How to Upskill Cybersecurity Job Candidates to Transform Them Into High-Performers and Excellent Communicators

cybersecurity trainingThe cybersecurity workforce landscape is at a serious threat level. Millions of jobs are unfilled, and most companies state they can’t find qualified cybersecurity job candidates. If we continue on this trajectory, risks will rise and jeopardize the data and networks of thousands of businesses.

As an industry, we must change how we hire, recruit, and develop cybersecurity talent. Expanding how you consider someone qualified is a necessary step. Seeing the potential in someone who doesn’t necessarily check all the boxes is one way to address the shortage. For this to work long-term, upskilling must be a part of your employee development strategy.

This upskilling includes hard and soft skills because cyber job candidates need both to thrive. Let’s review the current cybersecurity workforce challenges, the facts about the skills gap, and how to upskill new hires.

Cybersecurity Workforce Challenges

Cybersecurity job growth is a bright spot in the tech industry, with many opportunities for someone to have a career that pays a good wage and is in demand. However, the field is currently experiencing significant shortages.

According to the (ISC)2 2022 Cybersecurity Workforce Study, the global cybersecurity workforce grew to over 4.6 million, which is an 11.1% year-over-year increase. Unfortunately, 3.4 million jobs remain empty. As a result, many companies and cyber firms are operating without enough people, which can directly impact risk.

So, why is the industry struggling with recruitment and retention? It’s a complicated ecosystem, so there’s no easy answer. The cybersecurity workforce shortage is the result of several trends and occurrences, including:

  • The cyber threat landscape is rapidly expanding, driving the demand for cyber professionals in all industries and businesses. In part, this is a supply and demand issue.
  • People leave the industry due to burnout. It’s a common problem in a high-stress environment, and most organizations aren’t doing enough to mitigate this. Without proper staffing, people have to do more work, which increases the feeling of burnout.
  • Younger generations aren’t choosing cybersecurity as a career. Only 12% of the cybersecurity workforce is 34 or younger. The industry needs to find ways to connect with students to attract new people into the field.
  • Many organizations place too much emphasis on degrees and certifications, which often don’t correlate to having the right abilities, aptitudes, and attitudes. As a result, companies reject those who could be a better fit but need some upskilling.

If the industry remains on this path, the shortages will only worsen. Intervention is necessary for the entire community. What you can do to ensure your data and networks remain under protection is to focus back on skills-based hiring.

The Cybersecurity Skills Gap

We can’t talk about the labor shortage without addressing the cybersecurity skills gap. It would be great if every cybersecurity job candidate had years of experience and an array of skills. However, cyber leaders agree that a skills gap exists. According to the same workforce study cited above, 55% of hiring managers say applicants don’t meet the criteria of being qualified. The deficit here includes:

  • Hands-on training and experience
  • Credentials
  • Degrees
  • Recommendations

These things don’t always indicate that the person can do the job. The same study also looked at specific skills with gaps, which are the ones that matter in terms of upskilling. The skills in demand and often lacking are:

  • Soft skills (e.g., communication, leadership, adaptability)
  • Cloud computing
  • Security controls (e.g., network, application, endpoint, implementation)
  • Coding skills
  • Software development-related topics (e.g., machine code, testing, languages, deployment)
  • Data-related topics (e.g., characteristics, collection, classification, processing, structure)
  • Network-related topics (e.g., architecture, networking components)
  • Pattern analysis
  • System hardening
  • Computing devices (e.g., software, hardware, file systems)

It’s a mix of soft and hard skills, but the latter was at the top of the list. It’s possible to develop both of these in an individual who has the desire to learn and evolve. Those abilities aren’t always apparent in technical folks. However, if they are willing and have a good foundation to start from, upskilling can be the key to keeping great people long-term and continuously improving.

So, what’s the upskilling plan?

Building an Upskilling Plan for Cybersecurity Job Candidates

The first part of the plan should start with a clean slate of qualifications. Define what is imperative and what someone can learn over time. Get to the root of what makes someone a good cyber professional and what attributes they should possess.

In upskilling, you’ll have two paths — technical and soft skill development.

Addressing Technical Upskilling

In looking back at the list of skills above, those in the technical category are pretty standard. That’s a good starting point, but you should also consider the future and add training around AI tools and use cases. The curriculum will evolve as the threat landscape does.

How will they learn these skills? You need to create a learning environment for employees. This can include hands-on training internally, certification classes that you determine as high-quality, and other resources. Making continuing skill development part of your recruitment and retention strategy can attract people to your company and ensure you keep high-performers.

The other part of this is soft skills, and the plan to develop these in technical folks can be more demanding and challenging.

Improving Soft Skills in Cybersecurity

Soft skill development is a path that requires commitment and consistency. It’s about behavior change, and there can be many growing pains. First and foremost, you want to find cybersecurity job candidates who are open to this. Sometimes that might not be obvious until you have a few conversations and try to understand what motivates them and if they can handle flexibility.

Transforming anyone into a better communicator and collaborator isn’t easy. With technical folks, it can be harder, as they often have fixed mindsets, see things as black-and-white, and believe they know all the answers. These people could have impressive technical prowess, but these attitudes won’t fit into a healthy culture where everyone is open and transparent. Are they lost causes? No, but again, they must want to change.

