It’s always been difficult to find and recruit a good hacker when you need one. But, as threat landscapes and cybersecurity approaches have evolved for Canadian organizations in recent years, the growing gap between available talent and understood roles has resulted in what a recent Deloitte report called a “chronic shortage of cybersecurity talent.” That study found that Canadian organizations would need to recruit 8,000 new cybersecurity roles between 2016 and 2021, but even in 2020, the gap is proving exceedingly difficult to close. The talent is out there, though perhaps hidden in bedrooms or languishing in other less-suited roles. The problem is that approaches to training, recruitment, and strategy have not yet caught up to real world needs.
Within organizations, cybersecurity policy and practice have traditionally been the province of IT departments, and largely in a reactive capacity. Today’s most effective cybersecurity teams stand alone from IT and are present in conversations from the C-Suite on down. Security is not simply an operational matter, but a strategic and existential one. As organizations shift broadly towards a Governance, Risk and Compliance (GRC) approach, cybersecurity becomes not just a job responsibility but a priority throughout the organization, with budgets and reporting pathways separate from day-to-day IT operations.
Building a new kind of cybersecurity team for today’s modern business means more than just convincing reluctant talent to come on board—it requires changing internal expectations and assumptions, and standardizing at an industry level to get the right training and recruitment pathways in place. Teams need to be built and recruited through long-term strategic planning, rather than in response to reactive, incident-based concerns.
So, as organizations are finding an insatiable demand for new roles they never previously knew they needed, how do they create and find the right talent for these brand new roles, and build a long-term structure with clear pathways for development? How do they even write a job description for roles that have never existed for them before? The answer, on an industry level, is an important move towards standardization.
Beyond outmoded job descriptions, towards human-centric standards
The non-traditional nature of many of the key roles in a modern security team can make recruitment extremely difficult. Current training pathways in Canada don’t necessarily lead toward clear and obvious certifications that match the required responsibilities, and students don’t necessarily understand the expectations of these new roles. As it stands, you can’t write a job description with a list of qualifications and skills, or years of industry experience, and simply expect to find the right match with these basic search criteria.
Instead, a recruitment approach needs to begin with a thorough assessment of needs and existing skill sets within an organization. Deloitte calls for an approach that’s “human-centric”—in practice, we think this is pretty simple to articulate: you’ve got to understand who can do what, and what you need that they can’t do. What an organization needs most to help build this kind of approach is the same as what educators and recruiters need—a robust standardization of roles and requirements in a manner that’s flexible enough to work across industries and existing workflows.
In Canada, these much-needed standardization efforts are being led by Technation (formerly ITAC, the Information Technology Association of Canada) in a multi-year, all-stakeholder process. The Technation efforts build on the hard work already done by NIST in the United States to develop the National Institute for Cybersecurity Education (NICE) framework, codifying national occupational standards (NOS) tailored to unique Canadian industry needs and regulatory requirements.
What should a modern cybersecurity team look like?
The NICE framework is useful but extremely complex and tends to be best suited for large and varied institutions. Technation’s efforts aim to simplify it in a way that encourages more flexible and realistic implementation within businesses of all sorts. The approach we outline here is ADGA’s own, informed by the Technation process but based on our interpretation of what works in today’s market. As the standards settle, we hope to see them similarly reflect real world operational and strategic concerns.
The modern cybersecurity team should not be considered simply in terms of offensive and defensive roles—a division that typically emphasizes reactivity more than strategy—but rather five key categories of responsibility that carry throughout all aspects of an organization’s operations, regardless of business sector, while encompassing a range of technical and non-technical roles.
We have listed a range of example roles under each category—roles would not be limited to those listed here.
The challenges of attracting talent
As it stands, if you’re looking for these positions, you’re probably not going to find them via traditional recruiting methods. It will take many years before standardization efforts settle and search criteria can more easily match skills according to defined NOS.
Right now, many people uniquely suited for these roles simply aren’t applying for traditional jobs, or looking in the same spaces where organizations know to post. People attracted to these roles tend to be more often driven by the challenge of the work itself, something rarely articulated in traditional job descriptions. And, being frank, a younger generation of security professionals who’ve come of age online tend to be resistant to full-time office placements in suburban locations.
A team’s composition should be based on needs, with permanent staff in the critical positions, and a blend of staffing, tactical, or project-based recruitment where it makes sense (for instance for standalone development initiatives). Outsourcing entire functions, such as intelligence, should be considered where the expertise simply does not exist within the business structure.
Building a team with ADGA
Here at ADGA, we have over 25 years of experience leading strategic cybersecurity engagements and implementations for clients at all levels across Canada.
Our processes for sourcing, screening, and onboarding candidates have been tested and borne out over time, and have been evolving to match the ever-changing landscape.
With 1,000+ pre-screened candidates on our books, and an understanding of exactly what they can bring an organization within this new standardized model, our approach builds human-centric and effective modern teams as a matter of course.
Key members of the modern cybersecurity team