Growing a Cybersecurity Career

Growing a Cybersecurity Career
Author: Philip Casesa, CISSP, CSSLP, PMP, ITIL, SAFe Agilist
Date Published: 10 November 2018

Those who have owned a house plant have probably noticed that no matter where the plant is placed, it grows toward the strongest source of light—a phenomenon called “phototropism.” Tropisms are defined as any growth in response to an environmental stimulus. They are found in nature in various forms, such as gravitropism (downward growth), hydrotropism (growth toward a water source) and aphototropism (growth away from a light source). Outside of the plant kingdom, the principles behind tropisms occur in places such as the economy, family life and the workplace.

Cybersecurity or IT professionals should seek out career opportunities that offer the right sorts of stimuli to enable their own growth. A positive corporate culture is one such stimulus. A well-rounded workforce development program is another. However, negative stimuli can be present as well trapping employees in situations that stifle growth, push coworkers away and drain the team of talent.

So, how do job candidates evaluate whether an organization has the right set of stimuli for their own development? There are a few critical questions to ask. How the employer answers should provide the insight needed to determine whether the job will support personal and professional goals or the organization has already put a ceiling on growth potential.

Those who lead a cybersecurity team may find these questions helpful in evaluating the opportunities their program provides their team members.

Question 1: What Is the Multiyear Growth Plan for Someone in the Position?

This is the answer candidates want to hear: Knowledge, skills and abilities (KSAs) are clearly defined for this role and there are expectations for growth. There is a clear plan for the professional development and career progression of someone in this position.

The term “KSAs” is most frequently used in the military, but the concept is universal. KSAs should serve as the baseline requirements for each position on the team. Organizations need defined KSAs to successfully map out how that role fits into the business and evolves over time.

Without KSAs, it is hard to set a structured plan for professional growth. KSAs can answer the questions, “What must candidates know and be able to do to be successful in this role?” and “What knowledge and skills must candidates learn to be ready for their next role?” Some see KSAs as restrictive or rigid, but they can be very empowering. Knowing exactly what must be delivered to move to the next level makes it much easier to seize the opportunity and move forward. In interviews, candidates should ask pointed questions about the specific skill sets and knowledge expected of the role and how they will evolve over time. If the interviewer can answer these questions, it shows that they have a plan for employees’ growth, goals to be achieved and opportunities for advancement.

To get started, the candidate should ask questions such as: What are the expectations for the growth of someone in this role? How will the skills of someone in this role evolve? How will career progression be measured? A careful examination of the job description may also be helpful. If only responsibilities or experience requirements are listed in the description, rather than the specific skills, it could be an indicator that KSAs are not in place for this position and the employee may be stuck carrying out the same tasks indefinitely, rather than advancing in his/her career.

Question 2: How Long Has the Interviewer Been With the Team? What Is Their Career Story?

This is the answer candidates want to hear: Team leadership is homegrown. Managers started their careers in the organization and worked their way up. Senior positions are rarely given to outside hires.

Panel interviews, in particular, provide a unique opportunity to quickly evaluate the amount of homegrown leadership on the team. A round-robin response from the interviewers can paint a picture of an organization that develops loyal, talented employees or it can describe a organization in which top talent flees at the first opportunity. Follow-up questions to learn more about the interviewers’ career journeys and experience at the organization can give additional insights into team structure and dynamics.

What is really important to uncover is if the team’s leaders and managers grew into their roles. If they have climbed a ladder into increasingly more skilled positions, that is a good indicator that there is a workforce development program in place. They are building a pipeline of skilled cybertalent, and new employees will be expected to develop new skills and advance within the enterprise. However, if it sounds like most of the team members are recent additions (especially those in leadership), the turnover rate for the team may be high, training may be limited and senior roles may be given to outside hires.

Listening to what the interviewers say about their experience at the organization can provide information that may not be available from their website, social media or Glassdoor. questions that may help elicit this information focus on how long the interviewers have been with this organization, their background and how they got to their current position, and what made them decide to join the organization.

Question 3: What Approach Is Used to Build a Diverse, Well-Rounded Team?

This is the answer candidates want to hear: This enterprise is actively working to build a diverse team, looking for people with a variety of backgrounds, educations, skill sets and experiences. Diversity is important to this team and at this organization.

Enterprises that embrace diversity seek out a variety of backgrounds, skill sets, perspectives, experiences and ideas—all things cybersecurity needs. As an industry, and largely out of necessity, cybersecurity scores good marks for diversity of professional background: Many cybersecurity professionals come from backgrounds outside of the expected fields of information systems, computer science, etc. Today’s cyber leaders are just as likely to come from accounting, IT or the military. But, in other ways, diversity is severely lacking in cybersecurity. For instance, women make up only 11 percent of the global cyberworkforce.1

Diversity is an interesting example of two types of tropisms. An organization that builds diverse teams is more likely to encourage the free collaboration and sharing of ideas, which puts employees in an ideal position to learn new skills from their peer group and bring new ideas to the team (horizontal knowledge sharing, as opposed to vertical knowledge sharing).2 This results in upward growth as a professional. And when an organization embraces diversity, it also inspires employees to grow roots and build their career there.

