SANS-GIAC - WFS - Report - 2024 r8.2
Attract, Hire, and Retain Mid-Level Cybersecurity Roles

Discover how Human Resource Managers and Cybersecurity Managers can work together to build and maintain a high-performing cybersecurity team
Table of Contents

The 20,000-Foot View (page 3)
Let’s Face the Facts (page 4)
About the Research & Respondents (page 6)
Analyzing the Top 5 Work Roles (page 8)
Hypothesis (page 9)
Perceived Cybersecurity Team Effectiveness Is High (page 10)
Combatting Hiring Challenges (page 11)
Use of NICE Framework (page 12)
Retaining Mid-Level Roles (page 17)
The Value of Training (page 20)
Senior Management Investment Is Essential to Success (page 22)
Diving Deeper into the Top 5 Mid-Level Work Roles (page 23)
Key Takeaways (page 26)
Appendix: Workforce Case Studies (page 28)
Case Study • Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring • Sharifa Bernard (page 29)
Case Study • Challenges and Solutions in Cybersecurity Management, Training, and Recruiting • Dr. Austin Cusak (page 30)
Case Study • Strategies for Training and Hiring in the US Government • Matt Swenson (page 32)
Case Study • An HR Perspective on Cybersecurity Hiring Challenges and Solutions • Leidos (page 33)
Case Study • Developing Successful Cybersecurity Maturity Models • Jay Bhalodia (page 34)
Case Study • Lessons Learned on the Impact of Training on Hiring Success • Jon Brickey (page 36)
Acknowledgements (page 37)

The 20,000-Foot View

This research report is based on a first-of-its-kind survey that analyzed the cybersecurity workforce with the goal of identifying the key factors to successfully build high-performing cybersecurity teams, specifically focusing on efforts to hire and retain mid-level cybersecurity professionals. The survey results analyzed in this report zero in on five of the top cybersecurity work roles defined within the National Initiative for Cybersecurity Education (NICE) Framework, selected based on supplementary data from CyberSeek, a knowledge base that provides detailed reporting of supply and demand in the cybersecurity job market.

Human resource managers and Cybersecurity managers – specifically, those who are responsible for attracting, hiring, and retaining mid-level cybersecurity practitioners – can look to this report’s key takeaways to tailor their hiring and talent management practices for overall quality and strategic skills development for their cybersecurity teams.

In this report, you will also find a variety of excerpts from case studies that were performed in parallel with the survey. We believe these case studies help demonstrate what cybersecurity teams look like when they are backed by successful hiring and development practices. Full case studies can be found in the appendix.

The 2023 Cybersecurity Workforce survey, conducted by SANS and GIAC, with assistance from NICE and SHRM, provides the basis for all data and information provided in this study unless otherwise specifically stated.

The views expressed in this paper are the personal views of each respondent and do not necessarily represent the views of their employers, past or present, or any other party.
2024 SANS | GIAC RESEARCH REPORT: ATTRACT, HIRE, AND RETAIN MID-LEVEL CYBERSECURITY ROLES
High-Performing Teams Are Built Through Training

The most effective strategy for developing high-performing cybersecurity teams is to hire mid-level staff with strong cybersecurity fundamentals in a particular work role and then provide training to meet specific job requirements, primarily through certification-based training.

Challenges Persist in Education and Standardization

The industry faces education and standardization challenges, particularly regarding terminology in job postings, resumes, certifications, and career paths.

There’s a Difference Between a Cyber Skills Gap and Headcount Gap

Successful companies tend to address skills gaps directly through training, whereas addressing headcount gaps remains an industry-level concern.
Research Details

The survey behind this research report polled HR and Cybersecurity managers involved in the hiring and retaining of cybersecurity staff across a wide range of industries and company sizes. In addition to quantitative research, the report references several qualitative case studies produced from in-depth interviews with respondents. Interviews with respondents and full case studies can be found in the appendix.

Respondent Details

57% of respondents were part of large organizations, defined as having 1,000+ employees. (see figure 1)

[Figure 1: respondents by organization size, percentage on the vertical axis; 57% of respondents are from organizations with 1,000+ employees]

[Chart (caption not recovered): respondents by industry, with categories Consulting, Other, Financial, Insurance, Manufacturing, Transportation, Government (Defense), Retail, Non-Profit, Utilities, Healthcare, Entertainment/Hospitality, and Government (State/Local)]

Nearly half of all respondents (48%) indicated they provide cybersecurity services (30%) or cybersecurity products (18%). This means that the other half of respondents are from companies that need cybersecurity to keep their company safe. (see figure 2)

