
2024 SANS | GIAC RESEARCH REPORT

Attract, Hire, and Retain Mid-Level Cybersecurity Roles

Discover how Human Resource Managers and Cybersecurity Managers can work together to build and maintain a high-performing cybersecurity team
Table of Contents

The 20,000-Foot View 3
Let’s Face the Facts 4
About the Research & Respondents 6
Analyzing the Top 5 Work Roles 8
Hypothesis 9
Perceived Cybersecurity Team Effectiveness Is High 10
Combatting Hiring Challenges 11
Use of NICE Framework 12
Retaining Mid-Level Roles 17
The Value of Training 20
Senior Management Investment Is Essential to Success 22
Diving Deeper into the Top 5 Mid-Level Work Roles 23
Key Takeaways 26
Appendix: Workforce Case Studies 28
Case Study • Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring • Sharifa Bernard 29
Case Study • Challenges and Solutions in Cybersecurity Management, Training, and Recruiting • Dr. Austin Cusak 30
Case Study • Strategies for Training and Hiring in the US Government • Matt Swenson 32
Case Study • An HR Perspective on Cybersecurity Hiring Challenges and Solutions • Leidos 33
Case Study • Developing Successful Cybersecurity Maturity Models • Jay Bhalodia 34
Case Study • Lessons Learned on the Impact of Training on Hiring Success • Jon Brickey 36
Acknowledgements 37

The 20,000-Foot View

This research report is based on a first-of-its-kind survey that analyzed the cybersecurity workforce with the goal of identifying the key factors to successfully build high-performing cybersecurity teams, specifically focusing on efforts to hire and retain mid-level cybersecurity professionals. The survey results analyzed in this report zero in on five of the top cybersecurity work roles defined within the National Initiative for Cybersecurity Education (NICE) Framework, selected based on supplementary data from CyberSeek, a knowledge base that provides detailed reporting of supply and demand in the cybersecurity job market.

Human resource managers and Cybersecurity managers – specifically, those who are responsible for attracting, hiring, and retaining mid-level cybersecurity practitioners – can look to this report’s key takeaways to tailor their hiring and talent management practices for overall quality and strategic skills development for their cybersecurity teams.

In this report, you will also find a variety of excerpts from case studies that were performed in parallel with the survey. We believe these case studies help demonstrate what cybersecurity teams look like when they are backed by successful hiring and development practices. Full case studies can be found in the appendix.

The 2023 Cybersecurity Workforce survey, conducted by SANS and GIAC, with assistance from NICE and SHRM, provides the basis for all data and information provided in this study unless otherwise specifically stated.

The views expressed in this paper are the personal views of each respondent and do not necessarily represent the views of their employers, past or present, or any other party.


Let’s Face the Facts


We’ll delve into the results in depth in the pages ahead, but before we get too deep into the data,
here’s an at-a-glance view of the key takeaways you can find in this report:

Perceived Cybersecurity Team Effectiveness Is High
Only 6% of survey respondents indicated their team is not meeting their cybersecurity goals.

Certification-Based Training Is Preferred by Employers
Employers value hands-on training that leads to certifications, as it helps ensure that potential team members possess the necessary skills to excel in their roles before they are hired.

High-Performing Teams Are Built Through Training
The most effective strategy for developing high-performing cybersecurity teams is to hire mid-level staff with strong cybersecurity fundamentals in a particular work role and then provide training to meet specific job requirements, primarily through certification-based training.

Challenges Persist in Education and Standardization
The industry faces education and standardization challenges, particularly regarding terminology in job postings, resumes, certifications, and career paths.

A Blend of On-the-Job Training and Certification of Skills Is Needed
A balanced blend of on-the-job training and certification-based training, with a preference for immersive approaches, is found to be the most efficient method for effective team building.

Investment from Senior Management Is Essential
Senior management should consider allocating more resources, both in terms of budget and their own education and awareness, to address current market inefficiencies.

There’s a Difference Between a Cyber Skills Gap and Headcount Gap
Successful companies tend to address skills gaps directly through training, whereas addressing headcount gaps remains an industry-level concern.


About the Research & Respondents

Research Details
The survey behind this research report polled HR and Cybersecurity managers involved in the hiring and retaining of cybersecurity staff across a wide range of industries and company sizes. In addition to quantitative research, the report references several qualitative case studies produced from in-depth interviews with respondents. Interviews with respondents and full case studies can be found in the appendix.

Respondent Details
57% of respondents were part of large organizations, defined as having 1,000+ employees. (see figure 1)

Figure 1. Respondent Company Size (bar chart: percentage of respondents by number of employees, in bands 0-10, 11-50, 51-100, 101-500, 501-1000 and 1001+; the 1001+ band is 57%)

Nearly half of all respondents (48%) indicated they provide cybersecurity services (30%) or cybersecurity products (18%). This means that the other half of respondents are from companies that need cybersecurity to keep their company safe. (see figure 2)

Figure 2. Security Purpose: Internal Operations, Selling Products or Services (Internal Cyber Operations 52%, Provide Services 30%, Sell Products 18%)

The highest percentage of respondents work in the technology industry (19%), with the remaining respondents distributed over a wide variety of other industries. (see figure 3)

Figure 3. Respondent Industry (pie chart: Technology 19%; the remaining respondents are spread across Government (Civilian), Consulting, Financial, Insurance, Manufacturing, Transportation, Government (Defense), Retail, Non-Profit, Utilities, Healthcare, Entertainment/Hospitality, Government (State/Local) and Other, each at 10% or less)


Analyzing the Top 5 Work Roles

Trends from the CyberSeek database, aligned with work role definitions from the NICE Framework, were used to identify the top five cyber work roles that are most in demand right now.

The HR and Cybersecurity managers self-selected for this study were focused on attracting, hiring, and retaining professionals for one or more of the mid-level work roles below.

Work Role | NICE Framework Category | Aligned GIAC Focus Areas
Forensics Analyst | Investigate | Digital Forensics & Incident Response
Systems Information Security Analyst | Operate and Maintain | Cyber Defense
Information Systems Security Manager | Oversee and Govern | Cybersecurity Leadership
Security Architect | Securely Provision | Cloud Security & Cyber Defense
Vulnerability Assessment Analyst | Protect and Defend | Offensive Operations

Across our base of respondents, Figure 4 shows the distribution of respondents currently participating in the hiring of a candidate for each defined work role explored in this study. The most in-demand position from a hiring perspective is currently a Systems Information Security Analyst.

Figure 4. Breakdown of Respondents Managing the Top Five Work Roles
Systems Information Security Analyst 27%
Vulnerability Assessment Analyst 18%
Security Architect 16%
Information Systems Security Manager 15%
Forensics Analyst 11%

Hypothesis

The fact that there is a significant skills gap in today’s cybersecurity industry cannot be contested. However, the majority of media attention focuses on the quantity of job openings and the lack of people to fill them. The research conducted by SANS, GIAC, the National Initiative for Cybersecurity Education (NICE), and the Society of Human Resource Management (SHRM) shows that the issue the industry is facing is not simply a general shortage in cybersecurity headcount, but rather a gap in hands-on skills and cyber manager expectations.

In other words, to keep up with changing threats and business demands, cybersecurity teams need to be more productive and effective with their skills, not just larger in terms of headcount.

