by Heather Monthie, PhD
One of the most difficult tasks for a cybersecurity leader in any organization is finding new employees to fill critical cybersecurity positions. The current state of the cybersecurity workforce means that you might not find the right person for the job. So, what can you do? Many hiring managers will outsource to a recruiter to find top candidates, who are often in high demand and may not be looking for a new position.
Another option is to develop your own pool of cybersecurity talent. You may do this by hiring internal applicants who already know your company and industry but require some cybersecurity training. Developing your own applicant pool takes a bit of time and effort from your organization’s management team, which can be well worth it in the long run.
When organizations attempt to build a cybersecurity talent pool from within, one of the most common challenges they face is determining which employees are interested in making a career change into cybersecurity and have the motivation and desire to learn a new skill. Without clearly defined pathways for someone in your organization to transition into cybersecurity, it can be difficult to provide the guidance needed to help them make the transition. For those employees who want to change careers, you need to have a plan ready to help them with the transition from their existing roles.
This article will help you overcome some of these challenges by introducing ways to change your expectations of candidate qualifications, identify employees working in your organization who are interested in a career change into cybersecurity, and find the proper training for employees to move into a cybersecurity position with your organization.
The current state of the cybersecurity workforce
As you may already know, cybersecurity professionals are currently in short supply, and the shortage is only projected to get worse. (ISC)² reports that there are approximately three million open cybersecurity positions globally. CyberSeek reports there are nearly 600,000 open cybersecurity jobs in the United States alone. It’s time to reconsider your methods of identifying and reskilling internal experts for your crucial cybersecurity roles.
Change expectations of candidate qualifications
When considering internal employees to reskill for cybersecurity roles, you need to change your expectations of candidate qualifications. You can do this by focusing on finding employees who have strong knowledge of your business and industry and are also interested in a career change into cybersecurity.
You may have employees in your organization who have several years of experience in your business and are considering a complete career change. Rather than lose that knowledge to another business, work to identify who these individuals are and help them transition to a career on your cybersecurity team. These individuals have transferable skills and excellent business acumen but may not meet your exact qualifications, such as a Bachelor’s in Computer Science or two years’ experience in Information Security.
Many employees working in other areas of your organization may have a wealth of organizational knowledge but just need to learn the cybersecurity skills to be successful in that position. So, it’s essential to look for these employees and consider providing training opportunities for them to be successful in a cybersecurity role in your organization.
There are many positions within IT, Decision Support Systems (DSS), Electronic Medical Records (EMR), and other technical areas where individuals in those roles likely have transferable skills that qualify them for your cybersecurity team. For example, you may have someone on your EMR team who is very well-versed in the application configuration of your EMR of choice. With some additional training in application security, that individual may be an excellent candidate for your open application security position.
Consider alternative requirements
You may have individuals in your company with a lot of expertise in your sector who are right in the middle of considering a career change. Over the past few years, I have spoken with many healthcare professionals who transitioned from a clinical role to a career in cybersecurity in a hospital or other healthcare setting with some additional training.
Healthcare professionals have excellent transferable skills for analyst roles and are well-versed in how software applications are used in a clinical setting. These individuals probably won’t meet your requirements of a Bachelor’s in Information Security, but they certainly have some very necessary skills for your cybersecurity team and can undergo training to learn cybersecurity skills.
There are some simple ways to identify employees within your organization who are interested in a career change into cybersecurity.
Some strategies include:
- Job postings: Consider adding “internal applicant” to the title of all open positions where you are looking for internal employees. Make it clear that you do not expect candidates to meet all the qualifications and that a robust training program will be provided.
- Cross-training opportunities: Establish cross-training opportunities, such as webinars, lunch and learns, and job shadowing, to help individuals in other roles in your organization gain skills that may qualify them for cybersecurity positions. For example, providing access to courses on security topics or offering cross-training through other organizations are great ways to help your employees get the skills they need to qualify for cybersecurity positions. Oftentimes, those who have an interest in information security will naturally emerge and show interest in these types of opportunities.
- Informational sessions: Work with your Human Resources department to set up informational sessions about internal opportunities on your cybersecurity team. In order for these to work, you need to have an internal culture that promotes learning and internal job movement. Without that culture, it may be too risky for employees who do not want their current managers to know they’re considering a career change.
