Canadian HR Reporter

CANADIAN HR REPORTER SEPTEMBER 2018 18 NEWS CAREpath is the only Canadian Health Care navigation program of its kind offered in Canada. We have extensive experience in navigating Canadians through the health care system. Cancer Assistance Seniors' Care Assistance HealthCare Assist Your Wellness Partner "I would rather take an MBA and turn them into a security ex- pert than try to take a security ex- pert and turn them into an MBA." Security people "worth their salt" realize if they push too hard, things will break, said Curtis. "ere's an art to that, and that's part of the reason why it's tough to find people to fulfill those roles — it takes experience, it takes some wisdom, good judgment, man- agement judgment skills, and... I'm not finding that in the aver- age candidate, it's not something that's easily taught." While the educational system recognizes the need to develop cybersecurity talent, the field is moving so quickly that educators find it difficult to keep their cur- ricula up to date, according to the report. "Colleges are doing a good job of increasing cybersecurity pro- grams and increasing enrolment in those programs, but their chal- lenge is getting enough instruc- tors to teach… all the cybersecu- rity professionals are out in the industry working," said D'Souza. Another challenge is too few people are venturing into this field, judging by enrolment rates. And academia has developed programs and curriculums that don't necessarily provide the skill sets employers are looking for, said MacKinnon, "so there wasn't a good intersection between pub- lic-private working together with academia in order to be able to set the requirements and produce talent they can actually take from vocations and academia in order to put into roles they're trying to fill today." Seven personas In an attempt to improve the situ- ation, e Changing Faces of Cy- bersecurity: Closing the Cyber Risk Gap presents seven cybersecurity personas that personify the set of capabilities that apply to various cybersecurity functions. A "strategist," for example, has capabilities such as influence, leadership and communication, along with skills such as busi- ness acumen and security-risk management. A "firefighter" has the ca- pabilities of agility, judgment, critical thinking and a threat mindset, with skills such as secu- rity incident management and IT administration. Right now, in looking at cyber job descriptions, they're often very technical, so only a few peo- ple can understand what they're asking, which means employers are limiting the pool of potential candidates, said D'Souza. "And because it's not techni- cal, it's much more inclusive, so people who aren't technologists or have technology backgrounds can look at these and think, 'Maybe there's a place for me.'" e personas also help employ- ers to see both what they can do now and what they can be train- ing for in the future. And they take recruitment to a much more stra- tegic level, she said. "e technical skills that one puts in a job description are changing so rapidly that you almost send out a job descrip- tion, and by the time you recruit and onboard someone into the organization, those skills you recruited for are outdated… so these personas take a more stra- tegic approach, a more stable approach to looking at what you need in an organization." ere are many different stake- holders involved with recruit- ment, from executives in charge of business cases to the talent and cybersecurity function, said MacKinnon. e personas provide a frame- work for HR or cybersecurity experts to create a common lan- guage to talk to one another in developing talent strategy. "ese are really a personifica- tion of a set of capabilities in order to be able to address certain func- tions within the organization… and it's really in a language that people can relate to," he said. Even job descriptions and on- line postings that are often passive and ineffective can use the perso- nas as a starting point to better describe potential opportunities, with employers looking at which capabilities should be mandatory and which skills can be trained, said the report. Talent strategy needed The report also recommends employers use an overall talent strategy to combat the prob- lem, instead of just tactics such a hackathons or flexible work programs. at means articulating a talent value proposition that shows what you can offer people in exchange for them bringing their careers to your organization, such as defined career paths, formal and informal training opportunities and access to strategy leaders. Employers should also gather data about their current work- force to identify and remediate gaps in capabilities, skills and behaviours. is will help with finding po- tential solutions, such as cognitive technologies and automation or alternative sourcing, on-demand workers or crowdsourcing. "A lot of organizations are not yet ready to answer that question in terms of 'What actually are we missing so we can deliberately and thoughtfully fill the roles in terms of capabilities?'" said MacKinnon. "They need to have strategy that's encompassed with the total value proposition. So is your stra- tegic intent to be an employer of choice?" "Is your strategic intent to be a world-class security organization? Or is it just to make sure you don't have any breaches and keep the lights on? at would mean very different ways that you attract and retain your talent." Employers should also build and actively live a culture and brand that connects with the cy- ber workforce they are targeting, said the report. "People have to want to work in the cyber field, and right from el- ementary school through to mid- career professionals we need to do a good job of explaining why cybersecurity is important — why it's meaningful — because you hear that millennials want mean- ingful work… cybersecurity is quite meaningful, when you think it's (about) protecting people, so there's a whole opportunity to educate people and improve the image of this field," said D'Souza. Employers are also trying to get ahead of the curve by work- ing with colleges and universi- ties with an openness to look at other sources of talent, such as boot camps and other technology education players, such as smaller, private establishments. "e benefit of that is they're quite able to keep curriculum very up to date," she said. Non-traditional sources Organizations can also make a point to better incorporate stu- dents into the cybersecurity field, or retrain people already in the workforce by providing a path to transition to a cybersecurity role, said the report. "Career shifters" such as mid- career professionals, can be trained in other areas and bring a mature mindset and know-how to the new role. Non-traditional talent sources should also be considered, such as veterans or women, as the average Canadian cybersecurity team is 29 per cent female, compared to the global average of 11 per cent, according to D'Souza. "Your pool is quite limited if you're only drawing from males and the IT field (instead of ) looking at more women and… mid-career professionals," said D'Souza. "We should be looking to tap into them and how can we map their current skills to the skills, for instance, in these personas… and what will it take to train them to transition over?" And once new employees are onboard, it's important to fo- cus on retention strategies such as mentorships, rotational as- signments, assigning a variety of projects to engage people, promoting continuous learning, defining clear career trajectories, and keeping compensation plans at pace with the market, said the report. Overall talent strategy trumps hackathon tactics CYBERSECURITY < pg. 3 "A lot of organizations are not yet ready to answer that question in terms of 'What actually are we missing so we can thoughtfully fill the roles?'" LOOKING FOR A SUPPLIER OR VENDOR? Visit hrreporter.com/hr-vendors-guide

• Cover