Published 02. Jun. 2023

Former TikTok CSO: How to Tackle the Cybersecurity Talent Shortage


The number of open cybersecurity jobs globally is predicted to reach 3.5 million by 2025, marking a 350% jump over eight years (Cybersecurity Ventures). As the cybersecurity talent shortage continues to be a hurdle for CISOs and their peers, what measures can they take to empower and engage current employees? What can they do to find and attract cybersecurity professionals from an ever-shrinking talent pool?  

We speak with Roland Cloutier, former CSO at TikTok, on why it’s difficult to search for cybersecurity talent, how to adapt to the shifting expectations of today’s young workforce, what cybersecurity leaders can do to make their efforts visible to the rest of the organization, and more.  

*This article recaps Roland Cloutier’s presentation at the session, The Employment Gap: New Approaches Hacking the InfoSec Talent Shortage. 

 
With over 25 years of experience in the military, law enforcement, and commercial sector, Roland Cloutier is one of today’s leading experts in corporate and enterprise security, cyber defense program development, and business operations protection. As former Global Chief Security Officer of ByteDance & TikTok, he brought in-depth understanding and knowledge of global protection and security leadership to one of the world’s largest leading media, social, and online technology companies.
 

WHY IT’S HARD TO FIND CYBERSECURITY TALENT

Cybersecurity is a demanding career field involving working odd hours and 12-to-16-hour days. Cloutier comments that only a special group of people can take on that level of mission-focused fight daily. One of the reasons he loves the cybersecurity field is that every day is different. However, this line of work is not for everyone. “The problem solving and understanding the deep issues is never fully complete or transparent. You have to dig for those answers. We hear that a lot from people that don’t end up going into cybersecurity.”  

Cloutier cites these reasons as contributors to the talent shortage:  

BROAD, SPECIALIZED, AND ALL-ENCOMPASSING 

Cybersecurity has so many specialized areas including cyber defensive operations, incident response, threat management, threat detection, content development, privacy enforcement groups, data defense, and more. “There are so many different aspects that require technical specialties. It’s hard to find talent for all these specific areas.” 

DIFFICULT TO UNDERSTAND  

“It’s difficult to understand what we need as leaders in this career field, to figure out how to make it easier to understand, and what type of further career programs to have.”

SUPPLY AND DEMAND 

Cybersecurity professionals must be highly technical, university-educated, and trade-certified individuals to accomplish the field’s level of depth and understanding.  

“We’ve got an uphill battle in front of us. But there are a lot of incredible possibilities, especially with today’s new, young, and dynamic workforce.”

 

HOW TO FIND CYBERSECURITY TALENT  

HAVE A 10-YEAR PIPELINE 

Although the average job lifespan of a global CSO is two to five years, Cloutier advises cybersecurity leaders to have a 10-year pipeline when it comes to finding talent. “In the U.S., it starts in junior high school, and funding organizations in STEM with a cyber flair that are focused on bringing people to the company and understanding the cybersecurity field.” 

GO WHERE THE TALENT IS 

“Sometimes we’re focused on a city that our corporation is in, but if the talent isn’t there, work with your business to open a center of excellence in a different location. Reevaluating your locations every one to three years is important to make sure you know where these cyber practitioners are gathering or graduating from.”

IMPROVE UNIVERSITY ALIGNMENT 

Cloutier stresses that university partnerships must be continually aligned with organizational needs. Universities need to have the right disciplines within their undergraduate and postgraduate programs. “We want people to want to come to our companies. Large MNCs should have partnerships with two to four universities. The selection is small enough to directly manage those relationships.” 

RECRUIT FROM THE MILITARY AND GOVERNMENT 

He adds that many government agencies and militaries today have major cyber programs, cyber commands, and cyber defense organizations that train competent practitioners. “They may not have a traditional path to where they are, but they are great personnel that you can choose from. In Europe, organizations like Europol and Interpol have cyber specialists that come from law enforcement or the military. They have real-life experience and can support your team greatly.” 

 

CHANGING WORKFORCE DEMOGRAPHIC AND REQUIREMENTS 

HUMAN CAPITAL MANAGEMENT (HCM) 

Cloutier stresses the importance of having a designated HR specialist for finding and engaging cybersecurity talent. “The HCM has to become a cornerstone of our organization to ensure that not only are we hiring and retaining people, but implementing programs as part of the business of security to ensure our teams are cared for.” He also mentions that the average age of today’s workforce is getting younger. “How do I engage with that workforce? Who are they and how do they want to be engaged?”  

METHODS OF ENGAGEMENT 

It’s as simple as sending out a survey to find out how the workforce wants to be engaged. Cloutier says that engagement in the past focused on one-on-ones and direct opportunities to listen to the leadership. He adds that the younger workforce wants weekly engagement on a more flexible basis. “You have to understand your workforce to find out what they are interested in. Engaging with your practitioners is something that all organizations should measure.” 

“Cybersecurity professionals understand the concept of good and evil, and they want to use their technical skills to do good things and see the impact of their work.” 

