How to Identify Staff for Senior Infosec Roles

Identifying top-tier talent and ensuring their advancement through coaching, development and promotion is essential to building a mature security organization. This piece explores the various criteria that determines whether an individual is ready for promotion or advancement on your Infosec team.

The Great Cybersecurity Talent Shortage

The last decade saw an explosion of cybersecurity threats and breaches, and a consequence of that is a heavy demand for cybersecurity professionals. However, this demand has not been met by a corresponding supply of cybersecurity workers needed to secure assets effectively.

Because of this supply/demand gap, some sectors, like fintech and healthcare, tend to get very competitive, which compounds the severity of this issue for smaller organizations and other sectors that have limited resources. In addition, the work-from-home lifestyle, online school and a much heavier reliance on e-commerce as a result of the COVID-19 pandemic have driven the demand for cybersecurity professionals even further.

While recent rounds of workforce reductions have stabilized the talent shortage, great cybersecurity talent is always in demand. Therefore, it is important to identify the top-tier talent in your organization and put plans in place to ensure they have a career path and advancement based on readiness. In the absence of that, dissatisfaction creeps in, which leads to the loss of key talent.

How to Develop Cybersecurity Talent Ready for Promotion

In addition to developing current cybersecurity talent, you should also ensure you are building and sustaining a good talent pipeline. This involves attracting, recruiting and retaining qualified candidates for cybersecurity roles, as well as creating career pathways and advancement opportunities for them. Some key things to consider in this respect are:

• Assessing the needs of the organization: It is important to identify the current and future workforce needs of your organization. The NIST Workforce Framework provides great guidance on how to structure your cybersecurity workforce and how to determine which skills your organization needs.
• Creating a learning environment: To create a very effective cybersecurity organization, it is important to create a learning environment where the talent continues to grow and advance. The following are some aspects that can help with this:
• Mentorship: Ensure your promising team members are paired with great mentors. In some cases, it may be important that these mentors are from outside the security department because it can help with the development of cross-functional skills.
• Rotation: Rotating assignments is a tactic that many organizations employ to develop junior talent’s broad understanding of the company. This entails rotating an individual across several different areas of the company temporarily before their final placement (for example, a fresh college graduate may be rotated quarterly across security engineering, security architecture, SecOps and AppSec). This supercharges their development and helps junior employees better understand where they fit in the company.
• Certificates and training: High-quality certifications and trainings help advance the skills and acumen of the staff. This can include different domains and levels of cybersecurity, such as network security, ethical hacking, cloud security or cybersecurity management. You can also encourage your staff to pursue industry-recognized certifications, such as the CISSP, Certified Information Security Manager or Certified Ethical Hacker, that validate their skills and knowledge.
• Promoting career development: This entails aligning career goals with the needs of the organization. This should be formally tracked within the performance management system of the company.

Download: The 2023-2024 Cybersecurity Staff Compensation Benchmark Report

Determining Infosec Promotion Readiness

Determining promotion readiness doesn’t need to be hard. The key is to be as formulaic and objective as possible to prevent misunderstandings between manager and employee. The following are some suggestions in this respect:

