Don’t Hire Cybersecurity Pros, Grow Them
The need for information security analysts is exploding.
In the next 10 years, demand for IT security skills is expected to increase by 28 percent, which isn't surprising. With the string of recent high-profile attacks, coupled with increasingly aggressive legislation to protect customer data, businesses are seeing the writing on the wall. They've got to get serious about security — or suffer the consequences.
That leaves two options for building a secure operation: Hire security experts or train your existing staff in security and make sure they earn an advanced security certification. If you are like most companies, you will probably opt for the first option. You either hire an in-house security team or hire an outside firm for each and every incident that occurs. But this should not be the case.
Many companies have individuals who are looking to learn new skills and contribute positively to the organization, so hiring an external party seems like a missed opportunity.
This means that there is a good reason why you should train key members of your team to take up roles as cybersecurity experts — it could save your budget quite a lot of unnecessary consultation fees in the long run.
More than just money
Growing, rather than hiring, your cybersecurity workforce costs less. If you've ever been in the market for a security professional, you know that it's a hot skill set. Candidates have many open doors right now — and they're taking advantage of the seller's market.
Upskilling your current IT team members into cybersecurity professionals will cost considerably less than hiring from outside. The upfront savings, though, are only one benefit of growing your own security team. There are many other positives that come from developing your cybersecurity professionals in-house.
Your incumbents intimately know your existing systems. With that knowledge, coupled with hands-on training, they'll be able to determine what improvements need to be made. We're not saying that a one-time consult is a bad investment, but you want an effective in-house team to keep up those recommendations.
With the proper training, your team can just as easily detect and address fundamental security issues. Your team can start chipping away at these configuration issues one piece at a time, and gradually bring your environment in line with their newfound skills and training.
Retaining the skills
Many IT departments struggle to retain people once they're certified in a rare (lucrative) skill. That's both a product of market effects and an unwillingness by some companies to pay for a skill set. Companies can help retain highly skilled individuals with non-monetary benefits — or at least a frank discussion about their future at the company. Instituting skills transfers, promotions, and internal training is a must if you are going to sponsor training for in-demand skills.
You might be surprised that your people may stick around for education and training as long as they have a clear career path laid out ahead of them — in your company. Studies show that people like structure and certainty. Absent that last part, it's likely they'll take their shiny new skills to (seemingly) greener pastures.
Headhunting and recruitment are always going to erode your talent pool, but that doesn't mean hanging on to your key information security staff is impossible.
Engineer teaching opportunities into training
Cybersecurity is a team effort. That's why developing your own cybersecurity professionals is often the right choice. Not everybody in your department needs to be a security expert, but your security experts should be able to train everyone — from the IT team to end users — on basic security principles.
When your internal candidates are learning IT security, you can engineer training opportunities into their training plan. Bloom's taxonomy shows that teaching is one of the best ways to learn. It'll greatly benefit your cybersecurity-pro-in-training to start applying their newly found knowledge to company-wide initiatives as soon as possible.
Unfortunately, we've seen recently that it's the seemingly simple stuff that leads to the big breaches — unknowingly showing a database to the outside world or a single click in a phishing attempt.
Security consciousness within your IT department needs to be everybody's business. Training opportunities are a key aspect to consider when enhancing your organization's attitude towards security.
The final word
There is never a clearly defined rule when it comes to IT departments and skills allocation, especially where cybersecurity skills are concerned. Even with in-house cybersecurity employees, you may still encounter situations where an outside consultant is needed, especially if the task is highly specialized. But when you have your own cybersecurity talent pool, you will need to call in external consultants less. And that's a good thing.
Online training is a great way to get your team certified. Although it can be tough to work and study at the same time, most security professionals end up getting certified by doing exactly that. It gives your team the opportunity to apply what they have learned to the work that they are currently doing and reinforces these principles so that they can be fully understood and ingested as knowledge.
Find out who on your team would be interested in training in cybersecurity; the response might surprise you.