[Figure 2. Security Purpose: Internal Operations, Selling Products or Services. Internal Cyber Operations 52%, Provide Services 30%, Sell Products 18%]
Across our base of respondents, Figure 4 shows the distribution of respondents currently participating in the hiring of a candidate for each defined work role explored in this study. The most in-demand position from a hiring perspective is currently a Systems Information Security Analyst.
Would You Rather Have Not Enough Staff or Not Enough Skill?

were asked to rate their level of concern on a scale from 1 to 10. On average, managers who were concerned with staffing shortage rate their concern at 6.9 on a scale of 10. Similarly, on average, managers who are concerned with staff not meeting skills requirements rate their concern at 6.94. (see figure 6)

[Figure 6. Level of Concern: Scale of 1-10]

especially when hire-and-train strategies are integral to the

It’s worth noting that two of the lowest-ranking options in this dataset challenge common misconceptions about cybersecurity roles: high turnover and a lack of loyalty. In reality, these aspects may not be as significant a problem as widely believed.
Use of the NICE Framework

When respondents were asked if they use the NICE Framework, 14% said that they use it and 56% stated they do not use it. A surprising 30% were uncertain whether or not they used it. (see figure 8)

This presents an impactful opportunity for improvement. Wider adoption of the NICE Framework across an organization could facilitate communication and collaboration between HR managers and cybersecurity managers.

[Figure 8. Does Your Organization Use the NICE Framework for Cybersecurity Work Roles and Job Applications? Yes 14%, No 56%, Unsure 30%]

Working Better Together: HR and Cybersecurity Managers

Cybersecurity Managers

In the survey, Cybersecurity managers expressed a strong desire for a more seamless collaboration with HR. 37% of Cybersecurity managers believe that HR could better support cybersecurity recruiting efforts by developing a deeper understanding of cybersecurity roles. Having a better understanding of cybersecurity roles would naturally foster better qualification of candidates, which 17% of Cybersecurity managers identified as a way that HR could better support hiring efforts. Furthermore, 14% of Cybersecurity managers emphasized the need for improved collaboration. (see figure 9)

It’s worth noting that there have been instances where Cybersecurity managers have opted to bypass the HR department to enhance their hiring effectiveness or to avoid the frustrations and inefficiencies that sometimes accompany traditional processes. This underscores the urgency to bridge the gap and streamline communication and cooperation between these two essential facets of the hiring process.

HR Managers

Similarly, 46% of HR managers emphasized the need for enhanced collaboration between HR and Cybersecurity managers. Notably, they are also keen on maintaining standardization, as indicated by 31% of the responses, which makes the case for wider adoption of the NICE Framework. As shown in the previous survey results, one can conclude that HR managers and Cybersecurity managers each have a desire to work together better to create a more efficient and effective hiring process. (see figure 10)

[Figure 10. How Could HR Managers Better Support Cybersecurity Recruiting Efforts? Standardization of work roles, job description, etc. 31%; Better collaboration 46%; Specific list of job requirements 15%; More flexibility 4%; Other 4%]

Case Study Snapshot

There is no common lexicon – especially across HR and Cybersecurity managers in terms of sourcing and recruiting and accurately understanding staffing requirements, said Dr. Austin Cusak, a Technical Leadership Program Manager with the Department of Homeland Security. Technical terms are often misused or confused, which promotes a suboptimal environment for effective matchmaking between applicants and staffing requirements. Furthermore, Dr. Cusak, in his experience, has seen HR management force outdated best practices on the cyber workforce, which hampers recruiting, career planning, and systematic advancements. These inefficiencies generally exacerbate the cybersecurity staffing shortages by unnecessarily exaggerating the average time-to-hire, typically measured in multiple months, for critically understaffed cybersecurity roles.

See the Appendix for Dr. Austin Cusak's full Case Study, Challenges and Solutions in Cybersecurity Management, Training, and Recruiting
This is especially critical given that a substantial 57% of cybersecurity hiring originates from internal sources. This includes promotions or upskilling from within the organization (35%) and referrals from current employees (22%). (see figure 11)

[Figure 11: Internal sources 57%, External sources 43%]

Looking at recruitment sources broken out by work role, as shown in Figure 12, more patterns emerge. Information Systems Security Managers tend to be nurtured and promoted from within the organization more frequently than other roles examined in this study. Security Architects are often sourced from external channels. Nevertheless, it is noteworthy that the general pattern of candidate sourcing remains relatively consistent across all five work roles.

[Figure 12. Recruiting Sources by Work Role (percentage by role)]

Achieving such standardization is a pressing industry-wide need, requiring substantial education and time for widespread adoption. Until this occurs, managing the continuous influx of potential candidates through third-party websites can demand a considerable amount of effort.

