Over the past 10 years, we’ve seen a boom in automated technologies that help organizations rapidly prevent, detect, and remediate attacks and threats. These technologies effectively advanced our ability to quickly identify and synthesize data, but it also had the unintended effect of creating a gaping chasm between the workforce needed to manage these systems and interpret their outputs, and the available talent to fill those roles.

It was long thought that artificial intelligence would fill the workforce gap by taking over repeatable, manual tasks that previously required specialized knowledge. But these algorithms, tools and services produce large amounts of incident and network data to be analyzed and interpreted, and organizations now need individuals who can identify problems well-suited to data science projects, comb through that data, identify potential threats and take the necessary actions. So in reality, AI hasn’t replaced human cyber jobs—it’s displaced them.

One Problem, a Host of Solutions

This proliferation of AI, specifically machine learning, has caused a shift in the profile of these much needed information security professionals, shifting the skills gap from repeatable network monitoring to more complex network and incident data analysis. Study after study shows that the workforce shortage isn’t going away. While universities and schools work to prepare future generations of infosec workers, organizations need a more sustainable and job performance-specific solution to their talent shortage than outsourcing jobs or overpaying for top talent. Cybersecurity leaders must reframe how they invest in the short-term gains of identifying new talent and focus on the long-term return of investing in growing talent to fill their needs. Until they adjust the way they think about sourcing employees, the gap will continue to widen.

One of the most efficient ways for organizations to keep up with shifting personnel profiles is to turn their talent hunt inward and upskill or reskill existing employees. Employers immediately benefit from an employee’s institutional knowledge of internal business processes and the organization’s goals, reduced onboarding period and the goodwill created when employees feel like employers are invested in their career growth. The key, though, is to resist the temptation to throw dollars at costly training programs, curriculum and platforms before identifying the root of what needs to be accomplished. You can’t fix a problem that you don’t fully understand, and building and deploying an in-house program without an accurate evaluation of your workforce is a little like trying to build a house without a blueprint. Not only does it become time-consuming, costly and difficult to maintain, but it doesn’t ultimately result in an experienced workforce for your organization and its needs.

In order to effectively chart a path forward to upskilling or reskilling individuals based on actual job roles and requirements, employers need a foundational roadmap of their job families, job roles and the skills needed to succeed in those roles. Once you have this blueprint of your cyber organization, an assessment or diagnostic can provide quantitative data of team and individual’s strengths and weaknesses, helping to appropriately identify the roles they are suited for and outline a targeted training plan to bring up their competency levels.

The Hero They Deserve

So with talent right under their noses, why are employers still struggling to source the talent they so desperately need? In many organizations, the issue is that the wrong department is leading the search. CISOs have to stop letting HR drive the hiring of cyber talent and become the strategic driver for their department. Unless infosec leaders spearhead the initiative themselves, HR on their own will continue to produce disappointing results.

Executives across industries are leading the charge and taking a more active role in establishing learning frameworks and career paths for upskilling or reskilling their employees.

  • JP Morgan Chase: In addition to sourcing external talent, JP Morgan looks across various lines of business to find individuals who have the institutional knowledge of the business impact of cybersecurity threats. These employees are cross-trained in cybersecurity and given the technical knowledge to succeed. This approach has yielded a diverse and high-performing team.

  • Stanley Black & Decker: Within the past decade, the manufacturing industry has worked to future-proof their processes by embracing the Internet of Things and implementing technologies that enable their smart factories. Stanley Black & Decker’s CEO, Jim Loree, saw the opportunity to establish pathways to reskill employees whose jobs may have been displaced by automation.

  • Dell: When faced with the need to rapidly expand its cybersecurity department, Dell realized that understanding the underlying skills within their teams was fundamental to the development of an employer-driven workforce plan for current and anticipated cyber staff. Dell’s Chief Security Officer, John Scimone, partnered with their Human Resources department to conduct an audit of existing cyber roles, identify the skills associated with those jobs and create a roadmap aligned to the National Initiative for Cybersecurity Education (NICE) and the National Cybersecurity Workforce Framework (NCWF) for requirements and skills.
Contributors: