We spoke with Sam Rigelsford, Director of Global Cyber Defence & Security Operations within Willis Towers Watson. Sam has been recruiting heavily and given the usual issues that happen within the SOC burn out, quick turnover of staff etc, Sam has managed to build and maintain a great team and decided to share with us his thoughts on the cyber skills gap.
I’ve heard many of my peers discuss the skills gap, and I’ve noticed consistently that there are as many interpretations of the phrase as there are ideas to fix it. So let’s handle that first shall we?
Are there enough cyber practitioners to fill the open vacancies, to meet the market demand, whereby said practitioner has done this task or used this tool before and can ‘hit the ground running’? Absolutely not.
Are there enough people who are smart enough to do the job once they know how, and would really actually quite like to become the afore mentioned cyber practitioners? Absolutely!
So, the issue really isn’t that there aren’t the people, it’s that there aren’t the people who have the experience already. Less of a skills gap and more of an experience gap then, or dare I say a development gap. That to me seems a lot easier to fix, you give the people in the latter category some experience and voila.
So why don’t we do it? Well, it’s hard, or at least perceived to be. With limited budgets and headcount available, hiring managers can choose between a fully developed and ready-to-go practitioner, or someone they need to develop. So really this is a conversation about tactics versus strategy.
Tactically you have a position to fill so it makes sense to fill it with someone who can already do everything you need them to do; Strategically you have a security team which will certainly experience attrition, and may even experience growth. In this case you have a number of future roles to fill. Thinking many moves ahead, like the best chess players, will pay off in the longer term. So much of Information and Cyber Security is fire fighting though, and it takes courage to plan for the long term at the expense of the here and now.
But what if I spend all that time and effort on developing someone, for them to just leave? Well that is a risk of course, so is the risk that the experienced hire you brought in instead who knows how the network hangs together leaves and there’s no-one to readily take their place because they weren’t upskilling anyone to develop them into the role. It’s not a risk you have to just accept though, and this is where so many employers go badly wrong.
One question employees who are looking to learn and grow (these are the ones you want, for the avoidance of doubt) will ask in interviews is ‘What opportunities are there for me to develop?’ Do you have a formal training budget, more experienced hires that they can shadow, vendor training when you buy that new technological silver bullet? That’s all well and good, but what you as a hiring manager should be asking is ‘What’s the HR policy on promotions and progression?’
The most common issue I’ve personally run into when developing a security team is the dreaded annual cycle with a 10% pay-rise cap. When an analyst needs to wait for the magic month and can get a 10% raise, or alternatively move somewhere else and get a 30/50/100% raise, nine times out of ten they’ll do exactly that. Quite simply the security market does not move at the pace of a traditional business role. Progression is faster because the experience is in demand, and as long as that is the case salaries will remain high and competition for good practitioners fierce. Ultimately before you even think about embarking on developing a talent pipeline through the team you need the buy in of your HR Director (and probably the CFO too for that matter). They will need to understand the economics of the security market which are very different to other trades.
All the best things are hard work though, right?
Taking people with skills and developing them to gain experience is the right thing for individuals, companies, and the industry at large. Gradually this closes the experience gap (remember there wasn’t a skills gap in the first place).
InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. All our actions are underpinned by our core values:
- Always do the right thing
- Be the best we can be
- Add value
Working with exciting cyber and IT scale-ups and FTSE100 corporates, we find the cyber and tech leaders today who enable secure business tomorrow.