Hacker, Researcher, and Security Advocate

Tag: skills gap

A Promotions Gap

Are expectations in promotion helping fuel the “Skills Gap”?

Search job postings and you’ll find there are plenty of companies bragging about how they invest in their people. Internally, organizations like to boast about having a culture of promoting from within. Indeed, there is no shortage of articles touting the value of internal promotions processes. Yet, I must wonder if these words translate into action. While I’m still gathering the data in my surveys, some respondents have also reached out to me directly to share their stories. Quite a few tell me about how difficult it is to transition internally into security-related roles.

Initially, this might seem anecdotal. Without analyzing objective data, it can be dangerous to draw conclusions. However, the stories I hear are numerous and I have also witnessed and experienced similar situations. How many of these companies that claim to prioritize developing and promoting their own people actually walk that walk? I’m beginning to believe the percentages aren’t that good.

What it means to promote from within

Establishing a culture of promoting from within requires more than mere words. In fact, failing to credibly back up such claims with actions can be detrimental to employee engagement. It’s more than simply having a process for employees to internally search and apply for jobs. It requires a commitment to your people. This commitment requires a few things:

  • Truly investing in the skills development of your people
  • Changing the way you evaluate candidates for available opportunities
  • Shedding the idea of “critical” roles that lead to external hiring

Over my 25 years in professional roles, I’ve seen the good and the bad. I’ve watched companies provide training with no clearly defined path for career advancement. I’ve experienced hiring searches that failed to accurately assess the potential of internal candidates. I’ve even been witness to hiring practices that deemed a role too “critical” to take a chance on elevating an internal employee. These are mistakes and they lead to long timelines to fill crucial positions while also devaluing existing employees.

Investing in employee development

I’ll start with the concept I believe is probably most easily understood. I also believe, again based only on experience and hearsay, that it is the one that gets the most effort. Employee development is a concept that’s gotten increased attention in the last decade or so. More and more, organizations are coming to understand the business value of developing their employees.

Training seems to be one of the key areas that gets the focus when we talk employee development. Many organizations have formal training programs, invest in e-learning technologies, and some even set aside specific per-employee training budgets. This is great; however, it only scratches the surface of what is necessary. To truly develop your employees means preparing them for their next role and providing a clear vision of what that next role can be and how they can get there.

This requires active leadership participation. It requires the organization first and foremost to have mature job descriptions and provide clear expectations. Human Resources professionals can often tell you stories of struggling to get support for this foundational element. Taking the next step of succession planning is also crucial. How will a role be filled when it becomes vacant? Leaders should constantly be working to identify “who’s next”. Ultimately, that succession planning then has to lead to action. Leaders need to be grooming those planned successors, empowering employees through challenging assignments that provide visibility into key aspects of what that next role entails. Sadly, these last two steps are often neglected or avoided altogether.

So succession planning and development requires us to identify candidates by potential. That leads into the second point: we need to think about our people and how they fit open roles in a different way.

Evaluate talent differently

This is a concept that, from my experience, needs a lot of attention in most organizations. If a company is looking to fill a role, how they assess the internal candidates needs a unique approach. Far too often the same experience and skills-based lens is used for both internal and external candidates, but that just doesn’t work. When evaluating external candidates, a reasonable mix of experience that matches the job role is expected. For instance, the expectation that a candidate for a senior manager or director role has previous “managing managers” experience. However, the same bar cannot be used for internal candidates if you’re invested in developing your people.

Internal candidates are often direct reports of the role being filled or moving into that role from another area of the business. So it can’t be expected that they’ll have the experience of someone who’s worked that role before. Organizations need to assess internal candidates based on potential. But how does the leadership team assess potential? The Harvard Business Review published a terrific article on this in 2017. The basic premise is leaders need to be constantly aware of those employees whose performance consistently elevates that of those around them. It’s a combination of ability, drive, and social skills that should be prioritized above past experience or demonstrated role-specific skills.

Unfortunately, from the stories I’ve heard, my own experiences, and indeed the glut of open security-related leadership roles currently on job boards, companies are failing in this crucial aspect. And it also leads to the third point.

No role is THAT critical

I’ve watched numerous internal security candidates get rejected or ignored and jobs posted externally because the role was deemed “too crucial”. In particular within security, there seems to be a belief that certain roles are so important that the organization must find a “step-in” candidate (someone who’s done it before and can step in and run with things day one). The problem is this prolongs the candidate search in two ways. First, it eliminates the majority of high-performing internal candidates who could be very successful in the role. Second, it shrinks the available pool of external candidates since, as studies show, the majority of job seekers are looking for new challenges. Few are going to be attracted to a job doing what they’ve already been doing.