You can drive this change with guidance from the Secure Methodology™. It’s a seven-step process that I developed because of the soft skill deficiency and recognizing its value in creating and maintaining a strong cybersecurity posture.

The Secure Methodology: The Framework for Soft Upskilling

Here’s a preview of each step and how you can leverage it to improve the soft skills of technical people:


The guide starts with awareness, with the objective of being mindful of the self and others. When this is missing, people don’t see or understand how their behavior affects others. If this is rampant in a culture, conflict and resentment build. With exercises on reflection and perspective, people can get to a state of awareness that improves how they interact with others.


Mindset is crucial in soft skills, and every person on your team needs an open one. A person cannot change without it. Key to this is defining someone’s motivations and why they respond as they do. In this step, the 7 Levels Deep Exercise is a good foundation.


The third step is acknowledgment. There are several layers to this step. First, it encompasses feedback and its value to cyber professionals. Your staff wants to hear from you about accomplishments and how they are helping the organization. Not all feedback will be positive, and accountability matters, but you should do this in one-on-one conversations. Ensuring that your team feels appreciated and valued will prompt them to adapt with less friction.

Second is acknowledging that cybersecurity is difficult and filled with uncertainty. You set the tone of the culture, and if you do this well, your team will follow, enhancing their people skills.


Communication is the fourth step and the most essential soft skill for anyone. It’s never a bad investment to develop someone’s communication skills. Just be clear on what this means. Being a good communicator and articulate aren’t the same thing. Yes, what we say matters, but most communication isn’t verbal.

An excellent communicator is clear, concise, and transparent. They also recognize the needs of the audience and listen to them fully. Assessing candidates based on communication skills can involve prompting them to share real-life stories about how they used it to overcome challenges.

Listen for their use of geek speak or overly technical terms. This could be a red flag if they aren’t willing to drop the posturing.


Next is monotasking; it’s a soft skill you don’t hear much about. Most technical people have been doing the opposite — multitasking. Many believe this is a valuable trait. It is important to be able to juggle priorities, but blocking off specific time to concentrate on one task can make people more productive and eliminate feelings of being in fight-or-flight mode all the time. They will need to act quickly at times and move around priorities, but encouraging monotasking lets people think more critically and problem-solve more effectively.


In the Secure Methodology, cognitive empathy is the sixth step. This type of empathy is the ability to understand another’s feelings and perspectives. It’s crucial to a person’s ability to be a great communicator and collaborator. Much of this relates to stripping down egos and dynamics of “me vs. them.” You can’t have a successful cybersecurity strategy and team without empathy.

Human connection is vital in cybersecurity, and in this phase, you support people to become more empathetic.


The last step is kaizen. It’s a Japanese term meaning “continuous improvement.” It’s the step that never ends and focuses on adaptability and flexibility. When you reach this phase, your staff should be in a state where they want to continue to develop their soft skills and transfer them to others.

Upskill Cybersecurity Job Candidates with the Secure Methodology

The Secure Methodology provides a framework and tools to transform candidates lacking skills. It’s a proven way to change behavior, with benefits for the person and the organization.

Get more insights on each step by reading my book, The Smartest Person in the Room. You can also explore how to apply it in the Secure Methodology course.

How to Build a Cybersecurity Team from Scratch Using the Secure Methodology™

cybersecurity teamBuilding a cybersecurity team comes with many challenges. So many factors are impacting the ability to do this effectively and efficiently. The cybersecurity workforce shortage means more competition for talent, but you can’t be confident all those vying for positions have the hard and soft skills to succeed and thrive. On top of all this, the threat landscape keeps expanding as cybercriminals develop new tools and strategies to exploit weaknesses.

So, what can you do as a cybersecurity leader? As someone who’s been in the position, I have some insights to share on how to accomplish this. Keep reading for strategies, tips, and info about the Secure Methodology as a framework for constructing a cybersecurity team.

Steps to Take to Build a Sustainable Cybersecurity Team

Where should you start on this journey? Should you jump right into recruiting and hiring? I would urge you to first develop a strategy, define the tools you need, and create some principles for the culture you hope to cultivate.

To do this, follow these steps:

Acknowledge that cybersecurity is a people problem and let that guide your strategy.

It’s easy to blame the breaches and attacks in the cyber world on technology. Without it, there wouldn’t be an issue, but categorizing it only this way is a fallacy. Behind every attack is a person. Every defense also has human intelligence executing it, and most causes of cyber incidents relate to errors, mistakes, or intentions of someone.

It’s very much a people problem, and that fundamental principle should guide your team-building strategy. Yes, there are lots of great cyber tools out there that are leveraging AI and enabling automation. You need those, but the people charged with managing them need knowledge and skills to do so. Those skills must include soft ones, as the human issue in cybersecurity won’t find a resolution without staff that cannot communicate or collaborate.

There is a current soft skills gap in every industry, including cybersecurity. The people who are a good fit for your roles may not possess these. If they are curious to learn and motivated to evolve, they can be great additions to your team.

Ensure the bad guys are cybercriminals, not internal.

Another element of creating a cybersecurity team is to eliminate the “us vs. them” mentality that often happens between technical and business folks. You’re all on the same side, but much of that can get lost in translation. The business side may not take cybersecurity as seriously as they should, frustrating cyber professionals. There’s animosity on your side, too, as your team may resent others, especially when they have questions and challenges.

