Build teams from within: Recruiting talent from within the business and training existing employees, even those in traditional IT roles, is what helped another CISO, Chapman shares. “I always ask CISOs, ‘Have you looked internally first?’” he says.

He explains how the CISO of an industrial organization needed OT security engineers but found them hard to source. Instead of hiring externally, he turned to his plant’s control engineers. “[He] asked, who knows the environment better than anyone? Who’s curious about security? And then offered those opportunities internally … and found a couple of people that were interested in cybersecurity, but had no idea about a pathway into cybersecurity,” Chapman explains.

“It wasn’t casual [training]; he built a training and development program that covered core security concepts, practical skills, and he paired them with mentors from the existing security team, ran workshops, and even brought in some guest instructors.”

The approach led to stronger retention, a more resilient team, and deeper cross-functional understanding. “What really stood out was it was inclusive,” Chapman says. “There were engineers who never thought they could pivot into cybersecurity. What was really interesting about that story is that there’s a particular woman, formerly a control engineer, she’s now running vulnerability assessments across all the plants.”

“Where this team had traditional security engineers for OT environments, they also have OT engineers now doing cybersecurity, so both parts of the team are helping each other learn more about the systems.”

Cassidy echoes this sentiment, emphasizing the importance of succession planning. She says programs such as internships and apprenticeships are critical, especially for identifying those eager to pivot into cybersecurity roles.

“Maybe there’s someone in a help desk role that really wants that cyber role. Or there’s someone in software engineering, and they’re tired of code, and want to do something else. Whatever that may be, they need an opportunity,” Cassidy says. “It’s realising you’ve got these eager people that want to do that job. So how do you bridge that gap with those hungry and talented folks?”
Support growth with certification and autonomy: Another strategy the experts advise that can help both retention and professional development is offering support for industry certifications.

“Certifications are worth their weight in gold,” Chapman says. “Covering the cost of credentials, which can run to $10,000 or more, can be a major factor in whether someone stays or goes.”

Cassidy points out that in addition to certifications, there are other upskilling opportunities such as a cybersecurity bootcamp, or online, self-paced programs, signing up for a centre of excellence, while also giving individuals the opportunity to shadow someone already in cybersecurity.

What’s important, they both argue, is to create an environment where professionals feel there’s room to grow, whether that’s building a new team, influencing tool selection, or developing custom solutions. “If you’re hiring for a mid-level manager, if they’re going to inherit a team, is that really a big sell? Whereas if you’re going to let them build a team from scratch, then that’s exciting,” says Chapman.

Cassidy recommends tying development to incremental financial increases, a model that rewards commitment and progression. “If you’re training those folks and giving them incremental financial increases as they hit certain milestones, say every eight to 12 months or if they meet certain KPIs, it can make a difference. I’m not saying it has to be 10% each time, it could just be a bonus. People are financially motivated.”

Ultimately, retention and growth aren’t about ticking boxes; they’re about building relationships and understanding what benefits can be gained by both the cyber professional and their managers.

“It’s a joint process. It’s not one-size-fits-all, but that’s why it’s so important to talk to your staff and work out internally, ‘Okay, this employee’s motivations are X and Y. What am I doing to help them in that journey or aid that progression?’ And not enough people are asking themselves that question,” Chapman says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4004003/what-cisos-are-doing-to-lock-in-cyber-talent-before-they-bolt.html