  • In Episode 35 of the Alliance Podcast, Brandon Dunlap, Global CISO of Black and Veatch, discusses the labor shortage in the information security space.

    • Are we looking in the wrong place for talent?
    • What are the barriers preventing more students from entering the field?
    • What are the biggest challenges universities face with regard to information security?
    • What resources are available for security professionals to continue their ongoing education?

    Join host Clayton Pummill, Executive Director of the Alliance, along with an incredibly insightful CISO to learn more about this fascinating topic and some potential solutions that firms could implement to help their businesses.

    Are we looking in the wrong places for talent?

    Brandon: At every conference I go to, this is a topic of discussion. If you search entry-level InfoSec jobs on LinkedIn, you’ll see “entry-level positions” that require a four-year degree with a focus on Information Security, and a preferred CISSP, which takes five years of experience before you can even sit for the exam. We are finding that the fresh college graduates are not excited about taking a graveyard shift in a SOC somewhere; it’s not what they got into this field for. With the added attention around rising student loan debt, the company offering this position isn’t doing their new employee any favors.

    I’ve taken a slightly contrarian approach to finding people that may be looking for a career change, or at least from nontraditional angles, and I’ve seen it bear some fruit.

    Clayton:  So in this difficult time where it’s hard to find people in the first place, we shouldn’t be excluding the majority of the people that would be interested in those positions.

    Finding talent, retaining the talent that we have, and growing the talent that we have access to

    Clayton:  So if we start at the top, where are we going to source it?  Every university in the entire world has a cyber security track, there are organizations popping up everywhere that offer 8-12 week courses on becoming a cyber security professional and other non traditional sources.  So where do you look?

    Brandon: Within our organization, we have a management consulting group, and we sponsor a CyberPatriot team. So those consultants are bringing these students in for an internship their senior year of high school. We’ll give them experience on both sides of the organization. We brought in two kids this last year, made one an offer and he works full time during the summer and part time during the school year. He’s able to get real world experience while he’s still in school.

    We are also able to give them some direction in their career progression and many organizations offer their employees tuition reimbursement.  We can develop loyalty in our people by getting to them earlier in the process.

    There is an organization that I’m involved in that’s looking for product management experience but also SOC experience. Those are two diverse skill sets. Too many organizations are looking for unicorns when there are perfectly good horses.

    I recently met a kid working as a room service waiter who had a strong propensity for IT infrastructure. I gave him the 1400-page ISC study guide out of curiosity and he read it over a weekend, took a practice exam and scored in the 65th percentile. He’s now the top SOC analyst for a very well respected, interesting company.

    So what rocks are we not turning over to find great talent?

    Brandon: I think junior colleges are a seriously untapped resource for some great talent.  It’s important to find them younger as I mentioned earlier.

    Many CISOs out there are afraid to invest in an employee’s training because they fear that person will just take the new experience and go somewhere else.

    In my opinion, if you give someone a career path, and a pay raise for their increased knowledge or skills, you’ll find that person is incredibly loyal.

    In my organization, we have two mechanical engineers and one chemical engineer in our IT department.  They looked for a career change and had the critical thinking skills that are necessary for our space.

    How do we retain our talent?

    If they are curious employees, and they are constantly evolving in their position, you need to give them a path to work themselves out of their current positions. My best people will find a way to automate much of what they do and move up in the organization. You have to give your employees an opportunity to grow and a clear path up and out to keep them engaged.

    “A person is the least expensive computing power under 150 lbs that can be made with two unskilled laborers” – NASA regarding their test pilots.

    We’ve taken that to heart in IT: we throw bodies at the problem.

    Clayton:  I believe strongly that if we treat our employees as humans, and ask them what they are looking for in their career, we can budget time to help them achieve those goals.  By helping them as a human, and not as an asset, you’d be amazed at what kind of loyalty you can create.

    Isn’t it critical to have a plan for the team and for each individual member on that team?

    Brandon: As a leader I’m always thinking about how am I making my employees more mature, how am I making myself more mature and how am I making our organization more mature?

    I’m at the top of our pyramid, and if I’m not backfilling all of the positions as people move up, guess what, I can’t move up. If there isn’t someone educated enough and confident enough to take my role, I can’t take a bigger role.

    Good leaders always look for ways to allow their people to advance.

    How open are you to the idea of moving your people around to other organizations?

    Brandon: In 2001-2003 I worked in an organization that was merging physical security and information security departments. It wasn’t without its challenges. We were able to cross-train some of our people effectively and had some success.

    On the other hand, I’ve seen other organizations that think any functional manager can be a CISO. There are some skill sets that are critical for that role. If you can’t separate the signals from the noise in prioritizing what needs to be addressed, it’s going to be a long road ahead.

    What makes a good mentor?

    1. Be flexible
      1. Understand how your mentee likes to learn
    2. Introduce your mentee to new ways of learning and build on that success
    3. Focus on building a lifetime love of learning and a self-starting attitude
    4. View them like your kids and be as passionate in developing them as you would your actual children.