[Figure 13. HR’s Most Effective Recruiting Sources. Recoverable bars: LinkedIn 32%, Staffing agencies 5%, Hacking competitions 3%, Other 3%]

It’s also worth noting that HR managers predominantly focus on actively recruiting Information Systems Security Managers (47%), even though this role is most often sourced from within the organization, a pattern that is also seen with Security Architects (18%). (see figure 14)
Despite these imbalances, the time-to-hire duration across the five mid-level work roles remains reasonably consistent, albeit somewhat prolonged, whether it involves managers, architects, or analysts. (see figure 15)

[Figure 15. Time to Hire by Role, in days. Roles on the horizontal axis: Information Systems Security Manager, Security Architect, Forensics Analyst, Systems Information Security Analyst, Vulnerability Assessment Analyst; bar values as they appear left to right: 98, 97, 88, 86, 81]

In the context of staff retention, we surveyed managers to identify the top three challenges they face in retaining cybersecurity professionals. Salary remains the primary challenge. Intriguingly, the second and third most frequently cited challenges relate to the absence of a defined career path and the inadequacy of progressive training. Together, the lack of a defined career path and progressive training account for a significant 31% of retention challenges. (see figure 16)

Because defined career paths and progressive training options work hand in hand, any meaningful progress that a company makes toward providing progressive training will also contribute positively to efforts to define a career path.

[Figure 16. Top 3 Retention Challenges (cybersecurity). Legend categories: Lack of defined career path, Lack of progressive training, Lack of remote work options, Benefits package competitiveness, Wrong skill set upon hire, Lack of loyalty within cyber staff, Other]

Investing in new hires and developing home-grown experts should lead to the most sustainable results. Unfortunately, many organizations, especially private industry, disproportionately focus on identifying the “best athletes” that often keep circulating to the highest bidder with little affinity and diminished value to the organization. As Jay puts it, “If we are buying talent all the time, we will run out of money.”

Below are several of Jay’s general recommendations for positioning for sustainable success:
• Know who you are, where to compete for talent, and composition of your current workforce to add balance
• Utilize best-of-breed training and focus on recruiting of those that bring diverse experiences “sitting in the seat” of roles that will add to your workforce’s expertise or culture
• Look for passion over experience, including passion for the craft, community and industry, preferably more than one
• Don’t be afraid of training people because they might leave; ultimately investing in people will increase their desire to stay
• Recruit for passion, and critically review your requisitions to confirm requirements versus preferred qualifications; where possible, default to more inclusive language like “interest in” over “experience with”

See the Appendix for Jay Bhalodia's full Case Study, Developing Successful Cybersecurity Maturity Models
[Chart (caption not recovered): average rating on a 0-10 scale for Meaningful work 6.57, Competitive salary 6.14, Flexibility 5.01, Other 0.21]

See the Appendix for Sharifa Bernard's full Case Study, Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring
On-The-Job Training vs. Traditional Training Methods

When comparing the value of on-the-job training versus traditional training methods (technical, classroom, and lab-based training), survey respondents valued the two forms of training almost equally, with on-the-job training scoring 8.6/10 and traditional training scoring 7.9/10. With these numbers being nearly equal, this data supports the notion that on-the-job training and traditional training go hand in hand as critical success factors.

Over 68% of respondents affirmed that they face challenges related to providing essential training for their cybersecurity workforce. When asked what hurdles they face when it comes to training mid-level cybersecurity professionals, 40% stated the lack of cybersecurity training budget, followed by 38% stating the lack of time/staff to get training (see figure 19). Nearly 14% indicated a lack of flexible training options, and only 4% reported that there was no shortage of applicable training.

These findings suggest that when it comes to training, there are flexible opportunities and relevant training courses if time and budget can be prioritized.

[Figure 19. Challenges Faced When Providing Training for Practitioners]

Hands-on and technical skills are readily quantifiable and demonstrable through certification-based training, which is preferred over traditional degree-based education by a ratio of 2 to 1 across all work roles, as shown in figure 20.

Education, hands-on experience, and certifications all remain critical elements in the context of candidate selection and job interview invitations. It’s worth noting that, on average, across the five mid-level work roles, higher levels of formal education become progressively less influential when compared to the weight carried by role-based courses and certifications (see figure 20). This shows that someone new to the cyber industry can set themselves apart from the rest simply through training and certifications, regardless of their education or professional background.

[Figure 20. What Do You Value Most When Hiring Mid-Level Practitioners? Percentage by category: Some IT course work or certification-based training; Formal Education: BS in Computer Science or related field; Formal Education: MS degree in Computer Science or a related field; Formal Education: PhD in Computer Science or related field. Series shown: Vulnerability Assessment Analyst, Security Architect, Information Systems Security Manager]

See the Appendix for Jon Brickey's full Case Study, Lessons Learned on the Impact of Training on Hiring Success
Despite the growing need for organizations to invest in cybersecurity measures, only 50% of respondents stated that upper management provides them with the necessary resources and support for building and managing a cybersecurity workforce.

