Corporate ‘Boot Camps’ and Other Ways to Find and Retain Security Talent

Security operations teams are drowning under a sea of alerts that aren’t quieting down anytime soon, and the threat of the growing skills gap has fomented lots of worry about how to fill the talent pipeline.

A recent Ponemon study found that 75 percent of organizations report they have an understaffed security team. The same number of respondents are also having difficulty attracting qualified candidates.

Sure, cybersecurity degrees are becoming more commonplace across colleges and universities, but those students aren’t graduating with a wealth of hands-on experience. And, while a recent graduate with little to no experience can be trained, graduates can also be myopic in their job searches.

Unlike organizations that are in desperate need of qualified candidates they want to hold onto for the long term, grads are often focused on the almighty dollar. They want to start earning and often see their first job as a stepping stone.

Something Old, Something New

According to the Advanced Cyber Security Center (ACSC), those students who do find positions often ask for and receive six-figure salaries straight out of school with little to no work experience, only to jump somewhere else when the job doesn’t completely fit what the employee wants to do. In addition, hiring managers and security executives are reporting a gap between the skills students learn in those programs and those needed to make an immediate impact.

Promoting from within can be seen as a reward for high-performing employees, who, in return, are more inclined to stick around and grow roots. Leveraging existing staff can even be more cost efficient than hiring new staff, particularly when they are given incentives to stay.

A few years ago, IBM started thinking outside the box about how to find and retain talent, which resulted in its New Collar Jobs initiative. The premise is that employers need candidates with skills, not necessarily with degrees. Those who innately possess talent can be trained to do just about anything, which is why many large organizations have established their own on-the-job “boot camps” for entry-level security personnel. It’s an approach that is mutually beneficial for both employers and employees.

What’s Better Than Boot Camp?

While many corporate ‘boot camps’ have just started thinking about how to incorporate security into their curriculum, the SecureSet Academy has taken its model of immersive cybersecurity education to Washington, D.C. Earlier this summer, the organization created a new campus to train prospective candidates to help serve the growing need for cybersecurity professionals in the region.

“The talent gap we see indicates that employers are struggling to find qualified candidates. That presents a perfect opportunity to match prospective cybersecurity professionals with both the education and employment opportunities needed to help them enter the workforce,” Jon Ferris, DC Metro Campus Director, SecureSet, said in a June press release.

Reach ’em and Teach ’em

The reality is that the high school and college students of today are the leaders of tomorrow. That’s why so many universities across the country are offering new cyber certification courses and degree programs.

The California Cybersecurity Institute (CCI) at Cal Poly recently announced it has partnered with Stronger International and Mile2 to bring 27 new cybersecurity courses ranging from foundational to expert-level, offered online, onsite or remotely.

Back on the East Coast, in a joint effort to build relationships between academia and the private sector, the University of Massachusetts and the ACSC created the Cybersecurity Education and Training Consortium (CETC) just last year. The collaborative is an effort to support the Commonwealth’s cybersecurity efforts.

Let Us Give Thanks

Academia and the private sector are actively developing innovative ways to build a highly skilled cybersecurity workforce, and the talent you need could come from any of these sources. From college graduates to internal candidates and professionals who are newly trained by reputable organizations, cybersecurity candidates are being churned out from coast to coast.

What’s critically important in these types of partnerships is that participants have the ability to gain hands-on experience so that they are better prepared to face real-world cybersecurity challenges. Yet, if the focus is only on training, companies inevitably will face the problem of attrition and potentially lose their most valuable players.

A recent Exabeam survey found that “participants who had been working as security professionals for less time (0-2 years) were more satisfied with their jobs than those who had been working for longer.”

The survey also found that security professionals are eager to learn something new, love a challenge and get great satisfaction from defending their company. What they don’t like is constant interruption.

Once you find the right fit for your organization, retaining that talent means not only that you have to continuously challenge your security team, but you also have to provide them with the resources they need to do their jobs. The occasional pat on the back can also go a long way.

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
