The entire security industry knows we have a staffing problem. With demand for security talent far greater than supply, companies with the right resources are positioned to lure top talent from competitors while everyone else is scrambling to find anyone with adequate technical acumen to learn the craft. In today’s world, though, “adequate” doesn’t quite cut it, and there’s scant time in which to become an expert.

Well, not exactly. Some infosec folks default to negativity in the face of adversity (and, yes, staffing shortages with extra-long work hours spent fighting growing threats count as adversity), but InfoSec World 2016 speaker and Director of Technical Alliances at PhishMe, Mike Saurbaugh, took a different approach. Instead of focusing on the negative, Saurbaugh got out of his office and conducted a survey of students in higher education programs to learn their thoughts about and perceptions of the security industry. Most surveys ask people already practicing security what they think is going on. How does that help, though, if we need new security practitioners? Security pros don’t grow on trees, but they can be nurtured in our colleges and universities.

Only the beginning

To begin his “Next-Generation Workforce” study, Saurbaugh asked students (interested in infosec) what type of job they think they’d like to hold upon graduation. More than a quarter of students said their number one choice was security analyst/incident responder. This isn’t surprising, since the idea of being a “security detective” sounds interesting, especially in a field where there’s not likely to be a dearth of activity. Another 16% said they’d like to be a penetration/vulnerability tester. Saurbaugh posited that interest in pen testing could be tied to the Hollywood-ification—the CSI Cybers and Mr. Robots—of hackers in today’s society. While he didn’t go down that line of questioning in this survey, it is curious to correlate students’ desires to be involved in the technical end of security. While consultants are needed as well, hands-on-keys staff are the people running the day-to-day operations and finding and fighting the security issues that stop our companies in their tracks and turn them into headlines.

We’re on each other’s teams

Saurbaugh also found that the next-gen workforce is a collaborative bunch. Unlike many tenured security professionals, those who may have grown up teaching themselves about computers and may have found themselves outside the mainstream, current college-aged students are pretty social and want to work as part of a team. They shared that they desire constant feedback which helps them learn and grow. This is a very attractive attribute for future security professionals. The threat landscape itself is ever-changing and growing; a technically proficient person who not only embraces this challenge but is also willing and open to feedback will be more successful than those that can’t or won’t accept change. That’s not to say individual contributors can’t be successful; some people just work better alone. The problem persists though: The bad guys are excellent collaborators and they’re awfully successful. It’s only good news that our up-and-coming security superstars want to take a page out of adversaries’ playbook and use it to their advantage.

Money for nothin’

The next question Saurbaugh asked was what students expect to get out of their job. What is important to them? A lot of people will automatically think: Money! Many articles have been written about how Millennials expect everything handed to them on a plate. They have no structure, no ambition. The group of students from this survey seems to paint a different picture. Fifty-eight percent of respondents said they are looking for a job opportunity that allows them to learn, grow, and make a difference, and another nearly 22% said salary isn’t all that important; it’s not a deciding factor in choice of career.

Ain’t no sunshine when she’s gone

Now that we know what the next-gen workforce is looking for in a career, what are the things that will make these future employees run in the other direction? It’s probably pretty similar to your own list:

  • A poor work environment
  • Poor management/lack of caring
  • Boredom at work
  • Excessive stress
  • No growth opportunities
  • Micromanagement

Although any good manager (and not just within security) is aware of the pitfalls, very few take time to really address how to keep employees happy. Employees want a work environment that’s engaging, is always improving, and promotes independent thinking. (Again, the attackers are putting on their creativity caps; shouldn’t employees be encouraged to as well?)

As many of you reading this article grow into more senior roles, you have the opportunity to change the game. Provide mentoring. Give your team leeway to work on projects that really get them excited about their work. Run contests. Saurbaugh offered some “retention triggers,” or ways to keep the best security practitioners from job-hopping:

  • Passion: Understand the employee’s purpose for doing his or her job.
  • Intellect: Let employees solve the problems they’re given. Don’t spoon feed answers.
  • Creativity: Let employees solve problems or complete tasks in their own way. One size does not fit all.
  • Recognition: When a coworker or employee does something well, let them—and others in the organization—know their efforts have been noticed.
  • Engaged & Empowered: Provide more opportunities for responsibility when an employee has proven capable.
  • Remove the noise: Decrease distractions. Automate simple or rote tasks when appropriate so employees can exercise their intellect and creativity.
  • Motivate: Security is an industry of “no.” Find the positives and provide inspiration.
  • Business is not personal: Except when it comes to taking a little time to acknowledge that a person isn’t the sum of her or his job responsibilities. Getting to know coworkers and employees goes a long way towards building good will and motivation for the job.

Let’s get it started

Security has an opportunity. More practitioners are needed and students have expressed a desire to work in the field. There are many ways to nurture and attract security talent, but it all starts with understanding what your next best employee is looking for. Give back what you know, offers Saurbaugh. Participate in local security chapters and schools. Provide mentoring and look for talent in diverse places. Who knows where you will find your next hire? You might be surprised to find a stellar prospective employee by creating a positive culture and focusing on strengths, interests, and ambitions.