It’s critical to put the target back on the real enemy’s head. There must be balance and cooperation between business and technical groups. You don’t want to bring someone on who fails to understand the perspective of others. Employees like this will degrade the trust and credibility of your team and do anything to avoid being wrong. You can spot this in how they respond to queries about collaborating and if they do a lot of posturing.

Look for a wide range of skills.

You have to define the requirements you want in your team, which should include various abilities and aptitudes. In doing so, you have to shift your definition of qualified. The majority of cyber leaders believe applicants don’t have the right qualifications, according to the State of Cybersecurity 2022 report. What they say people lack includes hands-on experience and training along with credentials and degrees.

The hands-on part makes sense because you want people to have real-world interactions. One cannot get this without opportunity. It’s especially true for younger generations, who we need to join the field. These people could be bright and eager to learn, making them excellent hires.

Credentials and degrees can demonstrate skill sets but not always. Often, people look great on paper because of these achievements but lack the knowledge to apply what they learned in classes. The learning may also be insufficient, especially for courses that validate aptitude based on multiple-choice tests. You can only be confident in one thing for those passing these — they can memorize answers. Beware of these “paper tigers.”

Instead, use skills-based hiring models. This approach focuses on a candidate with specific competencies that directly relate to the work. It involves soft and hard skills.

Develop your recruitment strategy on skills-based hiring.

Building a strong, multi-dimensional team requires a mix of people. Not everyone has to be strong in everything. You can create a staff who can learn from each other and you.

With skills-based hiring, you can:

  • Identify people with abundant soft skills and a desire to improve their technical skills.
  • Find candidates who have familiarity in all areas of cybersecurity but don’t have real-world experience yet and develop them.
  • Attract people newly entering the workforce and those starting over, which can help you build that right mix.
  • Assess people holistically instead of only looking at their technical aptitude.
  • Reduce barriers for people getting a shot at a cyber career who didn’t attend college.

Putting together a team of cyber professionals in this manner can lead to a strong and healthy culture. It can also decrease risk and ensure that cybersecurity has a seat at the table to influence business decisions. You simply won’t be able to do that if you hire with bias found in the old ideals of “qualified.”

All these ideas and opportunities align directly with the Secure Methodology, which is a seven-step process of transforming people with purely technical and closed mindsets into great communicators and partners.

The Secure Methodology and Building Your Cybersecurity Team

The Secure Methodology is the foundation for creating and maintaining a team that thrives and is adaptable. I based it on my own experiences and observations of what was going wrong in cybersecurity, which is a people problem.

Here’s a glimpse of each step and how it can support your hiring strategy:


The process kicks off with awareness. It pertains to both self and others. Without it, people don’t understand the impact of their behavior on relationships and communication. It’s about opening up people’s blind spots.

Will every candidate already have awareness? And how do you evaluate this? Most people lack awareness to some extent, so it often requires development. You can assess someone’s state of awareness or willingness to get there by asking them to reflect and tell you about a challenging time and how they handled their interactions with others.


Mindset is critical for anyone’s ability to grow and evolve. Those with a fixed mindset will resist any type of change. It’s a problem for technical people because they desire absolutes, but cybersecurity is a dynamic and volatile field! It’s kind of a paradox, so be observant of how people communicate about themselves and their experiences. This can give you a good idea of how open their mindset is and if they’ll be a good fit for your team.


Next is acknowledgment, which you’ll want to make a pillar of your culture. Technical employees crave feedback and understanding of their place in the business. Of course, they must also be receptive to it because it won’t always be positive. You also want to know if someone can acknowledge the work and contributions of others within the group or outside of it.


The fourth step is communication, and it’s the most important concept when creating a team. We can’t do anything well without honest, transparent, and consistent communication.

Being a good communicator doesn’t just mean being articulate. In the world of cybersecurity, your team must be clear about what they need, the challenges they face, and what’s really happening in the threat landscape. They also have to be active listeners to be good collaborators.

You can likely assess someone’s communication skills within the context of your conversations. Look for those who can clearly express big ideas and don’t use geek speak. If they show signs of this and seem to be listening to you, it’s a good sign, and you can continue to help them master this skill.


Monotasking is the fifth step, and it means concentrating on one task or project at a time without disruptions. It’s hard to find anyone who monotasks much in the workforce, where we seem always to be doing five things at once.

You can talk about monotasking in interviews to see someone’s reaction to it. Do they think it’s bad for productivity or impossible? Emphasize that you believe it to be a critical component of the workday because it enables critical thinking and problem solving, which are two huge assets in cybersecurity.


Empathy is the sixth step, and in this connotation, it means the ability to understand someone’s perspective and feelings. It’s one of the hardest things for anyone to build, and yes, we must learn it. We are not innately empathetic. Achieving this can help with stress, burnout, and frustration toward others.

In speaking with prospective hires, ask them about a time when empathy would have been a good response to a problem. The answers they give can reveal a lot about their inner workings.


The last step is Kaizen. It’s a Japanese term that means “change for the better.” It never ends because continuous improvement is forever. When hiring, you want to put people on your team who believes in this approach to work.

Ready to learn more about the Secure Methodology? Start by reading The Smartest Person in the Room and explore the Secure Methodology course.