A blended approach of hiring and training practitioners to obtain the right gap-filling skills for your team increases efficiency and productivity while decreasing organizational cybersecurity risks. This supports the idea that having a robust training program in place is a critical success factor for managing an always-expanding and ever-evolving cybersecurity workforce.

Through this report, we will analyze some of the underlying drivers of this cybersecurity workforce ecosystem.


Perceived Cybersecurity Team Effectiveness Is High

When evaluating the effectiveness of an organization’s cybersecurity team, it is often useful to consider the perception of how the team is meeting the stated cybersecurity objectives.

When asked how effective they perceived their team to be, 54% of respondents indicated that their teams were meeting or exceeding goals. Out of the 46% remaining respondents, 40% of them stated that their teams are partially meeting their goals.

While only 6% of respondents stated that their teams are not meeting their goals, it is important to remember that this is a poll of perception. As we drill further into the responses, other data subsets present different findings, leaving room for meaningful improvement and optimization in mid-level hiring and retention practices. (see figure 5)

Figure 5. Cybersecurity Effectiveness
Meeting goals 42%
Exceeding goals 12%
Partially meeting goals 40%
Not meeting goals 6%

Would You Rather Have Not Enough Staff or Not Enough Skill?

Respondents were also asked to identify which was a bigger concern for them: Not having enough staff, or having the staff but those staff members not meeting the technical requirements of the job. Concerns over staffing level versus staffing skills are evenly divided. Respondents were asked to rate their level of concern on a scale from 1 to 10. On average, managers who were concerned with staffing shortage rate their concern at 6.9 on a scale of 10. Similarly, on average, managers who are concerned with staff not meeting skills requirements rate their concern at 6.94. (see figure 6)

Figure 6. Level of Concern: Scale of 1-10
Not Enough Staff 6.90
Staff Doesn’t Meet Job Requirements 6.94

With the level of concern being nearly equal, this data supports the notion that, according to HR and Cybersecurity managers, the importance of filling the skills gaps and cybersecurity team headcounts go hand in hand as critical success factors. In terms of the scale of the cyber shortage, the number of open job openings for cybersecurity professionals across all industries, on average, is 11 per organization.

Combatting Hiring Challenges

Cybersecurity managers were asked to select their top three challenges for hiring mid-level cybersecurity staff. Salary competitiveness was the number one challenge identified among respondents. (see figure 7)

However, the process of hiring requires the manager and candidate to reach an agreement on terms, which involves more than just salary competitiveness. Figure 7 shows secondary contributing challenges identified by managers in this study – such as a lack of defined career path, the wrong skillset upon being hired, and a lack of remote work options. As practitioners begin to expect more than just a competitive salary, these secondary benefits become more important for organizations and managers to address and provide.

Figure 7. The Top 3 Challenges for Hiring Cybersecurity Mid-Level Staff (pie chart; Salary Competitiveness is the largest segment at 26%, followed by Lack of Defined Career Path and Wrong Skillset Upon Hire; the remaining segments are Lack of remote work options, Low retention of cyber staff, Interview process too long, Lack of work/life balance, Lack of loyalty within cyber staff, Benefits package competitiveness, and Other)

Establishing a clear and coordinated career path model for employees is crucial in the realm of hiring cybersecurity professionals. Typically, this endeavor necessitates collaboration among the cybersecurity manager, the HR department, and some level of corporate approval. The challenge becomes even more pronounced in smaller organizations that grapple with limited resources. This survey data, while focused on mid-level work roles, underscores the increasing importance of a well-defined career path, particularly for entry-level candidates, especially when hire-and-train strategies are integral to the organization’s growth plans. Practitioners want to know there is opportunity for growth within the organization.

It’s worth noting that two of the lowest-ranking options in this dataset challenge common misconceptions about cybersecurity roles: high turnover and a lack of loyalty. In reality, these aspects may not be as significant a problem as widely believed.

Overall, the ever-expanding scale and complexity of the cybersecurity landscape over the past couple of decades present numerous challenges for HR and Cybersecurity managers. With the proliferation of the Internet of Things and an almost infinite number of digitally connected devices, the evolving landscape creates an increasing and complex cybersecurity threat environment. Fortunately, both HR and Cybersecurity managers acknowledge the need to foster closer collaboration to gain a deeper understanding of cybersecurity roles.


Use of the NICE Framework

When respondents were asked if they use the NICE Framework, 14% said that they use it and 56% stated they do not use it. A surprising 30% were uncertain whether or not they used it. (see figure 8)

This presents an impactful opportunity for improvement. Wider adoption of the NICE Framework across an organization could facilitate communication and collaboration between HR managers and cybersecurity professionals, benefiting both management cohorts and the organization’s security as a whole.

Figure 8. Does Your Organization Use the NICE Framework for Cybersecurity Work Roles and Job Applications?
Yes 14%
No 56%
Unsure 30%

Case Study Snapshot

There is no common lexicon – especially across HR and Cybersecurity managers in terms of sourcing and recruiting and accurately understanding staffing requirements, said Dr. Austin Cusak, a Technical Leadership Program Manager with the Department of Homeland Security.

Technical terms are often misused or confused, which promotes a suboptimal environment for effective matchmaking between applicants and staffing requirements. Furthermore, Dr. Cusak, in his experience, has seen HR management force outdated best practices on the cyber workforce, which hampers recruiting, career planning, and systematic advancements. These inefficiencies generally exacerbate the cybersecurity staffing shortages by unnecessarily exaggerating the average time-to-hire, typically measured in multiple months, for critically understaffed cybersecurity roles.

See the Appendix for Dr. Austin Cusak's full Case Study, Challenges and Solutions in Cybersecurity Management, Training, and Recruiting

Working Better Together: HR and Cybersecurity Managers

Cybersecurity Managers
In the survey, Cybersecurity managers expressed a strong desire for a more seamless collaboration with HR.

37% of Cybersecurity managers believe that HR could better support cybersecurity recruiting efforts by developing a deeper understanding of cybersecurity roles. Having a better understanding of cybersecurity roles would naturally foster better qualification of candidates, which 17% of Cybersecurity managers identified as a way that HR could better support hiring efforts. Furthermore, 14% of Cybersecurity managers emphasized the need for improved collaboration. (see figure 9)

It’s worth noting that there have been instances where Cybersecurity managers have opted to bypass the HR department to enhance their hiring effectiveness or to avoid the frustrations and inefficiencies that sometimes accompany traditional processes. This underscores the urgency to bridge the gap and streamline communication and cooperation between these two essential facets of the hiring process.

Figure 9. How Could HR Better Support Cybersecurity Recruiting Efforts?
Deeper understanding of cybersecurity roles 37%
Better qualification of candidates 17%
Use of standard candidate assessments 17%
Better collaboration 14%
More flexibility and Other (the two smallest segments, 10% and 5%)

HR Managers
Similarly, 46% of HR managers emphasized the need for enhanced collaboration between HR and Cybersecurity managers. Notably, they are also keen on maintaining standardization, as indicated by 31% of the responses, which makes the case for wider adoption of the NICE Framework. As shown in the previous survey results, one can conclude that HR managers and Cybersecurity managers each have a desire to work together better to create a more efficient and effective hiring process. (see figure 10)

Figure 10. How Could HR Managers Better Support Cybersecurity Recruiting Efforts?
Better collaboration 46%
Standardization of work roles, job description, etc. 31%
Specific list of job requirements 15%
More flexibility 4%
Other 4%


Recruiting Mid-Level Roles

Cybersecurity Managers
The interdependent relationship between HR managers and Cybersecurity managers plays a pivotal role in ensuring a steady supply of qualified cybersecurity candidates for recruitment.