You can create career progression pathways for those who may not currently work in cybersecurity but want to transition to a cyber role. This takes some time and effort from you and your management teams, but this can be a fruitful long-term practice.
Create a cybersecurity career pathway that includes training and certification opportunities
Start by identifying specific roles within your organization and the security positions that individuals in those roles may be able to move into with some additional training. As in the earlier example, you may have an EMR system administrator who would do very well in your open application security position with some additional training in secure coding practices.
Next, you’ll need to create the training opportunities to help these individuals reskill into a career on your cybersecurity team.
Some strategies include:
- Offer online cybersecurity education opportunities so employees can take courses online at their own pace, reducing pressure on anyone balancing work, family, and school obligations. Offensive Security offers online cybersecurity education programs that can be completed anytime, anywhere.
- Consider providing tuition reimbursement so employees can earn degrees and certifications and build their resumes with relevant experience and credentials at little or no cost to themselves. Provide opportunities for individuals to work on their degree or certifications while working on your security team.
Making sure that your employees have the proper training is essential for them to move into a cybersecurity position with your organization. By providing your employees with the necessary training, you can help them gain the skills they need to succeed in their new role. Additionally, offering training opportunities can also help keep employees engaged and interested in their work, which can lead to better productivity and performance within your company.
Consider partnering with a leading cybersecurity training company such as Offensive Security who can help you develop a cybersecurity talent pool within your organization.
There are a few different types of training that can benefit your team:
Instructor-led training (virtual or face to face)
There are many cybersecurity training courses available online and in-person. Instructors can hold virtual or face-to-face training sessions that teach the cybersecurity skills needed for each position within your organization. Instructor-led training courses are an excellent method to enhance the abilities of your team members, regardless of their level of expertise.
Self-paced online learning
There are also cybersecurity training courses available online that allow employees to study at their own pace and on their own schedule. This is beneficial for those who may need more flexibility when completing coursework and studying materials. Self-paced online learning gives employees the flexibility they need to complete training courses on their own time, without sacrificing quality or missing out on valuable information.
Peer learning opportunities
You can also collaborate with your team members to create peer learning opportunities, which are beneficial for employees getting started with cybersecurity. This is an excellent way to share knowledge and information about topics that are specific to your organization. Additionally, team members can use peer learning opportunities to support each other in the workplace, which creates a more inclusive work culture.
Peer learning can be conducted through:
- employee-led webinars
- mentor programs
- job shadowing / job sharing
You can also offer webinars for employees new to cybersecurity or those looking to learn more about specific topics. These webinars are beneficial for bringing in guest speakers who can talk on a particular topic, and they give employees the chance to ask questions. Employees may also want to view these sessions on their own time, which will help them retain information better on days they don’t have work meetings scheduled.
In addition to internally-sponsored webinars, you can also provide opportunities for employees to participate in webinars and other live online events conducted by Offensive Security. Webinars on a wide variety of topics are offered monthly and can greatly benefit your team members.
Another way to create a cybersecurity talent pool from within your organization is through mentoring programs. Mentor programs allow experienced employees to share what they know about specific topics with less-experienced team members. Mentor programs also create an inclusive workplace for everyone who wants to learn more about cybersecurity.
Job Shadowing / Job Sharing
Similarly, you can create a talent pool by allowing employees interested in transitioning into a cyber role the chance to job shadow or job share with those already working within your organization. This allows them to experience the day-to-day responsibilities of a cybersecurity role and learn more about what they’re expected to know and do within their job.
You can use all of these different types of training to help your organization develop a robust cybersecurity talent pool from within.
Connect with us
For more information on creating a cybersecurity talent pool from within your organization, contact firstname.lastname@example.org.
Connect with others who are already OffSec certified, or on their journey in the OffSec community Discord.
You can also keep up to date with us by signing up to be an OffSec Insider.
About the Author
Dr. Heather Monthie is a leader in Cybersecurity and IT education dedicated to developing workforce-ready professionals for the future. With a diverse background in education, leadership, and technology, she has worked with various businesses and educational institutions to develop successful cybersecurity education programs. She has served in various leadership roles within organizations that are committed to cybersecurity and STEM workforce development. She currently serves as the Head of Cybersecurity Training, Education, and Innovation at Offensive Security.