Successful cybersecurity teams require unparalleled problem solving, lots of creativity and seamless teamwork. Diversity should be the engine that drives these outcomes. An organization that recognizes diversity as both the right thing to do and a way to improve security outcomes is also likely to be an organization with a robust program for developing diverse talent internally.

Candidates should ask questions about the composition of the team, the team members’ backgrounds and what key team members bring to the table. Candidates should also ask pointed questions about the diversity programs at the organization. What initiatives does the organization have that encourage diverse hiring? Are there groups or programs that support diversity in the workplace? The types of programs the organization has in place are obvious indicators that it seeks out and supports diversity.

Question 4: What Is the Strategy for Filling Openings on the Team? Is It to Train Up Existing Team Members or Look for an Outside Hire?

This is the answer candidates want to hear: Existing team members are offered new opportunities first. The plan for filling skills gaps on the team is to train up existing team members to equip them with these skills.

The global cybersecurity talent shortage has been well documented, and regulations, threats and technologies are constantly evolving. Most organizations have a few skills gaps on their cybersecurity team. How an organization handles this challenge can reveal a lot about its workforce development program.

Despite the shortage, some organization still look for outside hires to fill gaps on their teams. Finding the right person can take months, if it happens at all, leaving the team with a significant gap in skills and the organization vulnerable. On the other hand, other organizations see a skills gap as a growth opportunity for an existing team member. These organizations have programs in place for ongoing and targeted skills development, constantly elevating employees to fill gaps and training up less experienced hires to fill open positions. This creates upward momentum for the whole team and a culture of shared goals, success and loyalty.

Finding out how the organization addresses these issues takes a little sleuthing. The job description for the open position should have some indicators of whether the organization is recruiting to fill a very specific gap. While the opportunity may be great now, it could mean the person hired will be stuck in that position for a while. During the interview, candidates should ask questions about how the organization tackles regulatory changes, new technologies, and new threats or risk. Does it rush to find someone new or will it start training team members on how to address these?

Question 5: What Is the Training Program for the Team?

This is the answer candidates want to hear: There is an established training program for team members at every level. Employees are given training opportunities, and there is an expectation that they will develop new skill sets.

This is a direct, obvious question, but it is one the candidate should save for last. The problem with a simple question about training is that every interviewer is ready for it. Interviewers know that training is important to most professionals, so they have a canned response ready—a response that may or may not be an accurate reflection of the training program in place.

So, candidates should ask questions that require specific answers. Ask the interviewers how the training is facilitated. Is it done in-house? Do employees attend external trainings? Is it online or in-person? How is training selected? Do employees have to find and choose the training they want? Are employees given a budget to self-select training or does the organization provide guidance? Is there a certain training provider the organization uses? Is training individual or team-based? Diving deep into how the organization’s training program works will provide a more realistic picture of what it is actually doing when it comes to professional development. Candidates should want to see that the organization is making an investment in training and sees value in training the team as a whole. A budget is allotted to training and time is set aside for employees to develop new skills. The key is to go beyond the usual “Are there training opportunities?” questions and get into specifics.

Taking the Next Step

Many prepare for interviews by trying to anticipate the questions they might get asked. While this is important, preparing questions for the interviewer is equally important, especially regarding opportunities for professional development. The answers to these questions will help job seekers determine if a team is the right fit and potentially help them take a step forward in their career path. These questions will help job seekers find an organization that:

  • Has a plan in mind for employees. They have set goals, a defined career path and clear opportunities for growth.
  • Wants employees to succeed. Their team members have been able to grow successful careers and new hires are given opportunities to do the same.
  • Welcomes diversity. They are open to new ideas and different perspectives and realize that new and different solutions can be the answer to longstanding challenges.
  • Helps employees grow their skills. Instead of looking to outside help for new challenges, opportunities are given to existing employees to learn by doing.
  • Guides employees in their career. They see the importance of a good training program and help employees choose the courses they need to grow the career they want.

Look for an organization that provides the stimuli that helps employees grow, encourages them to put down roots, and expands their skill sets and knowledge. Then, new hires will experience what it is like to be a part of an organization and a team that wants to see team members succeed because they know that professional growth is critical to the success of the organization. Not only will employees find their work more fulfilling, but they will be excited about their future and the opportunities it holds.

Endnotes

1 Frost & Sullivan, The 2017 Global Information Security Workforce Study: Women in Cybersecurity, 2017, http://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf
2 Rock, D.; H. Grant; “Why Diverse Teams Are Smarter,” Harvard Business Review, 4 November 2016, http://hbr.org/2016/11/why-diverse-teams-are-smarter?

Philip Casesa
Is the director of product development at Focal Point Data Risk, bringing years of insights from roles in cybersecurity, software development and consulting. Prior to Focal Point, he spent 11 years as the director of IT/service operations for (ISC)2, leading and growing a team of enterprise architecture, applications, operations, security and web staff. At Focal Point, Casesa is focused on translating his experience into new offerings from Focal Point Academy, a leading provider of hands-on cybersecurity training, working with its elite team of educators to pioneer new models for building world-class enterprise cybersecurity organizations.