This is especially critical given that a substantial 57% of cybersecurity hiring originates from internal sources. This includes promotions or upskilling from within the organization (35%) and referrals from current employees (22%). (see figure 11)

Figure 11. Recruiting Sources
Internal sources 57%
External sources 43%

The fact that external candidates account for only 35% of the overall recruitment sources shows the importance of adopting a hiring and training-focused paradigm within organizations, rather than a heavy reliance on external hires.

Looking at recruitment sources broken out by work role, as shown in Figure 12, more patterns emerge. Information Systems Security Managers tend to be nurtured and promoted from within the organization more frequently than other roles examined in this study. Security Architects are often sourced from external channels. Nevertheless, it is noteworthy that the general pattern of candidate sourcing remains relatively consistent across all five work roles.

Figure 12. Recruiting Sources by Work Role (bar chart: percentage of hires per source for Information Systems Security Manager, Security Architect, Forensics Analyst, Systems Information Security Analyst, and Vulnerability Assessment Analyst; sources are An internal candidate to promote / skill up from within, A referral from a current employee, An external candidate hired from outside the organization, A consultant with a cybersecurity outsourcing firm, and Other)

HR Managers
HR managers primarily rely on straightforward online postings, notably on platforms like LinkedIn and job posting websites, as their most effective source of recruitment, as shown in Figure 13. However, these platforms tend to be saturated with candidates, making it crucial to employ specific keywords and filtering parameters effectively to sift through the vast pool of applicants in the highly competitive landscape. Because of this, it is critically important to standardize nomenclature, cybersecurity certifications, and related keywords to facilitate the efficient and effective identification of qualified candidates. This, again, emphasizes the value that wider adoption of the NICE Framework could have on the overall recruitment process.

Achieving such standardization is a pressing industry-wide need, requiring substantial education and time for widespread adoption. Until this occurs, managing the continuous influx of potential candidates through third-party websites can demand a considerable amount of effort.

Figure 13. HR’s Most Effective Recruiting Sources
LinkedIn 32%
Job posting sites 30%
College/University 20%
Job fairs 10%
Staffing agencies 5%
Hacking competitions 3%
Other 3%

It’s also worth noting that HR managers predominantly focus on actively recruiting Information Systems Security Managers (47%), even though this role is most often sourced from within the organization, a pattern that is also seen with Security Architects (18%). (see figure 14)

Figure 14. Cybersecurity Roles Actively Recruited by HR
Information Systems Security Manager 46.4%
Security Architect 17.9%
Forensics Analyst 10.7%
Systems Information Security Analyst 10.7%
Vulnerability Assessment Analyst 7.1%
Other 7.1%


This may suggest that HR is more at ease with actively recruiting for the more senior positions, which may seem more analogous to managerial and architectural roles within the IT field. Additionally, the fact that managers are spending time and resources to actively recruit information systems security managers, despite the role being sourced from within the company in most cases, demonstrates another disconnect and area for improvement for more efficient and effective hiring. In contrast, the more junior analyst roles often entail highly technical and rapidly evolving skill requirements to address contemporary cyber threats, making them more challenging for HR to recruit effectively.

Despite these imbalances, the time-to-hire duration across the five mid-level work roles remains reasonably consistent, albeit somewhat prolonged, whether it involves managers, architects, or analysts. (see figure 15)

Figure 15. Time to Hire by Role (days)
Information Systems Security Manager 98
Security Architect 97
Forensics Analyst 88
Systems Information Security Analyst 86
Vulnerability Assessment Analyst 81

Retaining Mid-Level Roles

In the context of staff retention, we surveyed managers to identify the top three challenges they face in retaining cybersecurity professionals. Salary remains the primary challenge. Intriguingly, the second and third most frequently cited challenges relate to the absence of a defined career path and the inadequacy of progressive training.

Together, the lack of a defined career path and progressive training account for a significant 31% of retention challenges. (see figure 16) Because defined career paths and progressive training options work hand in hand, any meaningful progress that a company makes toward providing progressive training will also contribute positively to efforts to define a career path.

Figure 16. Top 3 Retention Challenges (cybersecurity) (pie chart: Salary competitiveness 23%, Lack of defined career path 17%, Lack of progressive training 14%; the remaining segments are Lack of remote work options, Lack of work/life balance, Benefits package competitiveness, Wrong skill set upon hire, Lack of loyalty within cyber staff, Transportation, and Other)

Case Study Snapshot

Investing in new hires and developing home-grown experts should lead to the most sustainable results. Unfortunately, many organizations, especially private industry, disproportionally focus on identifying the “best athletes” that often keep circulating to the highest bidder with little affinity and diminished value to the organization. As Jay puts it, “If we are buying talent all the time, we will run out of money.”

Below are several of Jay’s general recommendations for positioning for sustainable success:

• Know who you are, where to compete for talent, and composition of your current workforce to add balance
• Utilize best-of-breed training and focus on recruiting of those that bring diverse experiences “sitting in the seat” of roles that will add to your workforce’s expertise or culture
• Look for passion over experience, including passion for the craft, community and industry, preferably more than one
• Don’t be afraid of training people because they might leave; ultimately investing in people will increase their desire to stay
• Recruit for passion, and critically review your requisitions to confirm requirements versus preferred qualifications, where possible default to more inclusive language like “interest in” over “experience with”

See the Appendix for Jay Bhalodia's full Case Study, Developing Successful Cybersecurity Maturity Models


Effective Retention Methods

When survey respondents were asked about the most effective approaches to retain cybersecurity employees, it became evident that non-salary factors, such as having meaningful work and access to training offerings, rank significantly high. Meaningful work received a score of 6.57 out of 10, and career progression received a score of 4.27. Collectively, these factors carry more weight than salary, amounting to 10.84 compared to the 6.14 score given to competitive salary. (see figure 17)

These findings suggest that once cybersecurity professionals are part of an organization, they increasingly value aspects beyond monetary compensation. For HR and Cybersecurity managers, this emphasizes the growing importance of offering a comprehensive array of both direct and indirect benefits as part of the overall strategy to retain mid-level cybersecurity staff.

Figure 17. Is Turnover a Problem at Your Company? (By Company Size) (bar chart of retention methods, rank on a scale of 0-10)
Meaningful work 6.57
Competitive salary 6.14
Flexibility 5.01
Career progression 4.27
Training offerings 4.26
Company culture 3.62
Benefits / job perks 3.14
Shifting roles 2.76
Other 0.21

Addressing Mid-Level Staff Turnover

Overall, only 32% of respondents directly acknowledged that cybersecurity turnover poses a significant challenge.