Diversity Is Top of Mind

Nearly 80% of respondents indicated that Diversity, Equity, and Inclusion (DEI) is becoming an integral part of their organizational culture, painting an encouraging picture. Additionally, 71% of respondents expressed a commitment to prioritizing the recruitment of diverse candidates within their cybersecurity workforce. Figure 21 shows the five most common methods for DEI-focused recruiting. These findings highlight a dedicated and proactive approach toward promoting and enhancing diversity within the cybersecurity sector.

[Figure 21. The Five Most Common Methods for DEI-Focused Recruiting]

The other senior position studied, the Architect role, calls for an average of 6 years of experience. In contrast, the three analyst roles, which are considered more junior positions by comparison, demonstrate relatively consistent prior experience requirements, with an average ranging from 3 to 4 years.

[Figure 22. Previous Experience Requirements by Work Role, in years: Information Systems Security Manager 9, Security Architecture 6, Systems Information Security Analyst 4, Forensics Analyst 3, Vulnerability Assessment Analyst 3]

See the Appendix for Matthew Swenson's full Case Study, Strategies for Training and Hiring in the US Government
Preferred Types of Experience by Work Role

The next few figures convey what types of experience respondents are looking for when hiring for each of the top work roles. Note: Answer sets are specific to the work roles and may differ from role to role. For four of the five work roles examined, the highest-scoring factor in terms of preferred experience is the “comprehension of cybersecurity fundamentals.”

[Figure 25. Preferred Type of Experience: Vulnerability Assessment Analysts. Types of experience: Comprehension of cybersecurity fundamentals; Applied system security issues based on the analysis of vulnerability and configuration data; Prior maintenance of systems security; Developed and applied security system access controls; Conducted vulnerability scans and recognized vulnerabilities in security systems; General cybersecurity duties; Other]

[Legend items from an adjacent chart whose caption is not recovered: Managed cybersecurity of a program, system or enclave; Determined how a security system should work and recommend how changes in conditions, operations, or environment will affect these outcomes; Previously a manager or team lead; Managed an organization’s policies and procedures; General IT duties; Evaluated cybersecurity vendors and products]

[Figure 24. Preferred Type of Experience: Security Analysts. Types of experience: Comprehension of cybersecurity fundamentals; Applied network security architecture concepts including topology, protocols, components and principles (e.g. application or defense-in-depth); Previously designed network infrastructure based on industry best practices; Implemented network and data-centric controls to balance prevention, detection, and response; Performed vulnerability testing and provided risk-informed decision-making; General IT duties]

[Figure 27. Preferred Type of Experience: Forensics Analysts. Types of experience: Comprehension of cybersecurity fundamentals; General IT knowledge; Skill in digital data collection and log analysis; Previous experience with computer-based or criminal investigations; Understanding of law and how it applies to digital investigations; Other]
Key Takeaways

Based on the execution and analysis of this survey, along with the case studies featured throughout the report and in the Appendix, the following findings can be applied and considered to attract, hire, and retain mid-level cybersecurity roles.

Training (technical, classroom, and lab-based training)

There’s a consensus in both the study data and case studies that the most effective strategy to develop high-performing cybersecurity teams is to hire mid-level staff with strong cybersecurity fundamentals and then provide training to meet specific job requirements. The most effective training proved to be a blend of on-the-job training and more traditional training methods such as classroom, lab-based, or certification-based training methods. This approach helps rapidly fill current cybersecurity job vacancies while also retaining talent within the organization.

Skills Gap vs. Headcount Gap

Approximately one-third of respondents believe that the cybersecurity gap is skills-based, while two-thirds see it as a headcount gap. This points to a healthy job market with high annual turnover. Successful companies tend to address skills gaps directly through training, whereas addressing headcount gaps remains an industry-level concern.

inefficiencies in the cybersecurity job market, as well as for the HR managers working to recruit talent. This can be improved through wider adoption of the NICE Framework, which, if utilized broadly, helps teams across industries speak the same language around cybersecurity hiring, development, and retention.

Senior Management Investment is Essential

Senior management should consider allocating more resources, both in terms of budget and upgrading their own education and awareness, to address current market inefficiencies. The rapidly expanding cybersecurity industry often lacks senior management with impressive cybersecurity credentials, which hinders mentorship and guidance for cybersecurity staff aspiring to transition into management roles. Furthermore, if senior management does not understand the risks or is lacking in their knowledge of cybersecurity, that in turn puts the organization at even greater risk.
Appendix: Workforce Case Studies

With the help of top cybersecurity leaders from leading organizations across the United States, these case studies were conducted to help demonstrate what cybersecurity teams look like when they are backed by successful hiring and development practices.

