Focal Point recently had the privilege of helping a large retailer assess the sustainability and effectiveness of its workforce development program. This program is, to date, one of the most advanced we have seen in the industry. Here’s a closer look at what they’re doing.
This company’s journey to becoming a cyber workforce paragon began – as is too often the case – with a breach. After this high-profile security lapse, the retailer centered its efforts on a simple goal: build the best threat detection and incident response team on the planet. To them, this meant having a capable workforce ready to combat any cyberattack technique and detect an invasion in any part of the network. The leadership team created a new approach, one designed to build a sustainable talent pool for years to come. This new approach would yield a cybersecurity strategy that would uphold the organization’s enterprise objectives and evolve as threats advanced in the future. This was their approach:
Step One: Change the Hiring Process
Previously, the retailer had relied on certifications, degrees, and years of experience when hiring for their security team. But following the breach, they realized these weren’t always the strongest indicators of skill and ability. So they revamped their job descriptions to be more focused on specific character traits and proven aptitudes. Roles were rewritten and levels were clearly defined, illustrating a clear career path to candidates and existing team members alike. This also gave business leaders the peace of mind that every skillset was accounted for.
Step Two: Establish a Workforce Development Program
The cybersecurity leaders at the company knew they couldn’t just hire new resources to fill our their team. They needed professionals that were trained in their specific tools, environment, and culture and were very familiar with their threat landscape. To accomplish this, they mapped out a detailed workforce development plan. This program was a unique combination of third-party trainings, internal trainings and exercises, regular skills assessments, and conference attendance.
Step Three: Test and Assess the Team
While the retailer decided to invest in high-quality internal and external training for their employees, they didn’t stop there. They recognized that assessing and testing the team were the most critical steps in the development plan. Throughout the year, the cybersecurity team was regularly tested on knowledge, skills, and abilities through a series of challenges that varied in difficulty by job level. These assessments had three objectives:
- Measure the employee’s abilities to defend and detect.
- Determine how the employee is progressing against their career path.
- Remind the employee of the KSAs needed to advance to the next level.
In addition to these more dynamic assessments, the team also rolled out smaller test scenarios to keep employees challenged and further the team’s learning culture.
For a while, this new approach seemed to be working perfectly. Employees were happy because they knew their roles, felt validated through testing, and understood where their career paths were headed. This meant lower turnover and a more productive team. But as time progressed, a couple of issues came to light that made leadership concerned for the sustainability of the program.
First, conference learning events and off-site trainings were not delivering the value leadership needed. These types of events were considered rewards for personal career advancement, but unfortunately, the training delivered through these platforms often didn’t tie into the formal development program. At $8-10k per student (plus expenses), these ad-hoc trainings were eating up precious budget and sacrificing three days of employee opportunity cost for little return.
The internal training component of the program had been designed to complement the external trainings, ensuring the skills learned at these conferences and events could be applied to the company’s specific tools, network, and technologies. On top of the responsibilities of their individual roles, experienced security team members were also expected to help develop and deliver internal trainings to build up new, productive members of the team. While this strategy had good intentions, it presented two problems. Either training would get pushed back when more urgent, timely security issues came up, or the expertise and leadership abilities of these team members would not be available during an important project.
Success and Continued Support
Recognizing these issues early on, business leadership began researching workforce development partners that could customize technical security trainings to the exact threat landscape the company faced, and the skills needed to address those threats. By building a relationship with one of these companies, they could free up their security leaders’ time, while still having the assurance that their resources were receiving tailored training. These trainings could be delivered on-site at the same price (or less) as conferences or ad-hoc trainings, while delivering much more value. In addition, employees would still receive trainings that challenged them and helped to advance their skills, making them feel valued and rewarded.
In the end, this combination of outsourced workforce development, with occasional specialized internal trainings, proved to be a perfect recipe. It allowed the company to continuously elevate the skills of their cybersecurity team without overtaxing their experienced professionals or compromising their day-to-day security responsiveness. As a result, the company now has a sustainable and effective cyber workforce development program that will keep their talent pipeline overflowing for years to come.