When comparing staff turnover and company sizes, the respondents with a company size of 101-500 experience a slightly higher than average turnover rate of 39%. This observation may suggest that companies experience cybersecurity staff turnover challenges as they transition from small to mid-size organizations. (see figure 18)

Maintaining team cohesion and stability in the face of high turnover is particularly challenging. It involves dealing with a continual loss of intellectual capital and potential impacts on team morale. Furthermore, it’s worth noting that some level of attrition within this field may be indicative of the high demand for mid-level cybersecurity professionals.

Figure 18. Is Turnover a Problem at Your Company, by Company Size (bar chart: percentage answering yes by company size, in bands 0-10, 11-50, 51-100, 101-500, 501-1000 and 1001+; values range from 25% to 39%, with the 101-500 band highest at 39%)

Case Study Snapshot

Sharifa Bernard, Learning & Development Program Manager with Amazon Web Services (AWS), prefers the performance and lab-based testing and assessments since they have demonstrated to be a more accurate predictor than other certifications of cybersecurity worker potential aptitude and fitness for the job. This real world and aptitude training is a better indicator to predict future success (or failure) in stressful, demanding real-time cybersecurity environments. Ms. Bernard has worked to establish some truly groundbreaking initiatives to achieve sustainable, successful growth and development of Amazon’s cybersecurity workforce.

See the Appendix for Sharifa Bernard's full Case Study, Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring


The Value of Training

On-The-Job Training vs. Traditional Training Methods

When comparing the value of on-the-job training versus traditional training methods (technical, classroom, and lab-based training), survey respondents valued the two forms of training almost equally, with on-the-job training scoring 8.6/10 and traditional training scoring 7.9/10. With these numbers being nearly equal, this data supports the notion that on-the-job training and traditional training go hand in hand as critical success factors.

Over 68% of respondents affirmed that they face challenges related to providing essential training for their cybersecurity workforce. When asked what hurdles they face when it comes to training mid-level cybersecurity professionals, 40% stated the lack of cybersecurity training budget, followed by 38% stating the lack of time/staff to get training (see figure 19). Nearly 14% indicated a lack of flexible training options, and only 4% reported that there was no shortage of applicable training.

These findings suggest that when it comes to training, there are flexible opportunities and relevant training courses if time and budget can be prioritized.

Figure 19. Challenges Faced When Providing Training for Practitioners
Lack of cybersecurity training budget 40%
Lack of time / staff are too busy to get training 38%
Not enough flexible training options 14%
No training applicable to our organization is available 4%
Other 4%

Accurately Assessing Whether a Candidate Is Qualified

When respondents were prompted to select the single criterion they “value most highly” when assessing new hires, the data indicates a significant preference for candidates with the right blend of general aptitude and technical proficiency.

Hands-on and technical skills are readily quantifiable and demonstrable through certification-based training, which is preferred over traditional degree-based education by a ratio of 2 to 1 across all work roles, as shown in figure 20.

Education, hands-on experience, and certifications all remain critical elements in the context of candidate selection and job interview invitations. It’s worth noting that, on average, across the five mid-level work roles, higher levels of formal education become progressively less influential when compared to the weight carried by role-based courses and certifications (see figure 20). This shows that someone new to the cyber industry can set themselves apart from the rest simply through training and certifications, regardless of their education or professional background.

Figure 20. What Do You Value Most When Hiring Mid-Level Practitioners? (bar chart: percentage of respondents per work role, for Vulnerability Assessment Analyst, Security Architect, Information Systems Security Manager, Systems Information Security Analyst, and Forensics Analyst, choosing each of: Some IT course work or certification-based training; Formal Education: BS in Computer Science or related field; Formal Education: MS degree in Computer Science or a related field; Formal Education: PhD in Computer Science or related field)

Case Study Snapshot

Jon Brickey, Sr. VP and Cybersecurity Evangelist at Mastercard, feels as an industry, cybersecurity should be hiring more for aptitude (along with core knowledge). Some cybersecurity hires that worked well for him include people from a wide assortment of backgrounds including: a music teacher, a language teacher (an excellent Red Teamer now), and law enforcement (good at investigation regardless of limitations in technical background). Mr. Brickey prefers to build direct relationships with his hires, and in terms of what he seeks in potential cybersecurity hires, they are, in order: Character, Experience, Certifications, and Education.

See the Appendix for Jon Brickey's full Case Study, Lessons Learned on the Impact of Training on Hiring Success


Senior Management Investment Is Essential to Success

The Growing Need for Investment in Cybersecurity
Tension between middle and upper management is generally seen as a healthy aspect of organizational dynamics. Some of this tension can be constructive, fostering operational excellence. Other forms may hinder the efficient and effective growth of cybersecurity teams in line with escalating demand.

Despite the growing need for organizations to invest in cybersecurity measures, only 50% of respondents stated that upper management provides them with the necessary resources and support for building and managing a cybersecurity workforce.

Diversity Is Top of Mind
Nearly 80% of respondents indicated that Diversity, Equity, and Inclusion (DEI) is becoming an integral part of their organizational culture, painting an encouraging picture. Additionally, 71% of respondents expressed a commitment to prioritizing the recruitment of diverse candidates within their cybersecurity workforce. Figure 21 shows the five most common methods for DEI-focused recruiting. These findings highlight a dedicated and proactive approach toward promoting and enhancing diversity within the cybersecurity sector.

Figure 21. The Five Most Common Methods for DEI-Focused Recruiting
• Connecting with colleges and universities: 24%
• Through employee referrals: 22%
• Partnering with diversity coalitions and groups: 19%
• Hiring more diverse management and HR professionals: 18%
• Utilizing job fairs: 14%
• Other: 3%

Case Study Snapshot
This aligns with insights gathered from a case study interview with Black Rainbow Group's Matt Swenson, who noted a prevalent issue, particularly within the U.S. Federal Government. He highlighted that upper management frequently lacks a cybersecurity background, which may result in a disconnect in understanding the requirements conveyed by lower-level management to fulfill the mission effectively. These managers did not understand (and sometimes simply did not want to understand) that cyber talent must be paid commensurately with the industry, which can sometimes mean more than the executive leadership earns.

See the Appendix for Matthew Swenson's full Case Study, Strategies for Training and Hiring in the US Government

Diving Deeper into the Top 5 Mid-Level Work Roles

Years of Experience by Work Role
As anticipated, the prerequisites for prior work experience, measured in years, vary significantly across the different work roles examined in this report. The Manager role, one of the most senior positions in this study, requires a substantial average of 9 years of prior experience (see Figure 22). The other senior position studied, the Architect role, calls for an average of 6 years of experience. In contrast, the three analyst roles, which are considered more junior positions by comparison, show relatively consistent prior experience requirements, with averages ranging from 3 to 4 years.

Figure 22. Previous Experience Requirements by Work Role (average years)
• Information Systems Security Manager: 9
• Security Architecture: 6
• Systems Information Security Analyst: 4
• Forensics Analyst: 3
• Vulnerability Assessment Analyst: 3

Preferred Types of Experience by Work Role

The next few figures convey what types of experience respondents are looking for when hiring for each of the top work roles. Note: Answer sets are specific to the work roles and may differ from role to role. For four of the five work roles examined, the highest-scoring factor in terms of preferred experience is the "comprehension of cybersecurity fundamentals." This suggests a strong inclination among cybersecurity and hiring managers to seek out candidates who are strong in cybersecurity fundamentals, with the intention of providing specialized training and guidance on role-specific skills post-hire.