The views expressed in the case studies reflect the personal views of participants and do not necessarily reflect the views of their organizations. Interviews were conducted with Amazon, CISA, Black Rainbow Group, Leidos, Microsoft and Mastercard.

2024 SANS | GIAC Research Report • Case Study 2023 • Sharifa Bernard

Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring

This case study presents insights from an interview with Sharifa Bernard, Learning & Development Program Manager at Amazon Web Services (AWS), highlighting innovative strategies in cultivating Amazon’s cybersecurity workforce.

Approach to Assessments

Bernard advocates for the implementation of performance and lab-based testing application assessments. Emphasizing the importance of real-world and aptitude-based training, she believes these assessments offer a more accurate gauge for predicting success or failure in high-pressure cybersecurity environments. Bernard spearheads pioneering initiatives at Amazon aimed at sustainable growth and development within the cybersecurity domain.

Cyber Teaching Hospital Concept

An extension of the apprenticeship program, Amazon’s adaptation of the teaching hospital concept mirrors an environment where aspiring doctors are consistently trained to approximate their eventual workplace. Similarly, early-career cybersecurity staff at Amazon are trained in an environment closely resembling real-world scenarios, mitigating risks while being primed for “actual” work experiences. This fail-fast methodology fosters rapid learning in a consequence-free environment, resembling the pace and challenges of cybersecurity. By cultivating a robust generalist cybersecurity foundation in early-career staff, Amazon aims to facilitate smooth transitions to specialized roles within the dynamic cybersecurity landscape.

Apprenticeships
2024 SANS | GIAC Research Report • Case Study 2023 • Dr. Austin Cusak

Challenges and Solutions in Cybersecurity Management, Training, and Recruiting

This case study was produced from an extended interview engagement with Austin Cusak, Ph.D., a Technical Leadership Program Manager at the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency. The views expressed in this article are the personal views of Dr. Cusak and do not necessarily represent the views of CISA/DHS or of the United States.

Challenges

Cybersecurity stands as a paramount and rapidly expanding technical domain, both nationally and globally, owing to its pivotal role in thwarting impending cyber threats. Safeguarding a spectrum of information – from proprietary and confidential data to personally identifiable details, intellectual property, and diverse datasets – has become an enduring digital imperative that’s critical for businesses, governments, and societal well-being. Dr. Cusak highlights multiple challenges he is facing as he works toward progressing and maturing cybersecurity within the United States.

Recruiting

Dr. Cusak emphasizes the lack of a shared vocabulary that is particularly evident between HR and Cybersecurity managers around sourcing, recruiting, and accurately defining staffing needs. Confusion of technical terms or the misuse of terms across teams can make it more challenging to align appropriately qualified applicants with the requirements of the job. In addition, the recruiting process often involves HR imposing outdated practices upon the cybersecurity workforce, which can impede recruitment, career planning, and overall progress. The way these inefficiencies are observed within cybersecurity recruitment includes a prolongment of the average time-to-hire, often by several months, which can negatively impact already understaffed cybersecurity teams. In such a scenario, Dr. Cusak points to the use of the NICE Framework at the HR level

of which ultimately hamper efficient and effective identification of need-conforming true talent. Dr. Cusak says, “there is truly an over-reliance on junk certifications,” which typically measure knowledge versus aptitude while purporting to provide technical and leadership training for career advancement.

Management/Advancement to Leadership Roles

Another critical concern, linked to the issues in recruitment and training, lies in the lack of a well-defined pathway for career progression from technical cybersecurity roles to leadership positions and ultimately low and middle management roles. This poses challenges in effectively managing the cybersecurity workforce, which can lead to employee dissatisfaction and increased turnover – both at the staff and managerial levels.

“Career advancement from cybersecurity technical staff into technical leadership and eventually low and middle management roles is not a well-defined track or path. This creates challenges in terms of suitable management of the cyber workforce, challenges that can help lead to increased turnover and employee dissatisfaction, both at the staff and managerial levels. The heroic desire to be the best of the best at something, or even everything (except management)” is another challenge Dr. Cusak pointed out clearly.

“Also, without role models and mentors in the managerial ranks with bona fide cybersecurity street cred, well-

Solutions

The maturity of the cybersecurity ecosystem is generally following the path of other new paradigms before it, including accounting and information technology for two examples, so there is legitimate confidence that it will become more standardized and optimized over time. Additionally, Dr. Cusak pointed out the importance of reviewing what other countries are doing, both friends and enemies – naming Israel, Russia, China, Iran, North Korea – in terms of how they are making advancements and mimicking appropriate best practices. Below we detail some of the suggestions for improvement that came out of our discussion with Dr. Cusak.

