Strategic approaches to talent: A practical guide.
Jun 17, 2025

Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.

Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.

At 650 words, this briefing is about a 4-minute read.

Assessing Talent.

When hiring new employees, organizations often struggle with how to strategically acquire cyber talent in ways that truly strengthen their teams and overall security posture.

While seeking certifications and previous experience can be helpful, these requirements do not always address current organizational needs effectively. Too often, hiring efforts rely on job seekers interpreting vague job descriptions and hiring managers making decisions based on unclear evaluation criteria, leaving both job seekers and managers frustrated.

In recent years, talent acquisition has shifted from this frustrating process to one that emphasizes skills-based hiring. That is, instead of emphasizing a candidate’s qualifications, postings focus on listing skill keywords, often alongside degree criteria.

This shift has already begun to gain traction across both government and private industry. At the White House’s 2024 cyber workforce event, Leidos detailed its pledge to the White House and how the company intended to pivot to using skill-based hiring. When pledging, Lynsey Caldwell, Leidos’s cybersecurity workforce program director, stated that their “pledge addresses critical challenges in cybersecurity and will help us enhance security, promote innovation and future growth, and foster collaboration among private, public, and educational organizations.” Alongside Leidos’s pledge, agencies like the Department of Energy, the Office of Personnel Management, and the National Science Foundation adopted this approach.

Notably, this strategy does not solely involve hiring new employees but also centers around upskilling existing employees. Leidos's strategy involves implementing the following recommendations to prioritize this skill-centered approach:

  • Developing a skills taxonomy and clear career pathways for cybersecurity professionals.
  • Using learning and development activities to upskill and retain cybersecurity professionals.
  • Exposing existing employees across the organization to existing cybersecurity jobs.

While this skills-based approach requires pivoting strategies, the theory revolves around the idea that simply hiring more people does not result in a more defensible organization. Rather, by addressing skills gaps, whether that be through upskilling existing talent or strategically acquiring new talent, organizations can be more productive and effective. 

One of the most underutilized tools that can support this shift is the NICE framework, which details and standardizes existing cybersecurity roles and their associated technical competencies.

The NICE framework.

The 2024 SANS/GIAC Cyber Workforce Research Report assessed this theory. One of the report's key metrics revolved around assessing hiring practices. When surveying cybersecurity managers, SANS found that:

  • 37% of cybersecurity managers believe that HR could better support security efforts by better understanding cybersecurity roles.
  • 17% of managers identified a way that HR could better support hiring efforts.
  • 14% of cybersecurity managers emphasized the need for improved collaboration.

This gap is representative of the value of skill-based hiring. By identifying tangible skills, hiring managers and cybersecurity managers can clarify what the organization needs and identify more valuable candidates. One key way to do this would be through using the NICE Framework. SANS found that a “wider adoption of the NICE Framework across an organization could facilitate communication and collaboration between HR managers and cybersecurity professionals, benefiting both managers and employees cohorts and the organization’s security as a whole.”

However, despite the value of the framework, it has not seen widespread usage. SANS found that of the respondents:

  • 56% did not use the framework
  • 30% were uncertain about whether they used it
  • Only 14% said that they used it

Despite the growing movement to adopt skills-based hiring practices, frameworks like NICE remain underutilized. By adopting structured tools like NICE, or at a minimum clearly defining the skills needed for each role, organizations can more effectively identify talent, close capability gaps, upskill current employees, and create a stronger, more resilient cybersecurity workforce.