Figure 23. Preferred Type of Experience: Information Systems Security Managers
Pie chart of responses by type of experience: Comprehension of cybersecurity fundamentals; Managed the risk posture, cybersecurity strategy and/or cybersecurity initiatives of organization; Managed cybersecurity of a program, system or enclave; Previously a manager or team lead; Managed an organization's policies and procedures; General IT duties; Previously in a senior or principal cybersecurity or technically-oriented role; Evaluated cybersecurity vendors and products; Other.

Figure 24. Preferred Type of Experience: Security Architects
Pie chart of responses by type of experience: Comprehension of cybersecurity fundamentals; Applied network security architecture concepts including topology, protocols, components and principles (e.g. application or defense-in-depth); Previously designed network infrastructure based on industry best practices; Implemented network and data-centric controls to balance prevention, detection, and response; Performed vulnerability testing and provided risk-informed decision-making; General IT duties; General networking duties; Other.

Figure 25. Preferred Type of Experience: Vulnerability Assessment Analysts
Pie chart of responses by type of experience: Comprehension of cybersecurity fundamentals; Applied system security issues based on the analysis of vulnerability and configuration data; Evaluated an organization's threat environment to improve its risk management posture; Applied cybersecurity and privacy principles to organizational requirements; General IT duties; Applied programming language structures (e.g. source code review) and logic; Other.

Figure 26. Preferred Type of Experience: Systems Information Security Analysts
Pie chart of responses by type of experience: General IT duties; Prior maintenance of systems security; Determined how a security system should work and recommended how changes in conditions, operations, or environment will affect these outcomes; Developed and applied security system access controls; Conducted vulnerability scans and recognized vulnerabilities in security systems; General cybersecurity duties; Other.

Figure 27. Preferred Type of Experience: Forensics Analysts
Pie chart of responses by type of experience: Comprehension of cybersecurity fundamentals; General IT knowledge; Skill in digital data collection and log analysis; Previous experience with computer-based or criminal investigations; Understanding of law and how it applies to digital investigations; Other.

Key Takeaways
Based on the execution and analysis of this survey, along with the case studies featured throughout the report and in the Appendix, the following findings can be applied and considered to attract, hire, and retain mid-level cybersecurity roles.

Cybersecurity Teams Are Perceived as Effective While Still Having Room for Improvement
Over half (54%) of respondents reported that their cybersecurity teams are meeting or exceeding their goals, underscoring the strong performance of these teams. However, that means nearly half do not see themselves as meeting or exceeding their cybersecurity goals, which shows there is still work to be done.

High-Performing Teams Are Built by a Blend of On-the-Job Training and Traditional Training (technical, classroom, and lab-based training)
There is a consensus in both the study data and the case studies that the most effective strategy to develop high-performing cybersecurity teams is to hire mid-level staff with strong cybersecurity fundamentals and then provide training to meet specific job requirements. The most effective training proved to be a blend of on-the-job training and more traditional training methods such as classroom, lab-based, or certification-based training. This approach helps rapidly fill current cybersecurity job vacancies while also retaining talent within the organization.

Skills Gap vs. Headcount Gap
Approximately one-third of respondents believe that the cybersecurity gap is skills-based, while two-thirds see it as a headcount gap. This points to a healthy job market with high annual turnover. Successful companies tend to address skills gaps directly through training, whereas addressing headcount gaps remains an industry-level concern.

There Is a Strong Preference for Certification-Based Training
Respondents strongly prefer certification-based training over traditional degree-based education, by a 2:1 ratio. Employers value hands-on training that leads to certifications, as it helps ensure that potential team members can perform the skills necessary to excel in their roles before they are hired.

Challenges in Standardization Are Hindering Hiring Processes
The industry faces standardization challenges, particularly regarding terminology in job postings, resumes, certifications, and career paths. This lack of standardization leads to confusion and inefficiencies in the cybersecurity job market, as well as for the HR managers working to recruit talent. It can be improved through wider adoption of the NICE Framework, which, if utilized broadly, helps teams across industries speak the same language around cybersecurity hiring, development, and retention.

Senior Management Investment Is Essential
Senior management should consider allocating more resources, both in terms of budget and in upgrading their own education and awareness, to address current market inefficiencies. The rapidly expanding cybersecurity industry often lacks senior management with strong cybersecurity credentials, which hinders mentorship and guidance for cybersecurity staff aspiring to transition into management roles. Furthermore, if senior management does not understand the risks or lacks knowledge of cybersecurity, that in turn puts the organization at even greater risk.


Appendix: Work Force Case Studies
With the help of top cybersecurity leaders from leading organizations across the United States, these case studies were conducted to help demonstrate what cybersecurity teams look like when they are backed by successful hiring and development practices.

The views expressed in the case studies reflect the personal views of participants and do not necessarily reflect the views of their organizations. Interviews were conducted with Amazon, CISA, Black Rainbow Group, Leidos, Microsoft and Mastercard.

2024 SANS | GIAC Research Report • Case Study 2023 • Sharifa Bernard
Leveraging Apprenticeships and Emulating Teaching Hospital Concepts in Cyber Hiring
This case study presents insights from an interview with Sharifa Bernard, Learning & Development Program Manager at Amazon Web Services (AWS), highlighting innovative strategies in cultivating Amazon's cybersecurity workforce.

Approach to Assessments
Bernard advocates for the implementation of performance- and lab-based application assessments. Emphasizing the importance of real-world and aptitude-based training, she believes these assessments offer a more accurate gauge for predicting success or failure in high-pressure cybersecurity environments. Bernard spearheads pioneering initiatives at Amazon aimed at sustainable growth and development within the cybersecurity domain.

Apprenticeships
In response to the cybersecurity workforce shortage, Amazon initiated pilot apprenticeships in cybersecurity. Though cybersecurity and training management recognized the urgency of overcoming this shortage, gaining upper management buy-in posed challenges due to the substantial mentoring investment required from senior employees and the necessity of cultural shifts. The apprenticeship model – blending on-the-job experience with external training from organizations like SANS – provides early-career employees a practical view of navigating a dynamic corporate cybersecurity environment, whether supporting internal systems or catering to client needs. This approach allows novices to learn critical job skills from seasoned mentors, grasp the nuances of human behavior, and comprehend the intricate landscape of cybersecurity's high-risk business.

Cyber Teaching Hospital Concept
An extension of the apprenticeship program, Amazon's adaptation of the teaching hospital concept mirrors an environment where aspiring doctors are consistently trained to approximate their eventual workplace. Similarly, early-career cybersecurity staff at Amazon are trained in an environment closely resembling real-world scenarios, mitigating risk while being primed for "actual" work experiences. This fail-fast methodology fosters rapid learning in a consequence-free environment that resembles the pace and challenges of cybersecurity. By cultivating a robust generalist cybersecurity foundation in early-career staff, Amazon aims to facilitate smooth transitions to specialized roles within the dynamic cybersecurity landscape.


