It’s been 20 years since McKinsey & Company coined the term ‘war for talent’. Its enduring usage in management lexicon speaks to the aptness of the phrase in reflecting the struggle to attract and retain quality staff, with cyber security now a key battle front.
Many column inches have been dedicated to the global shortage of skilled cyber technicians and the projected widening of the gap between supply and demand.
Typically however, the factoids which tend to be quoted look at the aggregate numbers of projected unfilled vacancies across the spectrum of IT security jobs. While the magnitude of these numbers serve as a good wake-up call to signal the scale of the projected shortfall, they do not tell the full story.
The other side of the coin for organisations is the overall gap in coverage. That is, not just thinking about the number of people in seats, but also thinking at a higher level about whether the right mix of skills is present to meet the challenges of a world in which the goal posts keep shifting.
Commonwealth Bank’s General Manager, Cyber Security Centre, Brendan Hopper speaking at an industry event recently likened the difference in skills required to write code as opposed to testing the security of software to the distinction between an author and a proof reader.
“As an industry we now have specialists who are dedicated, not to writing code, but to going through software and finding classes of bugs and vulnerabilities and making software more secure,” Hopper said.
The reality for some organisations is that dedicated, specialised cyber resources may be neither practical nor affordable. But for those which identify the need to hire cyber specialists and have the wherewithal to do so the key question is how to ensure sufficient talent is available into the future.
Start cultivating relationships early
The risk posed by gaps in cyber security talent is not being felt in the private sector alone.
‘Developing skills and expertise’ formed a key part of the government’s 2016 Cyber Security Strategy in recognition of the shortage in trained cyber security professionals and the targeted actions required at all levels of the Australian education system to address this.
Organisations such as CBA are taking this remit seriously, looking to cultivate the right cyber mindset earlier than ever before with initiatives such as a government-backed industry alliance to bring cyber security into Australian high schools.
Through a series of challenges covering topics such as web application security and network security the thinking behind this is the earlier we start to focus on the core skills and competencies we need, the earlier we can inspire students to follow pathways that will lead to cyber security careers.
Traditionally, however, it is universities which have formed the recruiting ground for future talent and indeed many of the recent graduates we spoke to for this article ended up with their employer as a consequence of relationships formed at university.
Be flexible in your recruitment approach
Graduate programs, cadetships and internships are still in high demand among those pursuing tertiary level study in disciplines such as computer engineering, giving a sense of structure at a time during which a sense of certainty is appealing as many students transition to full-time work for the first time.
One common theme, however, was the desire to see more flexibility in the recruitment process to cater for different finishing times in the academic year.
“Spotting the talent and offering them a role 12 months before they graduate is a great strategy, but many students don’t start looking until later in the year, so a certain amount of flexibility is required to get the best talent. That also includes things like flexible start dates, and mid-year entry,” said CBA Enterprise Services graduate, Adam Smallhorn.
Several of the graduates also spoke about the importance of early initial engagement in providing incentives for graduates to apply.
Organisations which engaged later with cut-off dates after the first tranche tended to have a smaller pool of interested applicants as some students were already committed, observed the interviewees. Many structured graduate programs are also currently not open to international students which, Smallhorn says, may be closing the door on a pool of talent which has been trained to the same standard as local students.
A move away from prescriptive online tests for selection is a key callout from Brody Noonan, Cyber Security Engineer at Bankwest, who in spite of applying for the Bankwest grad program twice and missing out, nonetheless ended up at the organisation in a technical role.
“You can always teach the tech side of a role with on-the-job experience so I would think it should be more about the person and their motivations,” Noonan said.
Atlassian Security Intelligence Intern Clancy Rye says the barrier to entry for security can feel quite high and expressed the view that ultimately education should be a way to supplement and assist an otherwise ongoing lifestyle of “learning and tinkering”.
When asked about the skills required to perform his current role, which is a mix of incident detection and response, vulnerability detection, threat intelligence and cultural uplift, Rye spoke about the attributes required over and above the technical know-how.
“Technical competence and understanding are obviously quite important, but so is common sense, the ability to think critically and keep your head under pressure.
