8 Steps for Building an IT Security Career Path Program
A cybersecurity career-path program can help with talent retention and recruitment.
Cybersecurity professionals are in steep demand, given the projected shortfall of 1.8 million workers by 2022. But organizations can both retain their coveted cybersecurity team members so they don't get hired away, as well as attract new talent amid competing job offers - by creating a career path program.
A majority of companies don't provide such a program for their cybersecurity team, according to IT security career experts. But it's a key tool to keep in-house security talent fulfilled and challenged in their jobs, and to help recruit additional talent.
"The number one reason people leave their jobs today is their company doesn't take security seriously. What this means is that they don't have a plan, which includes a career path plan too," says Deidre Diamond, founder and CEO of Cyber Security Networks.
Career path programs show existing employees the role they currently hold within the organization and potential positions they may later ascend into through promotions or other moves, depending upon their interests, say cybersecurity career experts. It also gives prospective employees a view of their security career opportunities at an organization.
Here are eight steps for creating a cybersecurity career-path program.
Before a career path can be chartered for current or prospective employees, you first need to know where you currently stand with your cybersecurity workforce.
"Define the type of work you want done, so you can create a career path and path for learning," says Andrew Smallwood, cyber human capital specialist with Booz Allen Hamilton.
Jason Hite, founder of Daoine Centric, industry co-chair for the National Initiative for Cybersecurity Education (NICE), and a member of the NICE workforce sub-group, agrees.
He notes that ISO/IEC 27001 is one resource organizations can use to assess and develop their security posture. It is an international standard for information security management that government agencies and companies use to manage the security of their assets.
Teaming up with your organization's HR partner should be among the first steps taken when developing a career path program, says Simone Petrella, chief cyberstrategy officer for CyberVista.
Your HR partner will play a key role in the arduous task of mapping your current and future positions to a matrix of all cybersecurity positions at your organization, and may know of automation tools that can speed the process, cybersecurity career experts say.
Additionally, HR partners will play a role in creating cybersecurity jobs and training programs, Petrella says.
Align your current staff structure to the Cybersecurity Workforce Framework's seven categories developed by NICE - a government, private sector, and academia partnership led by the National Institute of Standards and Technology (NIST).
NICE's framework and specialty areas are designed to create a common language and taxonomy to describe the tasks performed by cybersecurity workers.
The seven categories include Securely Provision; Operate and Maintain; Protect and Defend; Investigate; Collect and Operate; Analyze; and Oversight and Development.
"Most companies will take the framework categories and use it as a base level, then adapt it to fit their particular job roles," says Smallwood.
Smallwood advises companies to drill deeper into the framework and review the specialty areas listed under each of the seven categories, which give a more granular description of job roles.
For example, NICE lists systems security analysis as one of seven specialties within its Operate and Maintain category. Within that specialty there are several job titles, tasks, and competencies, as well as the knowledge, skills, and abilities (KSAs) that apply to the role.
In that specialty, a cybersecurity employee whose responsibilities include implementing system security measures to handle confidentiality, integrity, availability, authentication, and non-repudiation, and whose competency is in information assurance, would carry a job title such as information assurance security specialist.
Cybersecurity career experts recommend you map your current and future cybersecurity roles to NICE framework specialties as much as possible because it can assist in serving as a ready-made template for creating cybersecurity career paths.
Of all the steps needed to develop a career path program, Petrella says developing a matrix of jobs takes the most time.
Smallwood warns that it can take anywhere from a couple of months for a simple career path program to years for a large government organization to create one. "It takes a significant amount of time the more diverse a set of roles you have," he notes.
Once a jobs matrix is created for your organization - either through a specialties template or some other format - each role in the matrix should have differentiated experience levels, ranging from entry level to advanced, Smallwood says.
The matrix should also point to lateral roles cybersecurity and IT professionals could move into, based on overlapping skills between their current role and desired role, he adds. The overlapping skills serve as the means to connect the dots in the matrix, says Smallwood.
Jason Jury, who is responsible for Booz Allen's cybersecurity internal learning and development program, provides an example: "I may have a vulnerability analyst who wants to be a digital forensics analyst. They may check off five of the 10 boxes on the skills, but based on the boxes that they don't check off, we are able to identify the learning gap."
"Just to say there is a career path is not helpful. As a hiring manager, you have to say what resources you will provide, access to training, and people to make it happen," Petrella says. "To have just a matrix means nothing."
Cybersecurity professionals often do not have a clear idea of the next step in their career, Smallwood says.
"They know they want to do something different, but don't know what they want to do," says Smallwood. "Moving to another job within the same family of jobs [framework category] makes the transition easier, but to go to another family of jobs will require additional training which may not be as easy to do."
Dawn-Marie Hutchinson, executive director at Optiv, points to annual reviews as the prime time to explore where cybersecurity professionals want to take their careers. For example, an employee may say he or she is achievement-oriented and would like a job with more challenges, so discussions may focus more around roles with such a fit.
"An outcome-oriented discussion is always better," says Hutchinson. "IT security changes all the time, so to talk about skills is not worth it."
If your company has a career path program in place, it could be used as a recruiting tool for prospective job candidates, Hite says. The added edge can help, given cybersecurity professionals are in tight demand and the worker shortage is expected to reach 1.8 million by 2022.
Hiring managers can use the jobs matrix to show prospective job candidates future roles they may be eligible for if they are hired for the open position, Hite notes.
Millennials, in particular, say the ability to learn and grow on the job is extremely important, according to a Harvard Business Review report. However, Hite says, hiring managers only spend about 5% of the interview time discussing career-path opportunities with prospective job candidates.
Once a career path program has been in place and operating for a while, evaluate how it has actually helped you retain employees and attract new cybersecurity professionals, Petrella says.
"You need to actually measure if it is working," she says.