Does Your Cyber Team Truly Understand Your Threat Landscape?

cybersecurity threat landscapeCyber professionals often lack the full knowledge of the threat landscape because of their own fears, lack of perspective, and hubris. As a result of these blind spots, poor decision-making and more risk become a problem. This internal misalignment and struggle put your cybersecurity strategy and resilience in jeopardy.

The problem isn’t usually that they don’t have robust technical skills and aptitude regarding threats. It’s much more than that. To ensure your team understands the threat landscape, they must be more aware. Achieving this requires a commitment to change and adapt, which may seem like a goal that’s impossible to reach. However, there are ways to develop soft skills in cyber professionals with the Secure Methodology™.

In this post, we’ll discuss the current state of threat landscapes, the challenges that cyber teams face, and how the Secure Methodology can help evolve technical folks.

The State of Threat Landscapes

The threat landscape describes the complete ecosystem of cyber threats, both potential and known, for an organization. It’s a volatile, ever-changing environment, which means those in charge of cybersecurity must be adaptable and agile. There’s a lot of uncertainty, which can be difficult for technical professionals who crave the certain. This clash of mindsets is a hurdle you must overcome to succeed.

Additionally, some major trends are shifting and changing the threat landscape.

Cybercrime-as-a-Service Expands the Threat Landscape

A big trend in cybersecurity is the cybercrime marketplace, where hacking is now a managed service. Because of this trend, cybercriminals no longer have to be technical experts. It’s now a billion-dollar business, and the barrier to entry for hacking just got lower.

The threat landscape is now much greater, with hackers for hire that can lead to malware attacks, ransomware, more phishing emails, and cyber extortion schemes.

You may be surprised to know that cybercrime-as-a-service is very sophisticated. It delivers templates that are usable for content encryption, inspection blocking, and hidden URLs in attachments. So, the threats aren’t different; they are just more voluminous.

Cybercrime-as-a-service is a challenging concept to combat, and it requires technical people to look beyond the black-and-white of the cyber war. To defend against the increasing number of attacks, cyber professionals have to communicate with many parties effectively, understand the hacker perspective, adapt their mindsets, and be better collaborators.

AI Complicates the Threat Landscape

There is a good and bad side to AI in cybersecurity. It can be a valuable tool in identifying threats and responding to them. It enables automation around monitoring to augment human intelligence. Its capabilities as a mechanism to thwart attacks include:

  • Detecting fraud and anomalies
  • Filtering spam emails to reduce phishing attacks ending up in inboxes
  • Identifying botnets
  • Managing vulnerabilities
  • Allowing for better usage of anti-malware
  • Preventing data leaks
  • Boosting data automation and intelligence gathering

There’s also the downside, as hackers can apply the technology to expand the threat landscape. They can use it to gather data to better profile victims for social engineering. It’s also a means to launch ransomware attacks, which are becoming increasingly prolific. In fact, 89% of organizations relayed they were a target of ransomware in 2022. Hackers can use it to develop realistic phishing scams, create deep fakes for voice phishing, hide malware, and break passwords and CAPTCHAs.

Understanding the two sides of AI’s capabilities is critical for your cyber team to understand the entire threat landscape and what’s possible. Again, it will require some mindset shifts for them to include innovations in cyberattacks.

Identity Risk Becomes Even More Urgent

According to the 2023 Identity Security Threat Landscape Report, credential compromise was the top area of risk for respondents. Several factors are influencing this risk growth. Access for employees can have loopholes and not be adequately secured, something 63% of organizations said was the case.

Strategies to combat this beyond the foundational aspects of IAM (identity and access management) involve moving to a zero trust architecture. It’s the strategic approach of mitigating identity risk by eliminating implicit trust and transitioning to continuous validation. Applying this framework to this risk area will be a change for cyber professionals, but it gets them back to the core questions of: what are you trying to protect, and from whom? It simplifies a complicated landscape and can assist technical folks in evolving their perspectives and mindsets.

Next, let’s look at more challenges your cyber team may face regarding awareness of the threat landscape.

Why Are Technical Folks Blind to Many Areas of Threat?

As noted earlier, the blind spots often have little to do with technological knowledge. However, it can still be a problem. It’s a consequence of the paper tiger syndrome in cybersecurity. Paper tigers are people who appear very qualified on paper with lists of certifications. In reality, they don’t often have strong skill sets and are really just good at memorizing information for a multiple-choice quiz.

Most of the disconnect has to do with failings in soft skills. While many technical folks do a great job in communicating and collaborating, it’s also a gap for many. Here’s why it’s a problem:

  • Cyber professionals tend to think in black and white. Yet, most everything is gray. They have a fixed mindset that there is one correct answer and approach to threats without opening their minds to the changing landscape. It causes them to lose perspective on how hackers are planning attacks. It goes back to the idea of technical people being most comfortable with certainty, and they’ll need to shift to accepting the uncertainty.
  • Cyber professionals can have fears and insecurities about their abilities and don’t want that to be apparent to anyone. They have a misconception in their thinking that not knowing the answer is a sign of weakness. Except, the threat landscape is something no one could possibly know every corner of. To avoid this discomfort, they’ll posture in how they speak and be unable to listen to others.
  • Communication can be difficult for your team. They rely a lot on jargon and geek speak, which is alienating and condescending. Communication is the most critical skill your team needs, and its ongoing development is crucial to better understanding the threat landscape.
  • Communication isn’t easy for them, especially if they posture and use jargon. When they do, they alienate others quickly and live up to their reputation. Communication is the single most crucial skill a cyber professional can possess.
  • Technical people also often lack awareness of themselves and others. Many don’t even realize this, and it clouds their perspective regarding where threats are and how they’re changing. They may also be unable to comprehend the business side of things and how the threat landscape correlates to this. They believe themselves to be outsiders when they need to be collaborators.