“Being personable and able to work effectively in a team is also incredibly important, as is the drive to learn and improve.”
Provide opportunities to learn from the get-go
Flexibility in the recruitment process is one thing, but of additional appeal to many grads is the opportunity to experience multiple roles before making a decision on where in the organisation they’d like to end up based on both what they enjoy and where their strengths lie.
Opportunities for continued professional development and options to learn and build skills were of particular appeal to those joining cyber security functions from university.
“Coming straight from uni, the biggest change was there it was all general knowledge and concepts of how security works. Then you come into a role and the challenge is to translate that. You are looking at a real product, trying to learn and understand it from scratch, then relate that back to the knowledge you have and figure out what it means for the business,” said Bankwest’s Noonan.
An organisation with the capacity to provide ongoing training was also key: “For me that’s one of the things that attracted me to a bigger organisation. I felt a small company would pay you and expect you to know everything, whereas in a bigger company there would be more opportunity to learn products and the industry in a structured way,” Noonan said.
For CBA Cyber Security Analyst Jessica Mitchell, the provision of training is not just about the option to continue developing her skills and gaining further accreditation, it also sends a positive message from the organisation regarding a commitment to investing in her future, which can be a benefit of the current skills shortage.
“The skills shortage means there are opportunities to progress and move from role to role and they support you. It’s also nice to think you’re working to protect the bank and customers,” she said.
Making and shaping the talent
While developed grad programs with structured ongoing training opportunities may be easier for larger organisations to accomplish, one option open to those of varying sizes and degrees of sophistication is PR work aimed at drawing the talent to you.
Cybersecurity Associate at PwC, Peter Capon references the Industry Based Learning (IBL) program he participated in during his degree.
“I completed a placement at a large financial services organisation within their Information Security team. The experience was great, however I found the organisational structure to be quite rigid in terms of career pathways. From this experience I knew I eventually wanted to work somewhere which offered me a high degree of flexibility in terms of career experiences and opportunities, and consulting was an area which met that criteria,” Capon said.
“Around the same time as my IBL placement I participated in CySCA (Cyber Security Challenge Australia), a 24-hour hacking challenge. PwC was one of the main sponsors of the event, and I appreciated how they were actively investing in upskilling the next generation of cyber security professionals. This was what first interested me in working for PwC.”
Creating a name and a reputation for your organisation as one in which employees are likely to meet future influencers may be playing the long game, but it is an approach that nonetheless has the potential to be effective, particularly in attempting to recruit from non-traditional disciplines and backgrounds – a strategy which is gaining popularity.
A 2017 article published in the Harvard Business Review pointed to the reality that businesses looking for people with traditional technology credentials to fill cyber security vacancies may be limiting the talent pool and is at odds with the manner in which the “bad guys” are growing their ranks.
The article, written by IBM’s General Manager of Security, Marc van Zadelhoff spoke about IBM’s “new collar” jobs program, which looked at the underlying characteristics of a successful cyber security professional: natural curiosity, strong ability to problem solve, ethics and an understanding of risk.
IBM found those with these traits had the ability to quickly pick up the technical skills through a combination of on-the-job training and modern education programs.
Such has been the commitment to this approach that 20% of IBM’s US hiring in cyber security since 2015 has been “new collar” jobs, according to van Zadelhoff.
Outreach activities and investments aimed at strengthening community capability are among those which will be at the forefront of enabling these kinds of alternative approaches to addressing the skills shortage challenge.
Here at CBA we often make reference to “uplifting the ecosystem” and through connecting with government, investing heavily in partnerships with both industry and educational providers we are acting in the belief that it’s in everybody’s interests to grow our collective cyber skills and knowledge.
These are seen as necessary pathways not just to lifting the number of people we have equipped and available to fill vacant roles in the future, but also to ensuring we have the skills we need to adopt a ‘collective defence’ mentality, keeping everyone more secure.
This article first appeared in the September issue of CBA’s quarterly cyber security report ‘Signals’. You can view the full issue or sign up for our mailing list via the CommBank website.