• Job leveling: It is important to have a standardized job level in the company. Most HR departments have access to standardized criteria which provide critical information in this area. For example, below are six levels for cybersecurity:
  • Level 1: Entry
  • Level 2: Developing
  • Level 3: Career
  • Level 4: Advanced
  • Level 5: Expert
  • Level 6: Principal
• Each of these levels has well-defined criteria associated with it. For example, someone who is at Level 4 Advanced is expected to work on complex issues where analysis of situations requires in-depth evaluation of variable factors and requires exercise of judgment. When evaluating someone for promotional readiness, you can examine whether the criteria for a certain level has been met.
• Cross-team collaboration: Cybersecurity is a collective endeavor, and implementing effective security measures requires the cooperation of multiple cross-functional teams. For example, an application security engineer must work closely with developers across the enterprise, or an infrastructure security engineer must work closely with network engineers. That’s why a key criterion for promotion to senior levels is the ability to collaborate across the enterprise.
• Advanced communication skills: Effective communication helps cybersecurity professionals work closely with other departments and teams, and it helps them explain complex technical concepts in a way that nontechnical stakeholders, such as business stakeholders, can easily understand. This is one of the biggest challenges and gaps in many information security teams. An individual who excels in this respect is demonstrating a key aspect of readiness necessary for advancement.
• Leadership of complicated initiatives: Security initiatives tend to be complex. For example, deployment of user and entity behavior analytics requires understanding of all identity and authentication systems used by the company, as well as what anomalous behavior looks like. Individuals who can weave a solution while taking advantage of the expertise of these platforms are demonstrating they can handle complex business needs and are driving success of the company.
• Innovative problem-solving skills: Cybersecurity challenges are oftentimes unique in nature. Most organizations face ever-evolving adversaries who are continuously attempting to work around the organization’s security controls. An example of this is attacks conducted through bots. Constant and rapid innovation is required to manage such attacks. Individuals who bring this level of innovation are few and far between. So, this should be a key factor in determining promotional readiness.
• Performance-tracking system: It is important to document the goals and objectives of an individual in the performance tracking system and align with the employee on the criteria that needs to be met for promotion. That makes the discussion objective and reduces the friction between manager and employee.
• Certifications: Well-respected certifications, such as CISSP, Certified Information Systems Security Manager, Certified Secure Software Lifecycle Professional, Offensive Security Certified Professional, etc., are an indication that an employee has mastered a discipline and has broad knowledge of various domains of cybersecurity. It also makes them more attractive in the marketplace. This can be a part of the training/development regimen of an employee, tracked within the performance management system, and an objective criterion for promotion.
• Feedback loop: It is important to get a 360-degree understanding of an employee by getting feedback from the key stakeholders of the employee—peers inside the organization, peers outside the organization, business stakeholders, etc. This helps identify both strengths and opportunities and can be used as an effective means to level set with the employee on criteria that must be met for promotion.

Recommendations for Infosec Promotion Support

Promotions can be a contested affair in many enterprises due to budget limitations. The readiness of an individual alone may not suffice to get the individual promoted; finance, HR and other stakeholders may need to sign off on the promotion, too.

That’s why it is important to socialize the promotions well in advance of the actual request. Make sure you are partnering with your human capital partners on the development plans of your employees and that they are a supporter of the promotion request.

It also helps if the organization generally understands the criticality of the security function. Some actions that can be done to advance this cause are:

• All-hands meetings
• Security ambassadors to champion in different areas of the enterprise
• Recognize and reward key employees in public forums
• Include your staffing plans in board meetings

Best Practices to Promote Top Infosec Staff

Recognizing, rewarding and promoting key talent is a crucial aspect of building a great infosec team. To make this happen:

• Focus on cybersecurity talent development: Development of talent is a foundational element and a precursor to promotions. Focus on understanding the needs of the organization, mapping career development to those needs and creating a learning environment.
• Use defined criteria to promote individuals: Take advantage of the performance tracking system and clearly outline goals and objectives with well-defined metrics and measures. This leads to common understanding between employee and management and shows the path the employee needs to pursue.
• Determine promotion readiness: Look for signs of readiness for promotion such as excellent feedback from the stakeholders, cross-team collaboration, great communication skills, stellar problem-solving skills, etc.
• Build the support structure in the enterprise: It is important that proper financial and other accommodations have been made to support the promotion of employees who are ready. Toward this end, create strong relationships with company executives, finance, business and board.

To provide first-hand insight into staff compensation and satisfaction, IANS and Artico Search, fielded a new Staff Compensation and Career survey which captured responses from 563 cybersecurity staff across a range of industries and company types in the U.S. and Canada. This report presents insights from the survey, including staff compensation data, staff diversity, work-from-home expectations and job satisfaction.

CISO Compensation & Security Budget Benchmark Reports

Each year, IANS, in partnership with Artico Search, releases a series of benchmark reports on CISO compensation, security budgets, key security staff compensation and job satisfaction.

These in-depth reports feature new takeaways, uncover a wealth of insights and provide valuable leadership guidance to fine-tune your current role, department and career path.

Download our 2023-2024 Cybersecurity Staff Compensation Benchmark Report – the fifth in our series – for additional insights and data for hiring and retaining staff within the security organization.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.