All these things make it a challenging journey for cyber leaders and managing the threat landscape. You can find some support for developing the people skills of your team with the Secure Methodology.

Using the Secure Methodology to Address Threat Landscape Gaps

For your team to be in the best position to defend against threats, they need to work on their people skills. The Secure Methodology is a seven-step process for doing this. Here’s a preview of each step and how it can help address threat landscape gaps:

  • Awareness: Being aware of themselves and others is the first phase of the framework. It’s about opening them up to new perspectives — those of their peers, the business, and even hackers. Coaching and understanding motivations are key to turning the light on in technical folks.
  • Mindset: From awareness, you move to mindset. The idea is to move from a fixed one to a growth one. Cyber professionals have to free themselves from black-and-white thinking and embrace the gray. Reflection and accountability are essential in this step.
  • Acknowledgment: In this step, you play a big role. Being able to acknowledge team members for their efforts and work creates a more positive culture instead of one of blame. Positive reinforcement builds trust and rapport, which your team needs to be effective against threats.
  • Communication: Having these skills is essential in every part of a cyber professional’s job. When it’s absent or poor, risk and threats increase. Developing communication aptitude involves simplifying language, losing the geek speak, and learning how to listen.
  • Monotasking: Most people think multitasking is the key to productivity. It’s actually a concept that can lead to errors and mistakes. Encouraging your team to focus on one task at a time blocks out distractions and allows them to think deeper about threats.
  • Empathy: In this step, you want to help people be able to put themselves in the shoes of others. It builds on what they learn in awareness, mindset, and communication. A technical professional who has empathy translates to an excellent collaborator.
  • Kaizen: This is a Japanese term that translates to “continuous improvement.” By using this approach, you align with cybersecurity fundamentals to constantly improve defenses and strategies. It’s a continuous state of evolving and adapting, just like the threat landscape.

With these seven steps, you can build a team that’s more in tune with the threats of today and tomorrow. Learn more about how to apply it to your organization by checking out the Secure Methodology course.

Is Your Cybersecurity Budget Limited? How to Do More with Less

Cybersecurity - more with lessHaving to do more with less is a common quandary for any industry or department. When cuts have to be made, companies look for any opportunities, and sometimes limited funding can significantly impact operations and performance. Cybersecurity budgets are not immune from this. Even though organizations understand the gravity of investing in cybersecurity, they often have no choice but to curb spending.

As a result, you may not have the resources to hire more team members, adopt new tools, or complete major projects like migrations. It’s not a comfortable place for any cybersecurity leaders, but it’s also not something that has to paralyze your strategies and development of employees.

Let’s look at the state of cybersecurity budgets and how changes in the way you manage your team can help you do more with less.

The State of Cybersecurity Budgets

Overall, Gartner predicts that spending on security will increase by 11% through 2026. However, that’s a macro-level perspective. What’s happening inside your organization may not reflect this. You could actually see slight increases in your spending capacity, but that doesn’t mean you have “enough” budget. Factors like inflation and the need to be more competitive with compensation can quickly eat up any new dollars.

Additionally, more cyber spending doesn’t make threats or risks disappear. Strategically using your budget may, however. There aren’t enough dollars in the world to curtail the bombardment of cyberattacks companies face every day. That’s especially true for SMBs with smaller budgets and less human capital. They are often the target of hackers, as illustrated in the Verizon 2023 Data Breach Investigations Report. It documented 699 incidents in the year prior that occurred for companies with less than 1,000 employees.

SMBs are more likely to face limited budgets. Rising costs all around operations can impact spending more significantly than larger companies. No matter the size of the company or its capital, tightening budgets is a growing concern. So, how can you focus your spending on the areas that matter?

Where to Focus Your Company’s Limited Cyber Budget

There are several categories worth investing in to ensure systems stay secure. Those can include both human and machine intelligence. These are my recommendations for any SMB that needs to make the best decisions regarding cybersecurity spending.

Controls That Can Successfully Defend Against Threats

In order to know what controls will deliver the best ROI, you have to assess your threats and vulnerabilities. A risk assessment is a good first step in deciding on budget allocation. Once you have a picture of your position and the threat landscape, you can make data-driven decisions about controls.

Knowing more precisely how a hacker might try to infiltrate can guide you to controls that work best for those scenarios. A risk assessment is a good starting point or place to restart cybersecurity efforts. Then you have to make comparisons in the categories of controls you want to employ, looking at their features, costs, and other factors.

When building your tech stack, you’ll also have to consider the people you need to lead the efforts around controls and do further analysis based on data. When choosing those team members, assess their soft skills in the same way you do the hard skills. Leading such a project requires great communication, collaboration, perspective, and flexibility. Technical people often struggle with these things. So much so that it can increase your risk.

Next, you’ll finalize recommendations and move forward with procurement.