A JOB FAMILY THAT REFLECTS ORGANIZATIONAL NEEDS

“Does your job family reflect the requirements of your business? Face it, none of us have firewall engineer one-on-ones or old network security job positions anymore. We have cloud security engineers and risk and threat analysts. These are very different job descriptions. We have to make sure that our job family reflects that.” Cloutier adds that today’s workforce wants to join organizations with forward-thinking and leading capabilities. For example, what is the path of an analyst who wants to become a CISO? “It’s important to have programs in place to train, educate, and elevate them into the next generation of the job family.”

TRUST IS ESSENTIAL  

“As a leader, people are going to trust you when they understand what you’re doing. But that has to be transparent for both good news and bad.” Trust, transparency, and articulation are also important to get employees to believe in the company’s mission. “When I was at TikTok, I was there to allow freedom of speech and expression for people around the globe. We embed these concepts as a mission primer and continue to deliver our cyber risk and privacy services with a focus on that. If you can align what an individual is doing to that mission and articulate it to them, you’re going to have a happy employee that’s engaged in that mission and moving it forward.”

 

LEADERSHIP MATTERS, ALWAYS 

“There are many practitioners that have followed me from organization to organization over the past 20 years. When I asked why they stay, they say that they like working with my leadership and that I empower them to do their jobs well. Continuing to deliver that commitment to engage and be a positive leader is something that’s important to me.”

Cloutier also highlights these areas for leaders to prioritize: 

VISION, KNOWLEDGE, TRUST 

“Those who work for us don’t always understand the decisions we make or why, so there’s pushback. But if you share that knowledge and vision of where you’re going, it creates trust and helps them become successful in the organization. Building trust is a major component of that.”

LISTEN, ENGAGE, ACT, COMMUNICATE 

Listening is the most important and the hardest. “We’re fighting incidents, we’re trying to gain budget to tackle hard problems. These things take up our time. But stopping and listening to the beat of the organization and what they’re saying is going to make our jobs that much easier.” 

WEEKLY TOUCHPOINTS 

“With a new workforce, spend 30 minutes a week with the entire organization, a stand-up where they can dial in to ask questions. It really works. I know large global organizations record it and play it for teams that are in different time zones.”

 

INDIVIDUAL SUCCESS = ORGANIZATIONAL SUCCESS  

“It’s hard to find people and keep them. But when word of mouth goes out that people can be successful in your organization and grow their careers, it’s fantastic,” Cloutier says.

Individual success can translate to organizational success through consistent work in these areas:  

EDUCATION 

“We can’t send hundreds of people to events all over the globe, but we can buy a package of online-based training for our organizations where everybody gets an opportunity to learn. Consider education as a primary requirement in your budget process.”

RECOGNITION 

“People want to be appreciated by their peers for doing great work. Doing that on a frequent basis really helps drive team camaraderie.”

FUTURE LEADERS AND RISING LEADERS 

“I look at programs that focus on management — from individual contributors to management, and management to next-level executives. There should be special security-focused programs that are either six months or a year that provide training to make them next-generation effective leaders.”

COMMAND STAFF EXCELLENCE 

“The requirements of leadership have continued to change. Understand the changes in the industry, technology, and investment theories for security programs. Your command staff wants to work for a leader that looks out for them.”

 

BUILDING BUSINESS TRUST 

For cybersecurity leaders in a high-functioning organization, a lack of understanding from business-minded colleagues can put pressure on their teams. Therefore, Cloutier says that building programs that drive business success is vital.  

“We have a responsibility to our people to help build trust with the remainder of the organization.”

PROGRAMS THAT HELP DRIVE SUCCESS 

“Discuss the strategic pillars your CEO has set out with your team. What can your organization do to help accelerate that? How do you promote that internally to show that you’re driving the business forward?” 

PROMOTING ACROSS BUSINESS LINES 

“Do you have an incredible technical leader who can do great things as a CIO or CRO? Consider doing these swaps where they can get promoted and be fully engaged in those departments.” 

ORGANIZATIONAL EFFICACY, METRICS, AND TRANSPARENCY 

“Make sure you’re driving your organizational effectiveness, not just standard metrics. How are you ensuring you’re meeting the requirements of the organization financially? How are you delivering that transparently to the rest of the executive team in your organization?”

 

KEY ISSUES TO ADDRESS URGENTLY 

RETURN-TO-WORK AND WORK-FROM-HOME POLICIES  

“Practitioners can work from wherever they want. You’re in competition with security, risk, and privacy practitioners that can work from home. Many major multinationals are now taking their analysts and IR teams and allowing them to totally work. It’s really up to you and your organization to have a plan that is fair.”

CHANGE OR BE CHANGED OUT  

“The same job isn’t going to be there in the next five to 15 years. Make sure everybody understands the expectations of the next-generation job, what positions they should be focusing on, and what are their requirements. You have to get people comfortable with change in their career field and force them into it. If they can’t do defense operations in cloud or work around data, it’s going to be problematic. We have to push people in these areas and plan for it.”

STRESS 

“Organizational stress has always been there. We need to make sure that we’re swapping people in and out, and that we’re giving time off and down days for training. When it comes to self-stress, make sure you’re physically and mentally fit. We all have ups and downs. This job is extremely taxing. Be a leader who takes time off so that you can maintain that level of pressure and high output.”
