The cybersecurity talent thing is getting old. Everyone talks about it, but nothing really changes across the industry. We don't have the cybersecurity talent, we don't have the skillset, we can't keep our cybersecurity talent. But honestly, we are not doing ourselves any favors. My feeling on the topic can be summed up by a quote from the movie The Bourne Legacy: "You were given a Ferrari and your people treated it like a lawnmower."
I should stop here and let you fill in the rest, but I can't leave it there.
Cybersecurity has a branding and marketing problem. Too many people enter the cybersecurity field with unrealistic expectations of what they will be doing and of their career trajectory. They expect to be the hacker in the hoodie sitting in the corner watching green characters scroll down a computer screen like a scene out of The Matrix, while crafting a wicked Python script that would make Guido van Rossum jealous. (He created Python, by the way.)
The day-to-day grind of cybersecurity at many organizations comes up short of what most people are expecting when they get their first paid cybersecurity gig. Interestingly, many prospects are less interested in being a cyber trope and more interested in using their technical ability. The public perception of cybersecurity may in fact be hindering our ability to draw in the best talent. Sarah Coble from Infosecurity Magazine wrote an article titled "Cybersecurity Isn't 'Cool' Enough to Attract New Talent." The gist of the article is that most people actually perceive cybersecurity as being boring and "full of dorks." Sure, we can be dorky. A lot of us relish our dorkiness, but that's not the reality of cybersecurity. It is a technical profession that's finally beginning to diversify. Everyone with a passion for technology and a willingness to learn can and will flourish.
What exactly can we as an industry do today to solve our recruiting and retention issues?
Step 1: Find the right people and set the correct expectations.
Step 1, getting talent into our field, requires that we paint an accurate picture of what a career in cybersecurity looks like. Obviously this is easier said than done, but it starts with all of us doing our part. Prospects are less interested in marketing fluff and more interested in what systems they will work with, what technical skills they'll learn, and how they will be challenged. They want to know about the team and how they fit into the big picture. Unfortunately, most companies fail to complete step 1.
If you get step 1 right, you are probably ahead of many of your peers. So now that you have found someone for a position, you need to start building the skillset they need to work for your organization. Universities are doing a great job laying the groundwork for a successful cybersecurity career, but recent graduates are not coming out fully prepared. They need more training to be effective within the cybersecurity industry. At NuHarbor, for example, we hire a lot of people fresh out of school. In general, we're investing another $15,000-$20,000 in additional training to bring them up to speed. This way, they can contribute to the broader team effort. Companies should not expect a student with a baseline degree to be ready for deployment. Your investment in your team will keep people around for the long haul and make sure your staff has the tools they need to do the work you hired them to do.
Step 2: Develop your cybersecurity talent
If you are fortunate enough to find someone with the right aptitude for the position, get them through your training, and release them into your organization, you can't put them in a corner to churn widgets. If you're going to keep this new member interested and get them to invest themselves in your company, you need to develop them. During my days in the Federal Government, I found that many people were hired to accomplish "cyber tasks," essentially using someone to accomplish the same tasks day in and day out. They show up and spend their days resetting passwords, onboarding users, monitoring a single technology, tracking silly things like rolling residential IP addresses for bot activity (by the way, don't do that unless you like whack-a-mole). If you're working your staff like this, you're limiting their development to a few narrow areas. Even if they do this for 20 years, they really only have a junior skillset in cybersecurity. This limits their value to your company. Also, if they decide to leave, the next company is getting someone with a senior-level pay requirement and a junior-level skillset. This combination is detrimental to our industry and frankly makes us, collectively, look like ass-hats.
If you are an employer, you have an obligation to train and develop your staff. If you are an employee, you should ask your employer to help you diversify your skillset.
Step 3: Figure out how to keep your cybersecurity talent from leaving
Finding good talent is hard; keeping good talent is nearly impossible. The reality is that your best staff members are the hardest to keep. Good people are sought after, and other companies are going to do their best to poach your talent. Most cybersecurity professionals I know want to work with other talented people and to be challenged and inspired. Pay, benefits, working from home, and all the other perks you offer are very important. However, if people look around the office and realize they're light years ahead of everyone around them, like in the movie Idiocracy, they're eventually going to leave. (If you don't remember the movie, average guy Luke Wilson wakes 500 years later to find he's the smartest person on Earth.)
It's a pretty simple solution, "A" players want to work with other "A" players.
Keeping your best people requires strong cybersecurity leadership; top talent wants to be inspired and challenged. As a leader, if you can't move the "intellectual cyber needle," how do you expect to challenge your staff? Cybersecurity leadership is hard, especially if you do it right. Leading from the front, pushing the boundaries of what your staff thought was possible, and removing barriers to staff success is a hard and thankless job. But it could mean that you don't have to rehire your staff every year.
Next time someone mentions cyber talent issues, ask them:
- If you do not have the talent you're looking for - what have you done to market and sell cybersecurity as a viable career path?
- If you do not have the skillsets in your organization needed to accomplish your mission - what have you done to train your staff?
- If you cannot keep your talent - have you built a team of successful and smart professionals?
Do You Want to Work in Cybersecurity?
If you are someone looking to get into Cybersecurity, you might be wondering where to start and what employers are looking for.
You need a grasp of the basics. There's no shortcut to learning some fundamental skills, but that doesn't mean you need a degree from MIT. In fact, you can complete a lot of your training using free courses and software. Anyone can enter the market if they dedicate time and commitment to building skills. Many cybersecurity technologies offer a "free version" or "trial version" that you can install on your local PC or in your home lab. By learning how various software and technologies work, how to deploy them, and how to administer them, you'll develop a great baseline and set yourself apart. Your willingness to learn on your own time tells employers three things: you are passionate about cybersecurity, you have the aptitude to learn, and you took the initiative to teach yourself.
Certifications are also worth pursuing while you build your resume. Many cybersecurity professionals do not have cybersecurity certifications, so don't think of them as a "requirement" to get into the industry. Certifications tell employers that you have enough interest in the field to spend time studying it. In lieu of experience and education, they can provide some proof of expertise and knowledge. Honestly, some of the best cybersecurity professionals I've worked with don't have expensive certifications; rather, they have a passion for the industry, and that shows because they practice in their spare time as a hobby.
Many employers are looking for you to have at least an entry-level proficiency in cybersecurity and to know enough to be conversant on cyber topics. They are looking for evidence that you understand the subject matter of the job you're applying for. Knowing something about the job you are applying for is not just good for cybersecurity; that's good for any job. The cybersecurity landscape is shifting VERY fast. If you can show an employer that you have the aptitude to learn and keep up, that is valuable. Even if you don't currently have what's needed, they will be able to train you. A track record of learning the latest skills, showing that you keep up with the industry, is a really good story to tell employers.
Employers can often find people who are willing to get paid to do a job. It's really hard to find people who are truly passionate. You can show that you're not just another cog in the machine by providing evidence that this is something you really enjoy doing. Spending your free time building cybersecurity skills, showing an aptitude to learn new and current cybersecurity technologies, and, most importantly, having a good attitude (i.e., people like to work with you) will get you hired.

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.