Protecting Public-Facing Applications

Whatever is in the public domain can be risky in cybersecurity. Vulnerabilities in these assets are the most common initial access technique hackers take. This part of your digital footprint is what the business side depends on for awareness, lead generation, and revenue. It’s a tricky situation that can often have different departments on two different sides of the argument. There are some ways to resolve this and another place to spend budget money—web application penetration testing.

Web application penetration testing is a method of simulating cyberattacks to access sensitive data. This test assesses all elements of your web applications—the architecture, design, and configuration. It’s inclusive of anything delivered over the internet through a browser interface. Hiring a firm to perform these tests should be on your budget list. Depending on your industry and compliance requirements, you may do these twice a year or more.

There are different options for web application penetrating testing: Black Box, Gray Box, and White Box. The differences are the levels of access the ethical hackers have. Most start with Black Box because testers know nothing about the company, so they’re just like hackers looking for public-facing information to exploit.

The more exposed your company is in the media and digitally, the more you could be at risk. So, earmark the budget for these exercises. Make sure they deliver the best value by remediating what the testers find and having conversations about how to avoid these things in the future. Conversations like these are essential for people to become better at their job and more connected to it.

Building More Redundancy to Deepen Your Defenses

The next area that should be on your budget is redundancy and contingencies. Ransomware is a bigger threat than ever, and SMBs have had their share of situations. The best defense will be prevention, which you’re investing in with controls and pen testing. These dollars are all about the “what-if” scenarios.

These redundant capabilities won’t have a connection to your main network. Keeping them separate is the best way to avoid malware spreading. Most attacks spread throughout the entire enterprise. Hackers are using command and scripting activity, which are also things you can monitor for and then be able to detect and respond to the threat.

Within this category of spending, you’ll have cloud computing, monitoring, hosting, and other fees associated with having redundant operations. Make prudent decisions about what needs to move over and what doesn’t. Work through scenarios and threat contingencies with your team to make decisions.

Behavioral Tracking with Advanced AI

AI is weaving its way into cybersecurity in many ways. Much of what AI can do is monitor and spot patterns or anomalies. The technology is advancing, and AI can now analyze data collected regarding online behaviors. Tracking the behavioral movements of hackers seems a little futuristic, but it’s the next logical step. This technology is really augmenting your team. The AI cleans up the data and gives raw results, which your team can decipher to continue to understand attack methods and defend against them.

There’s another way that AI is worth investing in with your budget.

Automation Increases Productivity and Has a Strong ROI

Automation tools that assist with managing, validating, remediating, and tracking your security should be on your budget. They leverage things like RPA (robotic process automation) and AI to deliver digital robots that can do a lot of manual, repetitive tasks so your people can focus on more strategic work.

There are many different things that you can automate. You’ll need to understand your end goal and the processes related to them to determine what to adopt. Some categories include:

  • Software updates for devices connected to the network
  • Tracking asset posture
  • Monitoring and alerting
  • Network Intrusion Detection Systems (NIDS)
  • Network Intrusion Prevention Systems (NIPS)
  • Security logging tools
  • Data aggregation

Focus on the most labor-intensive processes that rarely deviate when selecting automation tools. Get feedback from your team on the tasks they’d most like to move to automation when deciding where to spend these budget dollars.

Investing in Your Team in Traditional and Nontraditional Ways

Using cybersecurity budget dollars to upskill, train, and certify your staff is always a wise investment. For one, they become better at their job. They also can appreciate the acknowledgment that they are worth upskilling, which can support longer retention and less turnover. You can do this with those at all levels, from junior roles to senior ones. Cybersecurity is a dynamic, ever-changing ecosystem, and your good guys need to be learning more ways to outwit the bad guys.

Along with technical skills, you should consider helping them develop soft skills. They pay off just as much as hard ones. When technical people are better communicators and have greater awareness, everyone can be more efficient and effective. In such a high-stress environment, people that have people skills are immeasurably valuable.

So, how do you develop technical people into excellent communicators and collaborators? The Secure Methodology™ is a concept I created that includes seven steps to do just that. This kind of investment in people demonstrates that you want them to be successful and contribute. It’s a great framework for any cybersecurity leader to adopt. You don’t need a huge budget to do this. You’ll likely invest more time, but it’s worth the work. The return on this investment is positive for your people and the business’s ability to mitigate risk.

You can learn more about it by reading my book, The Smartest Person in the Room, and checking out the Secure Methodology Course.

Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology

cybersecurity jobsFinding qualified and skilled talent has been a struggle in cybersecurity for years. According to data, that’s only getting harder. Exasperating the cybersecurity workforce shortage is the fact that retaining employees is challenging. Cybersecurity workforce retention is as important as your recruitment strategies.

So, how do you keep cyber professionals on the job? It’s not an easy answer, as so many factors impact this. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make them stay.

The Cybersecurity Workforce Retention: State of the Industry

A study from the ISACA found that 60% of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:

  • Recruited by other companies (59%)
  • Compensation and incentives (48%)
  • Few promotion and development opportunities (47%)
  • The high stress of the job (45%)
  • No management support (34%)

Some of these challenges are easier to combat than others. Currently, cybersecurity jobs are greater than those available to fill them. A study estimated that over 3.4 million cyber jobs are available, which will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How they respond to this will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.

