There is a 4.7-million-person workforce in the cybersecurity community; you would think that would be enough. According to a cyber workforce study conducted by ISC2, evidence shows a gap of about 3.4 million people that are needed to compete with current cyber adversaries. This is one of many obstacles that need to be overcome by companies that hope to grow their cyber teams and keep their business alive.
Many companies are facing cybersecurity and compliance requirements that exceed the general capacity and knowledge of their IT teams. If you bring in a specialist to bolster your cyber posture, you may pay more than it would cost to hire a virtual CISO, and the quality of contracted work can vary. You can bring in new graduates and anticipate 6 months of training before they are fully activated.
What makes the most sense for your business? What do you need to do to determine your capacity vs. your requirements? Let us lay out the options and examine some strategies.
Examine.
Whether you are hiring a seasoned cyber veteran or an intern you plan to train, you should weigh the pros and cons of your organization’s circumstances. Not everyone’s situation is the exact same, nor are all the same resources available. Ask yourself some of these questions to get started:
- How much can your business afford to spend to mature cybersecurity?
- Who will help train them and make sure they have everything they need to accomplish the tasks?
- What can you expect to accomplish by having an FTE cyber person? Contract-specific? Customer request?
- When is the right time to bring them in? Do you have the capacity to train them now? Do they need to be trained prior?
If you are just beginning your journey towards cybersecurity maturity and compliance, it makes sense to speak with a consultant you trust rather than bringing in a new employee. We are large advocates for paid internships and mentoring from all occupations into cybersecurity. In our experience the investment in training new employees was quickly returned by their unique perspectives, transferrable skills, and passion. Let them know your current stance and some of the above questions you have answered. Bring any additional questions you have, and it might surprise you what information you can get at no cost.
If you have a technically savvy IT team that is already working on cybersecurity-related items, you can complement their work with regular consultations from a virtual CISO or a contractor such as IntelliGRC. You can hire them for independent audits, incident response tabletop exercises, and much more. Find someone that comes recommended by your industry peers and make sure they are a good fit for your business.
Hire.
You can get acquainted with some of the best cyber professionals by engaging with them on smaller projects and then making them an offer to join the team. If you know you want a CISO that is ready to take your posture to the next level, make sure they come with good references as well. You will spend more money, but you can expect faster integration into the team and advancement of your goals.
Some of our best workers are new to cybersecurity, but they have the passion and drive that produces excellent work. We strongly recommend investing the time to train and certify good people at any point in their careers. You face the risk of that employee being able to go work somewhere else for more money once you have spent resources getting them qualified. That risk is outweighed by having a good employee who is now well-versed in your tools.
Hiring an intern can be mutually beneficial to the company and the intern. Cybersecurity workers need experience to get a decent job and companies need to make sure the employee is a good fit. Find ways to regularly ensure your employees are doing what best suits their skillset and challenge them appropriately. Interview them, rotate interviewers, and change the questions being asked. A CEO might not get the same answer as a direct supervisor, a colleague, or someone from HR (Human Resources).
At the end of the day, people will come and go and change for many reasons. We are subject to our environments and industries. The remote workforce model has changed the hiring and cultural landscapes for many of us. There are many benefits to remote work, for instance, you no longer must pay the high dollar premium for hiring in a big city. The employees that moved to metro cities for jobs can head back out to the country for a hybrid/remote workforce. Each company handles this a bit differently, but by offering remote positions you vastly increase the candidates you can bring onto the team.
Maintain and see results.
As your team grows, the culture should organically nurture upward mobility and initiative across all roles. This starts from leadership and is most apparent at the customer-facing level (Helpdesk, sales, services & support). Do not forget to show them appreciation; this can mean adding or increasing benefits such as healthcare, employer contribution to 401k, PTO, and more. It can also mean celebrating the wins of each employee in front of the company or just one-on-one. I believe your clients will have a similar experience with your employees as they have with their employer. Treat them right and be sure to regularly check in on their well-being. Most people enjoy a new challenge; verify their output and offer a challenge that suits their desires and curiosity.
Make sure you can justify the hires by matching them to how they contribute to your roadmap, and what potential deals they can bring in. Treat them well and make sure to regularly check in on their well-being as well as their outputs, presenting challenges in a meaningful way. Train every employee in every skill they are interested in that can advance their career and your company’s viability. Invest in your employees now so they stay with you, and in turn, your customers will too.
IntelliGRC has had a lot of success with our partners in State and Local Education (SLED) to influence the education criteria and hire cyber graduates to prepare them for the world of cybersecurity and compliance. We hoped to help them overcome the hiring gap and then send them out to work for our partners and industry peers, however, most of the program graduates have been so great that we do not want to let them go. If you want to hire a consultant or CISO, we are happy to put ours to your test!