2024 SANS | GIAC Research Report • Case Study 2023 • Dr. Austin Cusak
Challenges and Solutions in Cybersecurity Management, Training, and Recruiting

This case study was produced from an extended interview engagement with Austin Cusak, Ph.D., a Technical Leadership Program Manager at the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency. The views expressed in this article are the personal views of Dr. Cusak and do not necessarily represent the views of CISA/DHS or of the United States.

Challenges
Cybersecurity stands as a paramount and rapidly expanding technical domain, both nationally and globally, owing to its pivotal role in thwarting cyber threats. Safeguarding a spectrum of information – from proprietary and confidential data to personally identifiable details, intellectual property, and diverse datasets – has become an enduring digital imperative that is critical for businesses, governments, and societal well-being. Dr. Cusak highlights multiple challenges he faces as he works toward progressing and maturing cybersecurity within the United States.

Recruiting
Dr. Cusak emphasizes the lack of a shared vocabulary, particularly evident between HR and cybersecurity managers, around sourcing, recruiting, and accurately defining staffing needs. Confusion over technical terms, or the misuse of terms across teams, can make it harder to align appropriately qualified applicants with the requirements of the job. In addition, the recruiting process often involves HR imposing outdated practices on the cybersecurity workforce, which can impede recruitment, career planning, and overall progress. One way these inefficiencies show up in cybersecurity recruitment is a prolonged average time-to-hire, often by several months, which can negatively impact already understaffed cybersecurity teams. In such a scenario, Dr. Cusak points to the use of the NICE Framework at the HR level to introduce a more standardized recruitment process.

Training
Due to dynamically changing cybersecurity staffing needs, including the perpetual emergence of new technical skills and requirements, a supportive cybersecurity training ecosystem has developed organically over the past decade. A wide variety of training options have emerged from private industry, traditional and online colleges/universities, the military, and non-profits, together offering everything from simple skill training to certificate-based training, immersion training, and advanced degrees for cybersecurity professionals. However, the lack of standardization in training creates confusion between cybersecurity hiring managers, HR, and job candidates, all of which ultimately hampers the efficient and effective identification of true talent matching the need. Dr. Cusak says, "there is truly an over-reliance on junk certifications," which typically measure knowledge rather than aptitude while purporting to provide technical and leadership training for career advancement.

Management/Advancement to Leadership Roles
Another critical concern, linked to the issues in recruitment and training, lies in the lack of a well-defined pathway for career progression from technical cybersecurity roles to leadership positions and ultimately to low and middle management roles. This poses challenges in effectively managing the cybersecurity workforce, which can lead to employee dissatisfaction and increased turnover – both at the staff and managerial levels.

"Career advancement from cybersecurity technical staff into technical leadership and eventually low and middle management roles is not a well-defined track or path. This creates challenges in terms of suitable management of the cyber workforce, challenges that can help lead to increased turnover and employee dissatisfaction, both at the staff and managerial levels. The heroic desire to be the best of the best at something, or even everything (except management)" is another challenge Dr. Cusak pointed out clearly.

"Also, without role models and mentors in the managerial ranks with bona fide cybersecurity street cred, well-compensated technical staff seem generally content in their current roles," Dr. Cusak says. "Combined, these factors and conditions help fuel a perception that the supply of cybersecurity professionals is well short of demand, however it may be more of a case of the staff not being optimally aligned to the nuanced variety of cybersecurity roles."

Solutions
The maturity of the cybersecurity ecosystem is generally following the path of other new paradigms before it, accounting and information technology being two examples, so there is legitimate confidence that it will become more standardized and optimized over time. Additionally, Dr. Cusak pointed out the importance of reviewing what other countries are doing, both friends and enemies – naming Israel, Russia, China, Iran, and North Korea – in terms of how they are making advancements, and mimicking appropriate best practices. Below we detail some of the suggestions for improvement that came out of our discussion with Dr. Cusak.

Recruiting
In the ever-evolving cybersecurity realm, adopting an unconventional and proactive approach that diverges from traditional norms in employee recruitment often yields superior results. Dr. Cusak, for instance, actively participates in hacking competitions as a means of engaging with promising cybersecurity professionals, an approach he has found to be notably successful for recruiting. He advocates for encouraging younger individuals in the United States to experiment with available cyber tools like Kali Linux, Wireshark, and Snort within controlled environments to cultivate their "technical confidence." This grassroots initiative aims to cultivate a continuous influx of cyber-curious talent for future generations.

To achieve this, an emphasis on enhancing professional communication within the cybersecurity domain is imperative, beginning with the standardization of a unified cyber lexicon. This standardized terminology should be embraced not only by cyber hiring managers but also by HR professionals. This first step toward professionalization will inevitably lead to better recruitment and retention, but it also demands consensus among all stakeholders involved in the talent management process. Adopting the NIST NICE Framework comprehensively would serve as a fundamental basis for this communication strategy, potentially requiring training initiatives rather than relying solely on an individual's due diligence.

Training
Dr. Cusak enthusiastically recommends the use of experiential leadership courses for all government cybersecurity leaders, such as those provided by the U.S. Office of Personnel Management (OPM), which require on-the-spot mentor feedback during training as well as challenging practice activities. For both government and industry, sending current and future managers to soft-skills training using experiential learning groups (such as a coaching institute) will best prepare cybersecurity technical staff for new roles in leadership, and eventually low and middle management roles.

Cyber professionals hone their technical skills by engaging in problem-based experiential learning, but most management and leadership training is taught only at the conceptual level. More hands-on practice is thus necessary to turn management soft skills into "power skills." Through this shift, individuals will become better integrated into their organization's management structure, whether they are in government or industry. Dr. Cusak also includes SANS Institute and a few other certification organizations as providing the right type of hands-on, immersive training that can quickly turn concepts into actionable skills, verified through higher-quality certifications that are meaningful to hiring managers. With the profession currently flooded with companies over-promising and under-delivering, greater awareness of, and an organizational commitment to, the trainings that produce enduring results will lead to better hiring and retention, as individuals feel they are cared for by their employer.

Management/Advancement to Leadership
Dr. Cusak points out that a truly effective cybersecurity manager must often take on the role of a professional coach and mentor who guides through questions and by setting up stretch tasks, rather than acting as a traditional boss who only gives directions. The core benefit of this approach is building the self-awareness muscles of the technical follower, which is the foundation for them gaining their own personal method for self-reflecting on their behaviors, habits, and leadership tactics. Doing this with a mentor will fast-track the transition into management, which often requires the individual to trade technical skills for conceptual management and leadership skills while also growing their interpersonal abilities. This is how leaders are grown. The critical role of having and being a mentor and role model should be evangelized throughout the cybersecurity industry as a current practice that dramatically helps junior technical staff grow into cybersecurity leaders. Dr. Cusak believes it is important to keep working to accelerate the growth of experiential cybersecurity learning at all job levels, constantly pushing toward professionalization for all practitioners, regardless of the type of organization in which they work.


2024 SANS | GIAC Research Report • Case Study 2023 • Matt Swenson
Strategies for Training and Hiring in the U.S. Government

This case study shares insights from an interview with Matthew Swenson, Chief Executive Officer - North America at Black Rainbow Group, delving into his tenure and experiences, notably from his time with Department of Homeland Security Investigations.

