CSO Online - A bold approach to fix the cybersecurity staffing deficit
Last month in “The Time for a National Cyber Skunk Works is NOW!”, I cited the wide and prevailing talent supply-demand gap as one of two major obstacles militating against a much-needed big push forward in furthering and enhancing our collective cybersecurity ecosystem.
To address this imperative I called for, “ . . . A deep national bench strength of existing and next generation cybersecurity leaders and operators, spanning startups to large corporations and across the public-sector space, who possess the requisite skill set to compete and consistently win on the cyber battlefields of today and tomorrow.”
How can we get there “the fastest with the most-est”? One perhaps out-of-left-field approach . . .
Execute a 10-year national priority recruiting campaign that will flow new cyberist recruits across the US Armed Services . . . the majority of whom will eventually vector to mid and large companies across the private sector.
Each of the five US service branches—Army, Navy, Air Force, Marine Corps, Coast Guard—has its own domiciled Cyber Command element, all with dual reporting linkage to US Cyber Command. Additionally, there are the principal national security cyber echelons, NSA, DHS, etc. I envision that, following initial enlisted recruit boot camp or, as the case dictates, officer candidate school training, and subsequent follow-on formal cyber schooling, these specially designated national priority cyberist recruits will spend the next two to five years fully engaged in their cyber work. No ceremonial duty interruptions. No assigned secondary specialties. Just 100% focus on cyber battlefield skills and leadership development.
Following this intense period of real-world, front-line cyber battlefield foundation building, roughly two-thirds of each annual cyber recruitment class will redirect to transitional cross-pollination (private sector) enhanced training with the National Center for Cybersecurity Coordination & Excellence (NaCCCEx; see last month’s blog referenced above); the remaining one-third will carry on in the uniformed services. Following an 18- to 30-month run here, approximately two-thirds of each class will vector to a multitude of mid and large corporate platforms for permanent long-term employment, with the remaining one-third routing to NSA, DHS or staying on at NaCCCEx.
To be clear, there is no suggestion of a mandatory targeted cyber draft here. Nothing of the sort. Rather, an exceptional three-tranche monetary bonus scheme will, once institutionalized, attract (highly) qualified and committed potential recruits. Upon completion of boot camp or OCS, the first tranche will be paid in full; upon transition to NaCCCEx, tranche two will be allocated; the last tranche will be distributed upon initial enhanced NaCCCEx training. Private sector hiring companies may of course offer their own sign-on bonus scheme above and beyond what’s outlined above.
What tangible results will the aforementioned plan yield? Arguably, nothing short of a deep national bench of cybersecurity operational leaders—with emphasis on leader—who are equally conversant and adept across the public and private sector communities.
As for the focus on broad cyber leadership education training . . . While we now and likely for generations will need cybersecurity technicians, the force multiplier effect of any formidable comprehensive national cyber strategy, which we as a nation forge, will be founded on our collectively deploying cyber organizational leaders. Multi-functional cyber operators for whom risk management, relationship building, communication (verbal and written), strategic networking and outreach, business unit management and EQ are second nature. This holds true not just for CISO candidates, but also for their deputies. To win, it’s going to take an inside-out + outside-in approach . . . and only strong cyberist-leaders can accomplish this.
Perhaps there is no better way to illustrate the meaningful benefits of going the extra mile and hiring a cyber-leader than citing a recruitment we recently completed on behalf of one of our strategic clients. A Tier 1 global industrials holding company engaged ZRG Partners to recruit its first ever head of cybersecurity; the position specification essentially reads as a multi-dimensional CISO function. Our client heretofore had been faring quite well outsourcing its CISO requirements to one of its strategic enterprise partners.
For a variety of converging reasons, it was now time to bring the function in-house. Our client preliminarily met a number of prospective candidates via its own direct outreach. All were generally very capable; but in the end all were deemed lacking that “certain intangible something”.
Subsequently, ZRG launched a comprehensive outreach campaign, one that yielded a substantive, diverse and high-quality candidate slate. Following an intensive due diligence period, the slate was whittled down to a highly competitive three-candidate short list. Ultimately, the successful candidate possessed the sought-after combination of qualities: extensive real-world cyber battlefield experience, through his veteran cyber military work, tempered by more recent commercial success consulting to client company C-suites and board rooms as a digital forensic incident response leader.
Front line experience fighting cyber bad guys plus cyber ecosystem connectivity plus risk management plus tactical and strategic communication plus organizational leadership plus EQ. It was this combination that proved to be the right stuff. And it is this that we must strive for in building our national talent bench of exceptional cyber leaders.