Sticking with this topic of hiring entry-level candidates, let’s talk about training. Companies will use entry level as a way to hire lower-cost resources to help them stretch their resource dollars. But that could backfire if they don’t provide the environment for entry-level talent to succeed. Fact is, talent development demands a thoughtful training program no matter what size organization you hail from.

It is the job of the executive to ensure that when people come into an organization, they have a good idea of how things work there. The executive needs to spell out what the different groups are, what the tech stack is, how different technologies are connected to each other, what applications are used, and how they are used and by whom. Those things have to be laid out so employees are well onboarded and not in the dark when they start.

If you’re bringing in entry-level talent, there also needs to be a pre-designed training discipline, and I would tie it to compensation for performance. There are good resources out there that provide technology and security training. It’s important to set up a training discipline and make that part of the job.

I recommend compensating people for staying on top of their training because the idea should be to develop them into a fully functional security engineer or senior analyst, or whatever role you need that person to fill that aligns with their personal goals.

If your security department is good, not a lot is going on, so there needs to be a lab environment for stimulation and sharpening an entry-level employee’s skills. There are great resources out there to build one. Take the time to develop that in the regimen for training your entry-level personnel. There also have to be metrics and shadowing.

Your program should have everything in it for entry-level personnel to grow with the company. That’s how you’ll keep them. The average security person doesn’t stick around in a job for more than two or three years. There’s dysfunction in the industry, and companies have to start changing that by being more serious about cybersecurity as a discipline.

In my view, entry-level roles in an organization that is tight on resources simply don’t make sense. If you can’t train them properly, the risk is that you end up with people who are not game-time ready. And when something happens, those cracks in the façade turn an incident that could be easily managed into an event that requires recovery.

It’s the job of security leaders to fight fires and prevent the destruction of the structure. They have to minimize damage. It’s essential to have trained and ready people in place in order to do that. If you’ve got a team of five or six people in your organization, you probably don’t have any entry-level roles.

Larger organizations that do have space to develop a training regimen must also ensure there are opportunities for those workers to attend conferences, be involved in peer groups, and network with other senior professionals, both inside the company and outside. That helps to build the overall discipline and is essential to the community.

Unlike other industries, cybersecurity thrives on the community approach, and one of the reasons for that is there are lots of things that people don’t get to see every day. Having folks in the discipline whom you can talk to, and who can explain things that they’ve seen and how they handled them, is essential to ensuring you can continue to build your repertoire.

I feel that’s a step that often gets missed. But in my view, ensuring your entry-level people are engaged is extremely important. We’re a community that has so much to give.