Training Insights
Swenson highlighted that while the DHS ranks possess proficient investigative skills, there is a recognized need for specialized training in cyber-specific investigations, typically sought externally. Acknowledging the limitations of in-house training at DHS for network intrusion, Swenson emphasized the reliance on external resources like SANS to bridge these knowledge gaps. SANS courses were instrumental in providing comprehensive cybersecurity training, addressing technical intricacies, and fostering deep cyber expertise.

During Swenson's tenure at DHS Investigations, one strategy involved training capable investigators in cyber techniques using SANS courses coupled with an internal 2-week immersive program. Courses like SANS SEC401, SEC504, FOR508, and occasionally SEC511 were prioritized, as these covered core competencies. However, the curriculum was often tailored based on the challenges and relevance encountered. Notably, FOR508 proved significantly more challenging than SEC511, and FOR610 was important for covering malware work, leading to adaptive course sequencing according to the individuals in question.

In the realm of cyber investigations, DHS saw 150 staff members undergo specialized agency training over seven years, with many transitioning back to field roles due to the non-full-time nature of their cyber investigator roles. Meanwhile, 370 staff received comprehensive training in digital forensics through a 6–8 week full digital academy, complemented by fine-tuning skills with SANS courses. To bolster cyber operations, efforts were made to recruit industry professionals in addition to the investigator pool.

Challenges in Hiring
Swenson identified a notable challenge within DHS and the broader U.S. Federal government: cybersecurity management primarily comprised individuals with extensive government tenure, often lacking direct cyber expertise, except within DHS CISA. This managerial gap resulted in decision-makers sometimes failing to grasp or acknowledge the necessity of remunerating cyber talent commensurately with industry standards. Stringent hiring requirements coupled with relatively low salaries hindered the recruitment of top-tier cybersecurity talent. Vacancy announcements yielded limited eligible candidates, with only half meeting the stringent hiring prerequisites.

Swenson highlighted the scarcity of experienced cybersecurity subject-matter experts (SMEs) as the core shortage within the cybersecurity industry. He emphasized that while there is significant interest in entering the cybersecurity realm, the shortage mainly lies in experienced SMEs. Over the past decade, U.S. colleges and universities have swiftly introduced Cybersecurity Bachelor's and Master's degrees to meet the growing demand from both industry and aspiring students.

2024 SANS | GIAC Research Report • Case Study 2023 • Leidos
An HR Perspective on Cybersecurity Hiring Challenges and Solutions

This case study offers insights into cybersecurity challenges and solutions from an HR perspective, based on an interview with Leidos, an information technology engineering firm.

Challenges
In the ever-evolving cybersecurity landscape, Leidos has observed a sharp surge in demand for cyber talent. While entry-level cybersecurity talent acquisition remains consistent for major Federal contractors like Leidos, securing appropriate government clearances for cybersecurity contract work remains a persistent challenge and requires a significant investment. The demand intensifies for mid-to-high-level cybersecurity experts who are already security-cleared, presenting a scarcity of talent across the Federal and private sectors.

Adding to the challenge is the observation that lengthy job descriptions often lack clear, essential requirements, which can deter potential candidates. This discrepancy also dissuades individuals with aptitude and skills from applying, due to the perception of needing to fulfill all listed requirements.

To address the competitive talent pool, Leidos actively seeks innovative recruitment approaches and emphasizes the importance of training new hires. Their strategy involves a balanced approach, bridging the gap by hiring recruits who meet the minimum requirements and then upskilling or reskilling them. Leidos recognizes that organizations that navigate these challenges effectively gain a distinctive competitive edge.

Solutions
To mitigate these challenges, Leidos collaborates with business leaders, providing insights into filling cybersecurity roles and sharing industry forum workforce best practices, labor data, and successful hiring models. They also engage with customers to encourage support for industry best practices in addressing hiring constraints. Flexibility in recruiting and placing trust in the technological competence of young professionals are emphasized as key elements.

Leidos advocates for more robust job descriptions that emphasize cybersecurity and technical managers' must-have requirements while promoting inclusivity in job descriptions. Leveraging NIST's NICE Framework as a common language for cyber skills is a core aspect. The integration of NICE Framework skills into standardized job descriptions and profiles is underway to establish a more standardized approach.

Additionally, Leidos is drafting a degree equivalency matrix to substitute certifications, skills, training, or experience for a four-year college degree. This initiative aims to widen the job candidate pool by adjusting for realistic position requirements, a step towards opening cybersecurity roles to more individuals possessing the right potential and skills, even if they did not follow a more traditional education path.

The company also adopts a skills-based hiring approach, focusing on candidates who meet 80% of basic requirements and offering learning and development opportunities to fill the remaining skills gap. Internships, training, mentoring, and intentional career development conversations are highlighted as crucial for nurturing junior cybersecurity staff, emphasizing the need for cybersecurity managers to invest in their employees' growth and career planning.


2024 SANS | GIAC Research Report • Case Study 2023 • Jay Bhalodia
Developing Successful Cybersecurity Maturity Models

This case study was produced from an interview conducted with Jay Bhalodia, Managing Director, Security Customer Success at Microsoft Federal. Prior to Microsoft, Jay worked at Booz Allen Hamilton (BAH) and at small business 8(a) government contractor Emagine IT. This case study highlights his successes in developing cybersecurity maturity models at Emagine IT and Microsoft, in particular for cybersecurity delivery and services staff.

Before delving into the specific models, Jay addresses some general aspects of the cybersecurity industry that are especially relevant in this context. While acknowledging the pervasive shortage in the cybersecurity workforce, he also highlights structural challenges in talent acquisition versus talent development that contribute to this scarcity. By instituting robust training programs, organizations can cultivate their own cybersecurity talent pool, ultimately augmenting their workforce internally over time. The most impactful training approach tends to be a tailored mix of in-house and outsourced sessions, emphasizing aptitude assessment and culminating in certification achievement. This training paradigm should establish integral feedback mechanisms to ensure continual improvement in overall effectiveness over time.

Jay identifies another contributing factor to the cybersecurity workforce shortage: the abundance of certifications, specialized jargon, and acronyms within the cyber field. Many job requirements mistakenly cite specific certifications or omit crucial qualifications. This certification complexity is compounded by outdated degree prerequisites for cybersecurity roles, even though practitioners often come from unconventional backgrounds; together these erect artificial entry barriers for numerous cybersecurity positions. Fostering the growth of new hires and nurturing in-house expertise typically yields the most sustainable outcomes. Regrettably, many organizations, particularly in the private sector, tend to disproportionately prioritize recruiting “top-tier” individuals who frequently switch employers for better offers, resulting in diminished commitment and value for the organization. Jay aptly remarks, “If we are buying talent all the time, we will run out of money.”

Jay made several general recommendations for positioning for sustainable success:

• Know who you are, where to compete for talent, and the composition of your current workforce in order to add balance with your strategy

• Utilize best-of-breed training and focus on recruiting those who bring diverse experiences “sitting in the seat” of roles that will add to your workforce’s expertise or culture

• Look for passion over experience, including passion for the craft, community, and industry – preferably more than one

• Don’t be afraid of training people because they might leave; ultimately, investing in people will increase their desire to stay

• Recruit for passion, and critically review your requisitions to confirm requirements versus preferred qualifications; where possible, default to more inclusive language in your job postings, like “interest in” over “experience with”

Small Business Success

From 2013 to 2015, Jay was a line-of-business (LOB) director (Director of Security) for Emagine IT. In his previous work at Booz Allen Hamilton, it was easy to recruit cybersecurity talent, with resumes always flying in the door based on the firm’s name recognition. It was more challenging at Emagine IT due to the lack of name recognition, along with having fewer budgetary resources. In this environment, Jay had to really hunt for potential cybersecurity talent to get top resumes and expertise to consider his new firm. Referrals from existing staff worked out well. In addition, they found strong success with augmenting their cybersecurity staff with contract work sourced through recruiting firms.