Compensation is another tricky area. Competitors may be offering more money. While that’s a critical part of why people work, money may not be the top factor in retention. Regardless, depending on their experience, role, and market, you should pay your team a fair wage. With the cost of living increasing, you must keep up with this.

Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.

Stress is inevitable in almost any job. Cybersecurity is a dynamic industry with fire drills all the time. Focusing on ways to destress workers should be part of your culture. It could be rewarding your team with social or team-building activities. Having an open door for employees to share their experiences with you and their stress can also be helpful.

Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.

Addressing these common reasons for turnover is critical for your organization because its impact is considerable.

The Impact of Turnover

An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone’s stretched thin. It’s easy to miss key things when someone is overwhelmed. Turnover also prevents your ability to be more strategic because you’re in a reactive mode versus a proactive one. Productivity suffers as well.

Turnover also costs you money. The average cost of hire is $4,700 and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.

Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.

Let’s see how each step can support retention.

Applying the Secure Methodology to Cybersecurity Workforce Retention

With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.

Step One: Awareness

Tapping into awareness is an important attribute to have in life and work. We all have blind spots, but some are bigger than others. Without being aware of these, there are consequences. It negatively impacts relationships and erodes trust. Without being aware, your team doesn’t realize how their behavior affects others and the environment. Things can become toxic very fast. If those things are lacking, it’s easy to see why some would want to leave.

Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:


Coaching is vital to broadening awareness. If you can open the eyes of your team in a conducive way, they may have “aha” moments. Shifting their stance from being self-centered allows people to get a better perspective.


Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.


Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.

Step Two: Mindset

There are two types of mindsets — fixed and open. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even if one in the group is this way, it can taint it for others. When we’re fixed, we refuse to move.

A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary for cybersecurity. Evolving a fixed mindset to a growth one is possible, but it requires commitment from you and the employee.

Some key results of a fixed mindset include:

  • The ability to reflect on situations and understand how to handle it differently.
  • Healthier and consistent communication.
  • A culture that welcomes growth personally and professionally.
  • Growth mindsets can be a significant reason employees stay with your organization.

Step Three: Acknowledgment

Acknowledgment is scarce in technical fields. Yet, it’s so crucial to retention. Your employees want appreciation for the work they do. Its absence is because most cyber leaders only respond to things when they go wrong. The small wins everyday matter so much to your people, so you must become vigilant about feedback.

Your approach to acknowledgment should include:

  • Being positive by looking at what went right first
  • Specificity in your feedback
  • Immediately offering feedback in the moment
  • Praise in public and relay ways to improve in private
  • Consistency in how you address acknowledgment

Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.

Step Four: Communication

Communication is part of every step in the Secure Methodology, along with having its own step. It is, without a doubt, the most critical part of a thriving culture and support to retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defense. They also suck at listening, the other component of communication.

This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:

  • Be honest and transparent as a leader.
  • Move away from overly technical language and simplify the message.
  • Encourage open discussion and dialogue that’s respectful.
  • Praise your people when they make adjustments in communication.
  • Practice active listening in exercises, so they grasp how crucial it is.

If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.

Step Five: Monotasking

Monotasking is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.

Step Six: Empathy

Empathy is a valuable quality to have. In terms of cybersecurity, cognitive empathy is essential for a healthy environment. It means that others can understand the feelings and perspectives of others. Without it, you have no team or human connection, and you need those to retain your people. All the things you put in place to get to this step support the building of empathy. Developing this in your team enables a trust factor and creates more satisfaction.

Step Seven: Kaizen

The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your cybersecurity culture, your technical folks will evolve and realize that this is where they can continue learning and growing.

Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, The Smartest Person in the Room, and viewing the Secure Methodology course.

Cybersecurity and Meaningful Work: Why New Generations Entering the Field Want Purpose

Cybersecurity Purpose - Christian EspinosaThe cybersecurity talent pipeline is facing the same challenges as many industries. A strong job market and low unemployment mean that many well-qualified professionals aren’t actively seeking new jobs. As a result, cybersecurity needs to look to the latest generation entering the workforce, Gen Z. Gen Z is a unique generation, which makes the ability to recruit and retain them much different. They have new ideas about work and that it should be more than a job and provide them with purpose and fulfillment—a trending topic in the world of HR known as meaningful work.

In this post, we’ll examine the Gen Z demographic, what matters to them, the concept of meaningful work, and how cybersecurity leaders can use this information to connect with a new generation of workers.

All About Gen Z and Their Entrance into the Workforce

Gen Z describes individuals born between 1997 and 2012. They currently make up almost 21% of the U.S. population. The oldest of this group have entered the job market, with many more to come in the next few years.

Gen Z is described as the most racially and ethnically diverse generation. They are also digital natives who have had a device in their hands most of their lives. This demographic has also been through many major events during their young lives, including the war on terror, a major recession where they witnessed parents and family members lose jobs, and the pandemic.

All these factors shape how they view work and what’s important to them. They are often adamant about work-life balance, flexibility, autonomy, and having modern technology as part of their job. In addition to these expectations, they also want to work for organizations that share their values. In fact, 77% of Gen Z said this was important in response to a survey conducted by Deloitte. Another thing they value highly in an employer is diversity, equity, and inclusion (DEI), which 87% agreed was critical when considering jobs.

