Business
Mags22, Jan 18, 2024
The need for cybersecurity workers is more pressing than ever, with the global cyber workforce gap reaching an alarming 3.4 million professionals, according to the ISC2 Cyber Workforce Study 2023.
So what can federal leaders do to attract, retain, and develop their cybersecurity teams?
We gathered a panel of senior leaders to share their insights on the subject in a recent webinar about federal workforce development. The panel included:
Dan Magnotta, Federal Business Development Manager at Hack The Box.
Lieutenant Commander (LCDR) Kenny Miltenberger, who currently serves as the first Commanding Officer of the 2003 Cyber Protection Team (CPT).
Clayton Jones, Chief Technology Officer at Aperio Global, LLC.
Ryan Whicher, Vice President, Intelligence Analysis and Senior Pentester.
Continue reading for the insights they shared on attracting and retaining cyber talent, and the challenges the industry faces.
When faced with a cybersecurity skills gap, federal teams need to develop strategies and unique ways of tapping into talent. The challenge begins with the lack of general knowledge of the cybersecurity industry as a whole among juniors.
“A lot of people don’t even know what they don’t know. They don’t know a lot of the jobs that are out there, what we’re doing, what the opportunities are because they just don’t get the exposure,” Miltenberger shared.
However, Miltenberger has found more junior talent showing an interest in the industry: “One interesting fact was a lot of students want to engage in federal service. The war in Ukraine actually has started conversations about younger people wanting to be involved.”
Despite this, cybersecurity remains a mystery to many entry-level applicants, and federal leaders shoulder some of the responsibility:
“The challenge is that we aren’t very transparent about the jobs we have, the requirements for those jobs, and then advertising those to fresh talent,” Miltenberger explained.
Ryan Whicher shared the same sentiment, calling for more clearly defined roles and job descriptions when hiring junior cyber professionals in federal teams: “Even if you want to have training before you get in, you don’t even know where to start.”
The consensus is that the public sector isn’t doing enough to attract cyber talent and that leaders must pave the way.
Clayton Jones suggests that “hiring managers need to do a better job articulating exactly what they’re looking for.” This can be facilitated by “teaching our HR/recruitment staff what we are looking for.”
This is important because “HR doesn’t know cyber, they don’t know the security certifications.” As a result, they may not put experienced people forward to the hiring manager if they don’t tick a certain box.
If federal employees work harder to talk about their roles, engage with juniors, and make the industry more accessible with transparent job descriptions, more talent will emerge.
When it comes to degrees and certifications, there’s no easy answer to the best route into cybersecurity. Some certifications may be seen as just “checking a box”, while they can also prove to be a testament to someone’s knowledge.
On the other hand, the federal government requires a four-year degree or a certain number of years of experience and certifications, making it a prerequisite for entry for many juniors.
Miltenberger stated that “not all certifications are created equal” and that “showing interest and curiosity is really important”.
This is especially true in federal cybersecurity roles, as Miltenberger went on to say that “the military is a great way to enter the cybersecurity workforce. We’ll take you from a high school degree through to strong cybersecurity training before sending you to more schools for specialized operations.”
Whicher agreed that “hands-on experience is so much more valuable than theory”. This offers candidates more opportunities to share their knowledge and worth. It’s also an efficient way for hiring managers to assess practical skills. For example, Ryan also went on to say, “if someone told me they were ranked three on Hack The Box, I’d be really impressed.”
This leads us to question the way federal organizations hire junior cybersecurity candidates. Clayton Jones challenges the status quo: “as leaders we need to identify more ways to evaluate people”.
Federal leaders are required to adjust their expectations, as Jones fairly states: “I don’t need an entry-level person with a four-year degree and five different certifications.”
Retaining cybersecurity employees is another challenge in itself.
The stakes are incredibly high in federal roles, with overwork and burnout a by-product of the relentless pressure. We discussed how federal leaders can retain their talent when pay raises aren’t always an option.
Ryan Miltenberger understands that “the easiest way to retain talent is to keep people interested.”
Often, with federal positions, a distinct sense of purpose trumps working for large conglomerates that could offer better compensation.
Jones shares that people have a “sense of pride, dedication to an organization and mission.”
However, as leaders, federal managers must be responsible for retaining their cyber talent.
Clayton Jones went on to say how important it is to “know your people” as “knowing what drives them on a day-to-day basis” keeps talent engaged. For example, if you know work-life balance is important, offering remote work options can keep people committed to your team.
Miltenberger highlighted that “creating the environment where it’s easy for people to continue their training” is highly effective. When people stagnate and aren’t offered opportunities to learn something new, they are worse at their jobs and likely to search elsewhere.
Speaking to potential hires, he said, “we owe it to you to buy you that Hack The Box subscription, and do that training certification to keep you interested”.
By offering fun and engaging ways to continuously upskill, you show cybersecurity teams that you’re taking the time to invest in them, and they will commit to your organization in return.
Ryan Whicher also had a unique idea to offer sabbaticals, allowing employees to explore other companies and realize that “the grass isn’t actually greener”.
With the increasing expectations on cybersecurity teams, many federal organizations are adapting their internal training strategy to adopt a purple team approach.
By blurring the lines between red and blue teams, professionals can collaborate and develop skills. This could also change how we hire and train cyber talent in the future.
Clayton Jones shared that “in order to defend, you need to understand the attack process.”
In his role, he’s offered blue and red teams the opportunity to work together in the same environment to “understand the full kill chain of what a hacker actually goes through.”
He sympathized that “blue guys always have the hardest job, they have to be right 99% of the time, hackers only have to be right 1% of the time.” Training blue teams on red tactics, techniques, and procedures (TTP) will make them better prepared to defend, dramatically reducing mission risk.
Miltenberger warned that it's “easy to get pigeonholed into a red teamer or a blue teamer.” He stated that transitioning and broadening yourself is difficult if you only stick to one role.
For example, an analyst who has never been exposed to red backgrounds may not even know how to look for a certain activity and can overlook vulnerabilities.
Ryan Whicher stressed that you simply “can’t be stagnant” regarding cybersecurity skills development, and purple team training is necessary for modern cyber talent.
Federal cybersecurity leaders need to pave the way for the future of security. From engaging more with juniors who may not understand the opportunities available to adjusting expectations and having a more creative approach to hiring, there’s a whole pool of talent waiting to be tapped into.
Offering more opportunities to upskill and explore new ways of training will not only improve your probability of operational success but will also retain the talent you’ve invested in.
By addressing these key issues, we can begin to close the federal cyber skills gap and improve our team's abilities as a whole.
Learn more from our expert panel on how they recruit, retain, and develop their cybersecurity teams by watching the full webinar below.
Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box
Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors. His career began with dedicated service to the U.S. Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies. In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive. At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.