Recent news and office conversation point to a talent pipeline shortage as the root cause of the growing number of unfilled cyber roles across the industry. However, I see a pipeline that’s overflowing with opportunities for organizations to build a bench of future cybersecurity leaders — here's how it can be accomplished.


Where the industry is focusing

There are countless organizations, both nonprofit and for-profit, focused on educating cybersecurity professionals at every stage of their careers. For those who have the financial resources, there are organizations that offer cybersecurity boot camps or provide degrees in cybersecurity, most of which did not widely exist 10 years ago. For professionals without the financial means to invest in their skills, there is a growing number of organizations that provide scholarships. There are also scholarships for underrepresented communities in technology, including those focused on women, people of color and veterans. Every year, these resources are educating more and more people to become potential cybersecurity professionals. Given this, why isn’t the number of unfilled cybersecurity jobs decreasing?

I believe the problem is the lack of entry-level cybersecurity programs at companies across industries beyond consulting, where there is already an established precedent for teaching entry-level associates the skills needed to transition from full-time students to full-time professionals, especially in hybrid and virtual work environments.

At MassMutual, we are addressing this issue on our enterprise security team. Since the pandemic, we have embraced the challenge of upskilling a virtual workforce, including welcoming interns to the team, many of whom are eventually offered full-time roles. In 2020, companies with cyber programs across industries discontinued their internship programs; we took this as an opportunity to create a unique experience and build a talent pipeline.


Where the industry should be focusing

While increasing diversity in the pipeline should continue to be a focus, we also need to create opportunities to convert newly educated talent into skilled professionals. People joke that every entry-level cybersecurity position requires two years of experience. That’s because most organizations, especially under difficult economic conditions, are focused on the bare minimum number of roles necessary to build and run an effective cybersecurity organization today, not necessarily the talent needed to run these programs three, five or even 10 years from now.

Those roles require knowledge and skills not only built from classroom-based education but also hands-on experience. Organizations can train people from diverse backgrounds and educational experiences, but they won’t be successful in shrinking the cybersecurity job shortage unless they dedicate their time and resources to provide early-career professionals with real-world training. That means allocating front-line managers’ time to working alongside new analysts. That also means dedicating leaders to mentoring each new class of first-year associates.

For example, MassMutual ensures every intern has a “buddy,” most often from a different part of the cybersecurity organization, giving them broader exposure to different areas. We also curate a speaker series for interns to hear from various leaders across the organization. We make it easy for them to network with skilled colleagues, solicit advice and guidance, and leave the program feeling like their talent was invested in. While we have some expectations of the interns adding value to the team, we ultimately strive to create an environment where they can learn the hands-on skills needed to secure entry-level roles.

In 2022, MassMutual commenced our official Cyber Pathfinders program, in which our recent intern-converted new hires had the opportunity to enter a two-year rotational program gaining experience in multiple parts of the cybersecurity organization. This ultimately strengthens our talent pipeline: Our interns and Pathfinders are our future leaders and CISOs.

In the larger macroeconomic environment, it's easy to cut internships and early rotation programs when an organization is faced with impending layoffs and other difficult financial decisions. This is only widening the talent gap and making it harder to fill skilled cybersecurity roles. Organizations must commit to investing in early career programs to prime their cybersecurity talent pipeline. Much like the healthcare profession, where recent graduates aren’t expected to perform patient duties without oversight on day one of their jobs, cyber experts need to provide ongoing guidance and direction.


A call to action

Not every organization has the resources to create a full intern and rotational program. It’s still important to think creatively about how to give students critical learning opportunities without a significant financial investment. Think about what’s needed for them to grow into future leaders, ensuring a cycle of growth and success.

Promoting and developing existing talent from within is one of the most tangible ways to create space for entry-level positions when faced with limited headcount. No matter an individual organization’s circumstances, remember that it can’t expect a newly graduated student to automatically be a high-performing professional. While it’s the new hire’s responsibility to come with the intellectual curiosity and willingness to learn, it’s the organization’s responsibility to teach them.