It was essential to build a high-quality team in a low-cost environment (the federal small business competitive landscape) for clients to trust Emagine IT with critical future cybersecurity throughout the highly competitive government procurement process. Over time, Jay learned that individuals looking for their opportunity to break into security ultimately had a better growth mindset and grew faster than individuals who were focused on relying on their past experiences. The team quickly pivoted to hiring less experienced candidates and building an accelerated on-boarding model that included shadow, reverse-shadow, and eventually autonomy.

As for staff retention, it was critical to compete on intangibles. They worked to build loyalty for the organization through training, benefits, and culture. Bhalodia pointed out that they needed people that did (or would) live and breathe cybersecurity. Like nearly any other organization, they had some staff who were always looking for a better deal, but they learned how to minimize the impact of intellectual capital leaving the firm over time, as they built enduring relationships with their eventual replacements.

Large Business Success

At Jay’s current employer, Microsoft, he has witnessed them go from not being recognized by the industry as a security company to being “the place to be” in security right now relative to the customer-facing fields such as consultancy, support, etc. Microsoft took a deliberate approach to build their customer-facing cybersecurity consultancy, beginning with aggressive sales and recruiting. By doing this, they were able to grow a security portfolio quickly, if unsustainably, and then were able to transition into more of a customer success model to support their clients.

Jay founded the Microsoft Federal customer success organization from scratch. In just three months, it grew from ten initial strategic hires to 150 people. After the initial strategic hires, the vast majority were legacy system administration and technologists that Microsoft then trained and up-skilled for a variety of cybersecurity roles. The key to those individuals is that they have direct experience within the security industry. Given the composition of his team, Jay led future hiring efforts to focus on adding staff with operational security experience in order to build out his team’s culture and expertise.

Important staff retention tools at Microsoft include perks such as free academic benefits. It is also their philosophy that cybersecurity staff experience the industry. For example, in the first year, they took 40 people from Microsoft to the industry conferences DEFCON and Black Hat to immerse them in the leading edge of cybersecurity. This gesture helped to accelerate passion among the cybersecurity team. The following year, this investment resulted in 10 different Microsoft Cybersecurity staff self-funding to attend DEFCON. Additionally, at a Microsoft internal hackathon, Jay’s team delivered a project to add voice-based capabilities to Microsoft Security tools. Passionate about increasing diversity within the cyber workforce, the team partnered with a University of Alabama pilot for vision-impaired students to open a career path into cyber. Microsoft continues to source emerging and diverse talent to build the cybersecurity customer success program.


2024 SANS | GIAC Research Report • Case Study 2023 • Jon Brickey
Lessons Learned on the Impact of Training on Hiring Success

The insights shared here are the result of an engaging conversation with Jon Brickey, Senior Vice President and Cybersecurity Evangelist at Mastercard. Leading a dedicated team focused on Security Awareness, Cyber Range, and Strategy & Partnerships, Jon's mission centers on charting career and educational pathways for approximately 800 cybersecurity and IT professionals at Mastercard. Notably, his team's responsibilities encompass training for vulnerability management and the Red Team — an internal group simulating hacker activities, such as penetration testing.

Jon Brickey champions a diverse array of training initiatives to fortify his cybersecurity squad. These initiatives include:

• Cyber Ranges: Immersive adversarial training environments that enable hands-on practice in both defending against and launching cyberattacks, often involving competitive scenarios with other companies

• Phishing Simulations and Response Training: Preparing teams to identify and respond effectively to phishing attacks

• Compliance Training: Ensuring adherence to industry regulations and standards

• Education with Expert Insight: Engaging guest speakers and subject-matter experts to provide in-depth knowledge

• Individual Risk Scores: Assessing and addressing individual risk factors

• Strategic Partnerships for Business Enablement: Collaborating with internal cybersecurity teams to assess cyber risks and conduct reconnaissance for risk management

Mastercard collaborates with SANS on cybersecurity training and degree programs. Brickey staunchly asserts, "If you are worried about training and losing people, you should worry about not training them.”

Despite facing challenges, such as top-performing individuals departing for rival companies, Brickey stands by the value of training. He acknowledges the struggle in motivating staff to use their allocated $11,000 per year for accredited colleges, with the most success in NYU’s Tandon program and in the Washington University in St. Louis program. Brickey’s motto of "Mission first, people always," with a focus on comprehensive training, aids in maintaining an attrition rate below 5%.

Engaging with the complete cybersecurity spectrum, Brickey and his team delve into sourcing, recruiting, coding, defensive cybersecurity, risk assessment, controls, event validation, and collaboration with investigators and legal experts, among other facets. In the quest for talent, Brickey prioritizes aptitude alongside fundamental knowledge, having successfully integrated diverse professionals into his team. Noteworthy hires include a former music teacher, now excelling in the Red Team, a language instructor displaying exceptional Red Team skills, and law enforcement personnel demonstrating excellent investigative capabilities despite limited technical backgrounds. Brickey places immense value on direct relationships with hires. When scouting potential cybersecurity talent, his priorities lie in character, experience, certifications, and education, in that order.

Acknowledgements

Founded in 1989, SANS Institute is the leading authority in cybersecurity research, education, and certification, serving professionals across government and commercial sectors worldwide. Known for their real-world expertise, our instructors deliver more than 85 courses through live, virtual, and OnDemand formats. GIAC Certifications, a SANS affiliate, offers over 50 technical certifications in cybersecurity, ensuring practitioners' skills are accurately validated. The SANS Technology Institute, an accredited college subsidiary, provides advanced cybersecurity degrees and certificates. Additionally, SANS contributes free resources to the cybersecurity community, including original research, webcasts, and the Internet Storm Center for cyber threat monitoring. Central to SANS is our commitment to fostering a collaborative environment for security professionals globally to carry out the mission of making the world a safer place. Visit us at www.sans.org.

Thank you to the following groups for assistance:

Thank you to the following individuals who contributed to the report:

Sharifa Bernard, Amazon
Dr. Austin Cuzak, CISA
Rodney Petersen, NICE
Jay Bhalodia, Microsoft
Deidre Diamond, CyberSN
Danielle Santos, NICE
Jon Brickey, Mastercard
Dom Glavach, CyberSN
Davina Pruitt-Mentle, NICE
Naomi Buckwalter, Cybersecurity Gate Breakers
Brian Fraze, Trusted Advisor Group
Marian Merritt, NICE
Lynsey Caldwell, Leidos
Liz Lazey, SHRM
Matt Swenson, Black Rainbow Group
Josiah Cushing, Trusted Advisor Group
Raman Malhotra, Leidos

Case study put together by:

www.sans.org
www.giac.org