Recruiting

In the ever-evolving cybersecurity realm, adopting an unconventional and proactive approach that diverges from traditional norms in employee recruitment often yields superior results. Dr. Cusak, for instance, actively participates in hacking competitions as a means of engaging with promising cybersecurity professionals, an approach he has found to be notably successful for recruiting. He advocates for encouraging younger individuals in the United States to experiment with available cyber tools like Kali Linux, Wireshark, and Snort within controlled environments to cultivate their “technical confidence.” This grassroots initiative aims to cultivate a continuous influx of cyber-curious talent for future generations.

To achieve this, an emphasis on enhancing professional communication within the cybersecurity domain is imperative, beginning with the standardization of a unified cyber lexicon. This standardized terminology should be embraced not only by cyber hiring managers but also by HR professionals. This first step toward professionalization will inevitably lead to better recruitment and retention, but it also demands consensus among all stakeholders involved in the talent management process. Adopting the NIST NICE Framework comprehensively would serve as a fundamental basis for this

Cyber professionals hone their technical skills by engaging in problem-based experiential learning, but most management/leadership training is taught only at the conceptual level. More hands-on practice is thus necessary to turn management soft skills into “power skills.” Through this shift, individuals will become better integrated into their organization’s management structure, no matter if they are in government or industry. Dr. Cusak also includes SANS Institute and a few other certification organizations as providing the right type of hands-on, immersive training that can quickly turn concepts into actionable skills, verified through higher quality certifications that are meaningful to hiring managers. With the profession currently flooded with companies over-promising and under-delivering, giving greater awareness and an organizational commitment to those trainings that produce enduring results will lead to better hiring and retention as individuals feel they are cared for by their employer.

Management/Advancement to Leadership

Dr. Cusak points out that a truly effective cybersecurity manager must often take on the role of a professional coach and mentor who guides through questions and setting up stretch tasks, rather than acting as a traditional boss who only gives directions. The core benefit of this approach is building the self-awareness muscles of the technical follower, which is the foundation for them gaining their own personal method for self-reflecting on their behaviors, habits, and leadership tactics. Doing this with a mentor will fast-track the transition into management, which often requires the individual to trade technical skills for conceptual management/leadership skills, while also growing their interpersonal abilities. This is how leaders are grown. The critical role of having and being a mentor/role-model should be evangelized throughout the cybersecurity industry as a current practice that dramatically helps junior technical staff grow into cybersecurity leaders. Dr. Cusak believes it is important to keep on working to accelerate the growth of experiential cybersecurity learning at all job levels, constantly pushing toward professionalization for all practitioners, regardless of what type of organization in which they work.
to introduce a more standardized process for recruitment. compensated technical staff seem generally content in communication strategy, potentially requiring training initiatives
their current roles,” Dr. Cusak says. “Combined, these factors rather than solely relying on an individual’s due diligence.
Training and conditions help fuel a perception that the supply of
Due to dynamically changing cybersecurity staffing needs, cybersecurity professionals is well short of demand, however Training
including the perpetual emergence of new technical skills and it may be more of a case of the staff not being optimally Dr. Cusak enthusiastically recommends the use of experiential-
requirements, a supportive cybersecurity training ecosystem aligned to the nuanced variety of cybersecurity roles.” based leadership courses for all government Cybersecurity
has developed organically over the past decade. A wide leaders, such as those provided by the U.S. Office of Personnel
variety of training options have emerged, including private Management (OPM) that require the use of on-the-spot
industry, traditional and online colleges/universities, the military mentor feedback during training as well as challenging
and non-profits, together offering everything from simple skill practice activities. For both government and industry,
training to certificate-based training, immersion training, and sending current/future managers to soft skills training using
advanced degrees for cybersecurity professionals. However, a experiential learning groups (such as a coaching institute)
lack of standardization of training creates confusion between will best prepare cybersecurity technical staff for new roles in
cybersecurity hiring managers, HR, and the job candidates, all leadership, and eventually low and middle management roles.
2024 SANS | GIAC Research Report • Case Study 2023 • Matt Swenson
Strategies for Training and Hiring in the U.S. Government

This case study shares insights from an interview with Matthew Swenson, Chief Executive Officer - North America at Black Rainbow group, delving into his tenure and experiences, notably from his time with Department of Homeland Security Investigations.

2024 SANS | GIAC Research Report • Case Study 2023 • Leidos
An HR Perspective on Cybersecurity Hiring Challenges and Solutions

This case study offers insights into cybersecurity challenges and solutions from an HR perspective based on an interview with Leidos, an information technology engineering firm.
2024 SANS | GIAC Research Report • Case Study 2023 • Jay Bhalodia
Developing Successful Cybersecurity Maturity Models

This case study was produced from an interview conducted with Jay Bhalodia, Managing Director, Security Customer Success at Microsoft Federal. Prior to Microsoft, Jay previously worked at Booz Allen Hamilton (BAH) and small business 8(a) government contractor Emagine IT. This case study highlights his successes in developing cybersecurity maturity models at Emagine IT and Microsoft, in particular for cybersecurity delivery and services staff.

