Saturday, November 14, 2015

Addressing the cybersecurity talent shortage

20 years ago I had the opportunity to work at a health-focused fast food restaurant in San Jose, California. My job was to serve guests and make sure the buffet and dining area were as close to spotless as possible at all times. This location also happened to be the training restaurant for new franchisees, and as a result the management was very focused on building skill in the new owners, because they were key to the success of the organization.

At that restaurant, I was just a part-time, hourly worker making minimum wage. It wasn’t a career move for me — I was only working part time to support my real job at the time: the missionary work that I was doing that year. I wasn’t on anyone’s radar for development. Even so, this job was incredibly valuable to my career because of Sean, the restaurant manager, who was responsible for training new managers.

Sean modeled excellence, set a clear standard for what he expected, circled back to inspect and ensure that it was being done, and praised it whenever he saw it. He taught managers how to develop their employees. I suspect I was a good training subject for him, because I had a lot of room for improvement. 

My first month, Sean gave me a $20 bonus for keeping my area up to standard at all times. My first reward for excellence, and my first exposure to success-focused management. I was hooked, and I have been chasing excellence for my teams and for myself ever since.

Flash forward to 2015. There’s a critical shortage of skilled cybersecurity specialists in every sector. This persists despite lots of smart, ambitious new graduates entering the workforce each year. These graduates arrive alongside many capable experienced workers who want a career reboot in a new field. Information security pay is excellent, and there is no end of training opportunities, from self-taught to MOOCs to online and onsite university programs. Meanwhile, across the rest of the economy, economic growth remains anemic.

So if demand is high, wages are strong, and there are few barriers to becoming skilled and entering the field, why the shortage?

Lots of evidence points to a management skill shortage as the single most limiting factor. Management is not effectively and systematically developing the talent it receives. The most likely reason for failing to develop talent is that we are not focusing on it effectively. And when we do think about talent development, it’s mostly about attending training and conferences, and gaining knowledge.

While that is important, the best information security practitioners have more than just knowledge. They are skilled. And they’ve built that skill by seeing the standard for excellence, practicing it, and receiving constructive feedback that motivates them to get better.

If information security managers can institutionalize these practices into routines that define, measure and improve skilled practice, then we can close the skills shortage in just a few years. Recruiting talent is only half the battle. Developing that talent takes focus and sustained effort.

My former CISO was adamant that skilled management starts with good general management practices. In practice, that has always held true. So for my team, I look for our leaders to be effective in the following categories:
Work Onboarding
Planning and Organizing

The purpose of this toolbox is to share approaches I’ve used for the most common management tasks over the past five years in a former role. None of the concepts that follow are original. I’ll cite the sources where I can, and hopefully not forget any. That’s the biggest challenge with ideas that you’ve learned early and carried for a long time. They become a part of you, to the point you risk forgetting where they came from.

Most of this should be familiar. But as with Sean’s example, consistently calling out effective principles and being mindful on a daily basis is the best way to measure improvement and recognize it.