become competent in cyber security at mid-level roles. Further, when students start earlier, such as in high school or community college, they can get the training for minimal cost or even free.

  • From a security professional perspective, most would agree that it takes time to develop a competent security professional. The earlier a student starts the more development time they will have when they do enter the workforce.
  • From a student perspective, the best time to get security training is when the school pays for it and it is free. However, the tradeoff is that you may not have access to a teacher with professional experience. Further, there are still not enough opportunities in schools for all the students that want them.
  • From a school perspective, to really build effective cyber pathways you will need to build partnerships with the cyber industry.

There are lots of opinions floating around about training programs, often called bootcamps, that promise to develop students in a short time frame (less than 1 year) and get them into cyber security jobs. Adding more complexity, these training programs are often very expensive for the student.

A student can best solve these problems of expense and duration with this earlier start. From a duration perspective, when students start in high school, they can get 2-3 years of development by the time they graduate. Finally, if they go on to college, great, then they can continue to develop their skills with increasing levels of work experience within the discipline.  

Finally, to make this happen more high schools and community colleges need to implement more effective programs. This includes programs that consider and span across the entire talent development lifecycle. We need to continue to develop more teachers and coaches at scale and students need appropriately supported work positions as they develop.

More entry level positions won’t solve cyber security talent development

Many people say either that there are no entry level positions in cyber because the work is too hard, or that hiring security leaders are simply not designing enough entry level positions. So far, I have not seen success in the application of entry level positions in most cyber security programs. However, I have seen success when businesses or schools set up standardized work environments. Within these environments, there is proper support for newer workers.

  • From a security program perspective, many organizations are looking to develop training systems internally to develop and support talent in their environments. Be aware this can work but there are many considerations in its application. Namely it is very expensive, difficult to implement and generally can be very hard on the morale of the existing team when not done correctly.
  • From a student perspective, choose training and development programs that provide the right level of support during development for at least two years. Further, as you transition from student to worker during that time you should look to do so in an environment where you are doing real work with the right support levels. Finally, make sure you are ready based on your current training to enter a supportive work environment.
  • From a school perspective, you will want to ensure that your training programs extend into support systems that continue the development of your students when they start and during real work in the discipline.

Are cyber security apprenticeships the answer?

The right level of support for the level of the resource is crucial in cyber security talent development. For newer talent, they must have direct access and participation to organized execution teams and coaches. This must happen in the right managed and supportive work environments while they continue their development and successfully execute as a worker.

Now these supportive technical work environments might sound a lot like an apprenticeship. In spirit they are, but there are two big challenges.

First, we are still using the same tech apprenticeship model from the 1700s. Essentially, think back to a metal worker or blacksmith teaching his son as the apprentice the skill to make a sword. It was a one-on-one relationship and not designed for scale.

Modern technical apprenticeship requirements today are still using close to the same execution model. These are the requirements an employer must follow to have a “registered” apprenticeship. Specifically, most use a ratio of experts (teachers) to apprentices of 1 to 2. This, coupled with the administrative requirements, makes apprenticeships in technical roles really expensive, so that they effectively do not make sense for most organizations.

Are cyber security internships the answer in cyber security talent development?

So, you may be thinking as an employer that ok, we will use an internship model instead. This is becoming very popular in many organizations now to run massive summer internship programs through their technology organization. These programs are a good step forward and thank you to the organizations that do them, but they do present risks.

Namely, they lack the official or standard structure you see in an apprenticeship, which covers items such as the work an apprentice will do, for how long, and who must provide support. There is none of this with an internship and there are many different types.

An employer can structure them in any way. This can cause varying support levels for developing talent. It also puts workers in a position where they now must be teachers without often having proper guidance and training to do so.

I did this at CISOSHARE, when we first started CyberForward Academy from within it. It ended up working out, but this led to a lot of mistakes and some very hard lessons.

I will always be thankful to those that worked so hard in those early days. We had people working over 100% on their day jobs then spending countless more time on training support for students. It was tough. However, some of the things we learned then have shaped the items presented here. It also shaped the current application of CyberForward Academy.

How do we scale when students need so much support?

Three main things. First, we need to use a team-based approach earlier in development. This is because everything in cyber security happens in teams. Everything. 

Even if you are a firewall administrator that changes that rule by yourself you are on a team. You are still getting that rule reviewed by a supervisor. This includes working through change control, or on a firewall team in larger organizations. You are on a team making that change, and this is the case for almost all cyber and technology roles.

Most importantly, when done right the majority of this support for developing workers can come from the power of a team. The majority of training for technology still is not taking advantage of this consideration. By design, recorded content programs you can take at your own pace offer very little team aspects.

Second, we need more teachers and coaches. Coaches provide feedback and technique guidance for developing team members during practice and after games. Except on the soccer field and basketball court at high schools, they are close to non-existent in academia in technical disciplines.

We need programs that develop teachers and coaches at scale. We need teachers for early courses on the development path, then coaches as tech students transition to workers.

Finally, we need more practice environments. These environments have the tooling, environments and visibility by coaches for developing students to improve.

Align talent supply, transition & demand

Systems for developing talent need to be aligned but separate from systems for offering and delivering those services. As important, the best development models for technical talent will provide a roadmap that traverses and connects the supply elements with the demand elements.  We call this the transition phase of the technical talent ecosystem.

  • From a business or security program perspective, consider how you are building a talent system that connects the supply of talent (training and work readiness), with the demand portion (ability to produce work and demand in businesses for it). As important, how you are supporting the transition from supply to demand.
  • From a student perspective, you need to find programs that will develop you from your early classes into your first paid work situations. This includes making yourself work ready in addition to just being certified as you transition from student to worker. They are very different. Most important is ensuring that you have supportive programs or work centers to help you across the supply to demand chasm.
  • From a school perspective, just like businesses, you need to build development systems that create a multi-year program getting participants from student to worker. You may also want to explore having work centers with the right support on your campuses to better achieve this.

Why does alignment matter?

Looking at talent development from an ecosystem perspective is important for three primary reasons. First, students will traverse all aspects of it from the supply side (training in schools). Then, during a transition phase they move from student to worker. Lastly, they will move into the demand phase (work and job performance).

The best talent systems will be developed if communities, schools and businesses within them consider and align across the entire system, even if they focus on only one aspect of it.

The better we do this, the faster we will develop talent, the more valuable they will become, and the better they will help organizations with their services. Better services mean better protection in organizations from attacks. A win-win for all.

Finally, to support collaboration, communication and readiness of the components of this ecosystem, we need more standardization between communities, schools, businesses and students. We all need to speak the same language as we focus on different aspects of the talent development process. We are spending a lot of time here and trying to help organizations with this effort.

Cyber security talent development conclusion

There is still more to learn as we explore this cyber security talent development and overall high technology development approaches in general. In the end, our work is not done until organizations are more effectively able to manage cyber attacks and students are more effectively being developed. Please let me know your thoughts and feedback and let’s make this happen together.

About the author

Mike Gentile serves as the Founder and CEO of CISOSHARE, an Inc. 5000 cyber security consultancy, CyberForward Academy, a high school and adult professional development organization, and TalentSplit, a technical talent ecosystem service provider. In addition to his leadership roles, Mike is co-author of the CISO Handbook and also an active credentialed CTE teacher for high school, community college and adult learners.