Gen Z also cares about company culture. Cybersecurity should be very culture-focused, which could entice them. Overall, they want to work for a company that cares about their well-being.

Work for them isn’t about a “grind” or purely a transactional relationship. They desire meaningful work, and if it’s not present, they’ll have no problem moving to the next opportunity. Long gone are the days when employees worked for a single company their entire lives.

As a cybersecurity leader, ingesting this information about Gen Z may give you pause. Yet, they have some key attributes that make them attractive as workers beyond technical skills.

How Gen Z Workers Can Benefit Cybersecurity

Gen Z had a big head start on technology aptitude. It’s been part of their lives forever, and they’ve been early adopters. Beyond these skills, cybersecurity leaders are placing more emphasis on people skills, which is the central message in my book, The Smartest Person in the Room. These can be very hard to develop in older workers that have been in the industry for years.

The nature of Gen Z’s life experiences naturally predisposes them to value being communicators and collaborators. The stereotype of this group as never putting down their phones and being detached in communication isn’t accurate. They do love tech and spend lots of time on social media, but it’s not their entire personality.

Since they sincerely care about the world around them, they also understand the value of having strong interpersonal skills. Some might not be as confident in soft skills, but they won’t “fight” you on realizing the need to develop them as older generations may. As a result, they may be more amenable to participating in exercises, programs, and activities that will help them cultivate better people skills.

All these things make Gen Z an attractive group for cybersecurity careers. The onus of making your industry and company appealing has a lot to do with meaningful work.

What Is Meaningful Work?

Meaningful work is a newish concept in the world of HR. Its definition is somewhat flexible because “meaning” is subjective to an individual. The idea is universal in that it means that an employee believes the work to be important for the greater good and is part of something. As a result, workers are motivated and engaged in what they do.

Another aspect of meaningful work is that employees can use critical thinking skills and be problem-solvers versus taskmasters.

Both align with a career in cybersecurity and what Gen Z wants in a career. In the end, meaningful work is good for workers and businesses.

For example, employees who engage in meaningful work from their perspective may positively impact their mental health, something Gen Z is serious about. Healthier employees typically have fewer absences than their depressed counterparts. They’ll also be more engaged in building a strong cybersecurity culture and collaborating to do great things.

An environment of meaningful work supports retention, as well. The attachment that occurs in this situation delivers tangible benefits. Companies can see 50% less turnover and a 56% increase in job performance.

It can also deter burnout, which can be a problem in cybersecurity. It’s a high-stress field with many risks, threats, and stakeholders. If you have a team that feels the work is meaningful, that you and the organization value them, and is a culture that’s inclusive, you have an advantage over others. As a result, you’ll be a more attractive option for those entering the field.

So, how do you promote your company as one that delivers meaningful work?

Attracting Gen Z with the Promise of Meaningful Work

There are a few key strategies to consider when recruiting Gen Z and using the angle of meaningful work. First, it’s essential to know that Gen Z is proactive in their job search. For those in college, a quarter of them began job searching in the first two years. Second, they seek internships to get experience for the future and test out a field to see if it’s a good fit. Taking this into consideration, here are some ideas.

Partner with Universities and Community Colleges to Find Talent

Get to Gen Z while they are still learning by creating relationships with educational institutions. It’s an excellent way for students to become aware of your company. This can lead to mutually beneficial internships. The first impressions that Gen Z has about your company will matter, so talk about culture and how much you value interpersonal skills as much as technical ones.

Add Meaningful Work to Job Descriptions

Most cybersecurity job descriptions are dry and standard. It looks like a computer wrote it! Gen Z will not respond to this, as they value authenticity. Be honest in how you position your roles. Yes, it’s important to talk about technical skills, but you can also include that meaningful work is part of your organization and that you provide an environment where people can learn and grow.

Tap Your Current Gen Z Employees for Referrals

If you already have Gen Z workers on your team, talk to them about referrals. Ideally, if they are happy with the company and the work, they’ll be up for this. A referral is better than most applications for both parties. For you, it’s a sign that your employee vouches for them. For the candidate, they’ve heard about what it’s really like to work for you and weren’t discouraged by what they learned.

Once Gen Z becomes part of your group, you have another consideration that makes or breaks. How will older generations react to them?

Is Your Team Ready for Gen Z and Meaningful Work?

If you’ve made meaningful work a priority, then your current employees know this. However, it’s not going to matter to all of them. Some are still stuck in old perceptions about cybersecurity. Their “meaning” is that they are the smartest, most capable technical people. If that’s your current predicament, there will be some friction.

In a way, you have to prepare them for the entrance of Gen Z, which will require that they work on their people skills. Hopefully, they’ll realize this process benefits them in many ways. However, it involves change, and resistance is inevitable. Through the Secure Methodology™, which I developed in my book, you can find a seven-step guide on how to transform these outdated mindsets.

They’ll be helpful for all your employees, regardless of their generation. The way they respond and their effort will vary. Ultimately, you’re trying to work as a cohesive team that respects each other, cooperates well, communicates clearly, and can find meaning in what they do.

The journey ahead will be challenging at times. You have a chance to make a real difference in the lives of your employees and your company’s ability to manage risk and mitigate threats. Use the Secure Methodology as a blueprint to do that. Get the entire message by reading my book and check out the Secure Methodology course, as well.