This is part two of a two-part blog. See part one here. This is a continuation of my interview with Scott Scheppers, chief experience officer for AT&T Cybersecurity, on the cybersecurity talent shortage.
Scheppers points out that organizations have to pay attention to compensation when it comes to talent retention. “Good pay - don’t discount that. You need to be competitive and compensate people well, but that’s not the only thing that matters.”
To expand on this, he points to other key factors that help retain good workers. “Having said that, it’s not just about the pay. People really care about the culture and work environment. There’s often a lot of pressure in the cybersecurity world, but if people enjoy working with their peers and feel supported, they are much more likely to stick around. Cutthroat cultures with ‘zero sum’ mentalities can only go so far. A culture of teamwork is very important.”
Scheppers continues, “Everything starts with leadership. As a leader, you must be able to set an example. You can’t just promise things- you must deliver as well.”
Alongside a supportive and consistent culture, Scheppers emphasizes the importance of providing workers with a path for growth, “If you don’t have an internal path of growth for people, they’re eventually going to go elsewhere. As a leader, you need to take the time to understand where people want to go and help them get there. Of course, you can’t retain everyone. Sometimes you may not have the job opening someone is looking for, but that is okay. Growth for anyone often means seeing and doing different things in different companies or organizations.”
According to Scheppers, the key to building a strong team in cyber is not different than in other industries. Leaders need to focus on the career aspirations of their people and finding a path to help them achieve their goals. “Give your team the tools and training needed to excel at the job—and then hold them accountable! No one understands the dynamics of a team better than the team itself. Sometimes the leader, especially those higher in the chain of command, don’t understand all the group dynamics at play. But, if you as a leader have someone that’s not pulling their weight and holding everyone back, know that other team members will see it and it will pull the team down. When people on the team understand that they must keep to a certain standard, it propels them. They know that they will be recognized for good and bad work. This is one key aspect of a strong culture.”
How can we increase diversity in the field?
According to the 2021 Aspen Digital Tech Policy report, only 9% of cybersecurity professionals were black, 9% were Asian, and 4% were Hispanic. CREST, the global not-for-profit membership body that ‘helps represent the global cyber security industry’, commented that inclusion and diversity need to be a priority in 2023.
“Diversity is very important but note that it goes deeper than just race or gender,” Scheppers begins. “You can find two white males, one from a farm in Alabama and one from the big city of Seattle. Both people can bring unique experiences and different viewpoints to the table. But if I looked around the room and saw that everyone on my team was a white male, I might start to ask what’s going on. Of course, race and gender can play a large part of your world perspective, but it is a disservice to think this is the true litmus test of diversity. We strive to gain a deeper understanding of the story of each person. This is a challenge.”
With the diversity issues in the cybersecurity field today, Scheppers finds that one solution is for companies to start catching a wide range of excellent people at entry-level positions and train them up. He says, “If companies want to increase diversity, they will have to make it accessible at an entry-level. Then, they can move these competent people to the upper levels. We’ve been successful with this model in our organization. Most of my supervisors have been women,” Scott concludes.
What are some steps to break into the industry?
Scheppers provides this advice for those interested in cybersecurity, “If I was trying to break into any new industry, I would start with figuring out the fundamentals. That includes finding people in the industry to talk with. If you don’t know anyone personally, join public forums and start growing your network. People who are already in the field are the best ones to seek insight from. They might give you tips and suggest places where you can get more information. As they become a part of your network, they may even help by recommending you jobs in the future.”
He continues, “I would also look into some courseware to get a basic understanding. This is where your network and research can come in handy for suggestions. There are also great community college classes out there that can help point you in a helpful direction as well. Don’t underestimate the vast amount of information on-line. I’m almost certain you can find fundamentals for any certification or issue for free online.”
Some of the organizations that are at the top of most cyber professionals list today include: Cloud Security Alliance (CSA), SANS Institute, ISACA, and Women in Cybersecurity (WiCys). In addition, the two major cybersecurity conferences, RSA (held annually each spring in San Francisco) and Black Hat (held every August) have traditionally provided free conference passes to students and recent graduates who want to attend. Both shows highlight the industry’s latest innovations, offer presentations and classes for learning about cybersecurity, and provide networking with industry professionals.
From a hiring perspective, Scott says he looks for people who simply show initiative to learn. “At the core, I want to see someone who has a hunger. They may have demonstrated that hunger by taking courseware and getting a certificate. But that’s not the only way. I’ve seen a resume of someone who was a server in the food industry and demonstrated amazing customer care. At the end of the day, the key is to show initiative at some level. How badly do you want it?”