Before delving into the specific models, Jay addresses some general aspects of the cybersecurity industry that are especially relevant in this context. While acknowledging the pervasive shortage in the cybersecurity workforce, he also highlights structural challenges in talent acquisition versus talent development that contribute to this scarcity. By instituting robust training programs, organizations can cultivate their own cybersecurity talent pool, ultimately augmenting their workforce internally over time. The most impactful training approach tends to be a tailored mix of in-house and outsourced sessions, emphasizing aptitude assessment and culminating in certification achievement. This training paradigm should establish integral feedback mechanisms to ensure continual improvement in overall effectiveness over time.

Jay identifies another contributing factor to the cybersecurity workforce shortage: the abundance of certifications, specialized jargon, and acronyms within the cyber field. Many job requirements mistakenly cite specific certifications or omit crucial qualifications. This certification complexity is compounded by outdated degree prerequisites for cybersecurity roles, which often stem from unconventional backgrounds, erecting artificial entry barriers, particularly for numerous cybersecurity positions. Fostering the growth of new hires and nurturing in-house expertise typically yields the most sustainable outcomes. Regrettably, many organizations, particularly in the private sector, tend to disproportionately prioritize recruiting “top-tier” individuals who frequently switch employers for better offers, resulting in diminished commitment and value for the organization. Jay aptly remarks, “If we are buying talent all the time, we will run out of money.”

Jay made several general recommendations for positioning for sustainable success:

• Know who you are, where to compete for talent, and the composition of your current workforce in order to add balance with your strategy

• Utilize best-of-breed training and focus on recruiting of those who bring diverse experiences “sitting in the seat” of roles that will add to your workforce’s expertise or culture

• Look for passion over experience, including passion for the craft, community, and industry – preferably more than one

• Don’t be afraid of training people because they might leave; ultimately investing in people will increase their desire to stay

• Recruit for passion, and critically review your requisitions to confirm requirements versus preferred qualifications; where possible, default to more inclusive language in your job postings like “interest in” over “experience with”

Small Business Success

From 2013 to 2015, Jay was a line-of-business (LOB) director (Director of Security) for Emagine IT. In his previous work at Booz Allen Hamilton, it was easy to recruit cybersecurity talent, with resumes always flying in the door based on the firm’s name recognition. It was more challenging at Emagine IT due to the lack of name recognition, along with having fewer budgetary resources. In this environment, Jay had to really hunt for potential cybersecurity talent to get top resumes and expertise to consider his new firm. Referrals from existing staff worked out well. In addition, they found strong success with augmenting their cybersecurity staff with contract work sourced through recruiting firms.

It was essential to build a high-quality team in a low-cost environment (the federal small business competitive landscape) for clients to trust Emagine IT with critical future cybersecurity throughout the highly competitive government procurement process. Over time, Jay learned that individuals looking for their opportunity to break into security ultimately had a better growth mindset and grew faster than individuals who were focused on relying on their past experiences. The team quickly pivoted to hiring less experienced candidates and building an accelerated on-boarding model that included shadow, reverse-shadow, and eventually autonomy.

As for staff retention, it was critical to compete on intangibles. They worked to build loyalty for the organization through training, benefits, and culture. Bhalodia pointed out that they needed people that did (or would) live and breathe cybersecurity. Like nearly any other organization, they had some staff who were always looking for a better deal, but they learned how to minimize the impact of intellectual capital leaving the firm over time, as they built enduring relationships with their eventual replacements.

Large Business Success

At Jay’s current employer, Microsoft, he has witnessed them go from not being recognized by the industry as a security company to being “the place to be” in security right now relative to the customer-facing fields such as consultancy, support, etc. Microsoft took a deliberate approach to build their customer-facing cybersecurity consultancy, beginning with aggressive sales and recruiting. By doing this, they were able to grow a security portfolio quickly, if unsustainably, and then were able to transition into more of a customer success model to support their clients.

Jay founded the Microsoft Federal customer success organization from scratch. In just three months, it grew from ten initial strategic hires to 150 people. After the initial strategic hires, the vast majority were legacy system administration and technologists that Microsoft then trained and up-skilled for a variety of cybersecurity roles. The key to those individuals is that they have direct experience within the security industry. Given the composition of his team, Jay led future hiring efforts to focus on adding staff with operational security experience in order to build out his team’s culture and expertise.