Promoting from within requires the understanding that high-performing candidates thrive in critical roles that stretch their skills or require them to develop new skills. Pushing back on or ignoring internal candidates because a role is “too critical” to fill internally tells your teams a lot about how much you value their skills and abilities. It says you don’t trust them, you don’t believe in them, and that the only jobs they’re qualified to fill are somehow less crucial. This is not how you create a culture of committed high performance.

About that skills gap…

When I see security roles open for long periods of time, it causes me to question the organization. Sure, many jobs need to be filled externally, especially with growing companies that are seeking to add resources. But when there’s a role that sits open for 6 months, a year, or longer, especially if it’s a senior or leadership role, one has to ask “are there no internal high-performers who could step into that role?” The broader question becomes once again, are we experiencing a skills gap, or are we just looking for the wrong skills or in the wrong places?

** Footnote: Some may take issue with certain aspects above in the context of equal employment opportunity requirements and such. Nothing I’m suggesting above is in conflict with those requirements; I simply didn’t go the extra mile of explaining how, as that is a lengthy discussion on its own.

It Shouldn’t Be This Hard

Why is a career in cyber security so difficult to build?

There it is again. Another headline about the cyber security skills shortage. It’s getting worse, says the author. A different article puts the number at 4 Million open jobs with no relief in sight. Training platforms market their programs in an effort to address the problem. Conferences host career fairs and villages. We have volunteers doing resume reviews and interview coaching. Yet despite all this effort, studies tell us the problem is growing.

This pattern would suggest that more jobs are being created than there are people to fill them. But if that were the case, who are all the people attending these career building events? Why are there people who’ve been searching for over 12 months to find a security role? If there are 4 Million unfilled jobs, shouldn’t it be impossible to locate a job seeker who hasn’t been able to get called back on their applications? Truly, these people exist; look at any Mentoring Monday Twitter thread and you’ll see they exist in large numbers.

The Blame Game

When you ask these questions of people around the security community, you’ll get some interesting results. Employers point their fingers at academia for not offering relevant instruction. Hiring managers blame candidates for applying to positions they’re not qualified for. Aspiring security professionals often point out that entry-level jobs are hard to come by. Seasoned professionals, like myself, point to the myriad of unrealistic job listings that discourage candidates from even applying.

With all the postulating about who and/or what is to blame, it’s hard to know if there even is really a skill shortage. I previously wrote about my belief that this shortage is overblown if not an aberration altogether. Two things are certain here. One, entry-level and experienced candidates searching for jobs often spend months to a year looking for work. Two, many cyber security roles sit open for months to a year or longer.

The real costs of this problem

Businesses pay dearly as a result of this situation. There is a concept in the recruiting world known as Cost-of-Vacancy (COV). Most people understand that actively recruiting for a position costs money. However, what many fail to account for are the other costs of having an open position. These include:

  • Increased attrition
  • Lower productivity
  • Lost sales or renewals
  • Increased travel and other expenses

Businesses are not the only ones bearing the costs of the problem. Obviously, the job seekers themselves take on much of the cost. Searching for jobs costs money as well as time. Mental and physical health suffer as a result of staying in a bad situation or just the job search process itself. Even family life can suffer as a result of this increased stress and demand for time.

Finding the solution

OK, so everyone pays a price as a result of this seemingly disconnected situation between hiring organizations and job seekers. Why then don’t we have a solution? It’s time for the industry to do better and be better. Predictably, that begins with building a better understanding of the reality we face. To that end, I recently announced via social media that I teamed up with Manning Publications to write a book. The focus of this book will be building a career in cyber security. Unlike the precious few other books of its type on the market, I don’t intend to focus heavily on training strategies and technical skills. Instead, my work will take a long hard look at the human factor. I’ll address the unseen challenges and provide ways to overcome them.

With that said, my first step is research. I want to find practical answers to the problems I’ve detailed above. This is where you can help me help others. I’ve created two data gathering surveys. The first targets experienced security professionals. I want to gather insight into the journeys others have taken in their careers. The second is for aspiring professionals. In other words, those who have never worked in cyber security but want to. I want to understand the problems from their perspectives. I want to learn about their experiences and the skills they bring to the table. Both surveys are quite short, only 3-5 minutes to complete, and both are completely anonymous. I’ve included the links below and would appreciate it if you could spread the word. Additionally, of course, if you fit either description above, I’d love it if you could complete the appropriate survey.

Improving our situation

Thank you in advance for your assistance with this. I truly believe there is much to be gained from this work. I’m teaming up with others in the industry to understand their research as well. My goal is to finally bridge the real gap that I see here. The gap between expectations of job seekers and hiring organizations. That is how I think we’ll improve our community and the digital world as a whole.

Experienced Professionals Survey: https://s.surveyplanet.com/LupYIHiV

Aspiring Security Professionals Survey: https://s.surveyplanet.com/lmI4b4fB
