Investing in the Human Side of Cybersecurity

The IT talent shortage is old news, but companies are still facing struggles finding and retaining talent. Paul Farley, an Atlanta-based CISO with more than 30 years of experience, gave his take on the perennial struggle at Adapture’s Quarterly Power Lunch on August 27. The problem at the heart of the talent shortage, Farley suggested, isn’t finding new talent, it’s being able to train and retain that talent. The shortage isn’t at the entry level or the high level—it’s at the middle level of IT teams.

Much has been made of the cybersecurity shortage, so it’s surprising to recent graduates when they have difficulty finding jobs upon entering the job market. But this makes sense according to Farley. The problem isn’t finding entry-level hires, says Farley, it’s with retaining them five or ten years into their careers. Over his 30 years in the industry, Farley has seen the talent shortage firsthand, and has hired and trained teams to address it. The problem isn’t a lack of talent on the front end, it’s maturing the talent.

IT teams struggle with burnout. A survey of more than 11,000 tech workers found that 58% claimed to be suffering from burnout. Common causes of burnout across all fields include an overwhelming workload, lack of support and constant pressure. Facing a future of being stuck in the cyberthreat trenches with no end in sight, many IT professionals choose to pursue other careers.

Though the attitude surrounding cybersecurity incidents has shifted over the past decade from being an utter failure of the team to a real possibility that every team faces, that doesn’t mean workers enjoy the constant pressure. And these fresh faces coming in out of college are burning out before they can fill the badly-needed experienced roles.

Burnout has become a self-fulfilling cycle—it has a ripple effect. Burnt out workers miss issues that become incidents. They leave and increase the workload on their former teammates. Burnt out team members do not make good trainers or mentors.

These fresh, entry-level workers are coming in, Farley emphasizes, and when incidents occur, they see the lack of middle leadership. They see the higher-level IT leaders picking up slack in crises, and they realize that it is crisis after crisis forever, and they don’t want that. So what’s the answer? What will solve the mid-level IT talent crisis? Farley says it’s personal connection.

It’s in every entry level IT course: People, Process and Tools. But Farley claims it’s in order of importance. If you start with the people, it realigns your whole strategy and straightens out a lot of problems along the way. And he doesn’t mean certifications. Personal connection is a significant factor in stopping and preventing turnover. A 2022 McKinsey study found that more than half of employees who left their job during a six-month period did not feel valued by their organization (54 percent) or manager (52 percent), or they lacked a sense of belonging (51 percent). And it’s up to IT leaders to build these connections.

A good leader should always be willing to coach, train and encourage, Farley emphasizes. It’s about helping your team level up. And that means being with them and letting them behind the scenes. It’s about explaining the reason behind the processes; it’s about sharing early failures as well as recent failures. It’s about encouragement and connection and finding passions within cybersecurity. And it’s about encouraging these passions.

If we want IT professionals to stick around—if we want to end the talent shortage—we have to take it personally as IT leaders, Farley continues. We have to connect personally, work closely, mentor and support our teams. We have to commit to our teams. Only then will they commit to the team and to the organization.

Personal connections have to be built on both sides, and Farley had words of advice for entry-level cybersecurity professionals as well.

Farley’s advice:

Diversify

Training is often too narrow for entry level cybersecurity professionals. Students and entry-level professionals try to become experts in one aspect, which creates bottlenecks in the talent pipeline and may not be useful in environments where IT team members need diverse knowledge of many systems, environments and processes. Every IT professional should always be learning. Learn cloud, Linux or another aspect of IT that has only a limited connection to cybersecurity. Learning outside of your knowledge base will help you understand more about what you’re doing. The pieces will fall into place, and you will stand apart as a well-rounded IT professional.

Find your Passions

Personal connections are no less important for lower-level IT professionals than they are for high-level ones. Finding your passion will help you build and strengthen personal connections within the industry as well as outside of it. People who are working with their passions are happier, more fulfilled and engage the people around them.

Paul Farley is an Atlanta-based cybersecurity expert with more than 30 years of experience. Over the years he has worked for names recognized in the Atlanta area, including Cox Communications and NCR, and he is now Field CISO at TrustedSec. His passions lie with helping people both on and off the clock. In addition to his work in cybersecurity, he is involved with City of Refuge, an Atlanta based nonprofit that helps the people of Atlanta find stability, learn new skills and thrive.