Important staff retention tools at Microsoft include perks such as free academic benefits. It is also their philosophy that cybersecurity staff experience industry. For example, in the first year, they took 40 people from Microsoft to industry conferences DEFCON and Black Hat to immerse them in the leading edge of cybersecurity. This gesture helped to accelerate passion among the cybersecurity team. The following year, this investment resulted in 10 different Microsoft Cybersecurity staff self-funding to attend DEFCON. Additionally, at a Microsoft internal hackathon, Jay’s team delivered a project to add voice-based capabilities to Microsoft Security tools. Passionate about increasing diversity within the cyber workforce, the team partnered with a University of Alabama pilot for vision-impaired students to open a career path into cyber. Microsoft continues to source emerging and diverse talent to build the cybersecurity customer success program.
2024 SANS | GIAC Research Report • Case Study 2023 • Jon Brickey
Lessons Learned on the Impact of Training on Hiring Success

The insights shared here are the result of an engaging conversation with Jon Brickey, Senior Vice President and Cybersecurity Evangelist at Mastercard. Leading a dedicated team focused on Security Awareness, Cyber Range, and Strategy & Partnerships, Jon's mission centers on charting career and educational pathways for approximately 800 cybersecurity and IT professionals at Mastercard. Notably, his team's responsibilities encompass training for vulnerability management and the Red Team — an internal group simulating hacker activities, such as penetration testing.

Jon Brickey champions a diverse array of training initiatives to fortify his cybersecurity squad. These initiatives include:

• Cyber Ranges: Immersive adversarial training environments that enable hands-on practice in both defending against and launching cyberattacks, often involving competitive scenarios with other companies.

• Phishing Simulations and Response Training: Preparing teams to identify and respond effectively to phishing attacks

• Compliance Training: Ensuring adherence to industry regulations and standards

• Education with Expert Insight: Engaging guest speakers and subject-matter experts to provide in-depth knowledge

• Individual Risk Scores: Assessing and addressing individual risk factors

• Strategic Partnerships for Business Enablement: Collaborating with internal cybersecurity teams to assess cyber risks and conduct reconnaissance for risk management.

Mastercard collaborates with SANS on cybersecurity training and degree programs. Brickey staunchly asserts, “If you are worried about training and losing people, you should worry about not training them.”

Despite facing challenges, such as top-performing individuals departing for rival companies, Brickey stands by the value of training. He acknowledges the struggle in motivating staff to use their allocated $11,000 per year for accredited colleges, with the most success in NYU’s Tandon program and in the Washington University in St. Louis program. Brickey’s motto of “Mission first, people always,” with a focus on comprehensive training, aids in maintaining an attrition rate below 5%.

Engaging with the complete cybersecurity spectrum, Brickey and his team delve into sourcing, recruiting, coding, defensive cybersecurity, risk assessment, controls, event validation, and collaboration with investigators and legal experts, among other facets. In the quest for talent, Brickey prioritizes aptitude alongside fundamental knowledge, having successfully integrated diverse professionals into his team. Noteworthy hires include a former music teacher, now excelling in the Red Team, a language instructor displaying exceptional Red Team skills, and law enforcement personnel demonstrating excellent investigative capabilities despite limited technical backgrounds. Brickey places immense value on direct relationships with hires. When scouting potential cybersecurity talent, his priorities lie in character, experience, certifications, and education, in that order.

Acknowledgements

Thank you to the following groups for assistance:

Thank you to the following individuals who contributed to the report:

Sharifa Bernard, Amazon
Jay Bhalodia, Microsoft
Jon Brickey, Mastercard
Naomi Buckwalter, Cybersecurity Gate Breakers
Lynsey Caldwell, Leidos
Josiah Cushing, Trusted Advisor Group
Dr. Austin Cuzak, CISA
Deidre Diamond, CyberSN
Dom Glavach, CyberSN
Brian Fraze, Trusted Advisor Group
Liz Lazey, SHRM
Raman Malhotra, Leidos
Rodney Petersen, NICE
Danielle Santos, NICE
Davina Pruitt-Mentle, NICE
Marian Merritt, NICE
Matt Swenson, Black Rainbow Group

Founded in 1989, SANS Institute is the leading authority in cybersecurity research, education, and certification, serving professionals across government and commercial sectors worldwide. Known for their real-world expertise, our instructors deliver more than 85 courses through live, virtual, and OnDemand formats. GIAC Certifications, a SANS affiliate, offers over 50 technical certifications in cybersecurity, ensuring practitioners' skills are accurately validated. The SANS Technology Institute, an accredited college subsidiary, provides advanced cybersecurity degrees and certificates. Additionally, SANS contributes free resources to the cybersecurity community, including original research, webcasts, and the Internet Storm Center for cyber threat monitoring. Central to SANS is our commitment to fostering a collaborative environment for security professionals globally to carry out the mission of making the world a safer place. Visit us at www.sans.org.
www.sans.org
www.giac.org