Building cyber talent through competition, residency, and real-world immersion

In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths.

Where do you see the real bottleneck in the cyber talent pipeline? Is it skills, training models, compensation, or something deeper like organizational culture?

As we look at the cyber talent pipeline, the bottlenecks I’ve seen are primarily in bridging the gap between knowledge from colleges, universities, and certifications and the practice of defending complex networks, risk management and incident response. With the dynamic landscape and threats of cybersecurity, continual learning, evolving and understanding the balance of enabling business while defending the networks is a complex balancing act.

With a compelling mission and competitive market pay, you open up the bottleneck. With the additional opportunity of work/life balance amidst the stress of a profession that has a high burnout rate, organizations can open the door to attracting additional talent. Organizations continue to work on the delicate balance between operational efficiencies and retaining talent.

Which cyber roles do you believe are scarce, and which are only scarce because job descriptions or experience requirements are too narrow?

Cybersecurity is a very dynamic field. The skill set used to be monolithic and having a “cyber” background was self-explanatory and focused on network connections and the internet. Data as a commodity and the immense attractiveness of data combined with the interconnectivity of devices from cell phones, operational technology and the emergence and power of AI brings complexity to the landscape and the emergence of specialties within the cybersecurity job field. The biggest scarcities (and most highly sought after skills) are those who have experience and understanding in these newer areas.

I don’t believe this is a job description issue, but instead, this is a maturation of the technology and field of research. Universities’ and colleges’ research and degrees as well as certifications are expanding to reflect this, but there is a lag as they catch up and the scarcity in the market reflects this (along with the higher salaries for these specialties).

What sourcing or evaluation methods have you seen deliver strong candidates that traditional résumé screening would never surface?

Sandia leverages three key avenues for sourcing to identify and deliver strong candidates. First and foremost, pipeline programs such as our TracerFIRE competitions we host on university and college campuses throughout the U.S. and other exercises we host in partnership with the National Nuclear Security Administration and the Department of Energy attract students.

Top students become part of our intern program where they work alongside our teams and then may become part of our staff and then we provide training and embedded opportunities through a cyber residency rotation program (modeled after a medical residency). This provides us a strong vetting and pipeline for students.

We also work to identify experienced hires. The two avenues that have proved valuable are 1) leveraging our experienced staff and teams who network and attend conferences, workshops and know our culture 2) leveraging embedded technical recruiters that can also vet for the skills and cultural elements we need at a national security laboratory.

Retention in cybersecurity is often framed as a compensation issue. What non-financial factors do you see having the strongest impact on whether top practitioners stay or leave?

Any person will want to feel that they are fairly paid, and this is a critical part of compensation. Once we get past this aspect, we have found a strong mission connection, work/life balance, opportunities to train and develop your skills and the support of leadership is key. Investing in your team, from the technical skills of the cyber team to developing the leadership to provide and sustain a strong culture is critical.

How should security leaders rethink career paths in an era when the traditional analyst to senior analyst to engineer ladder no longer reflects how practitioners grow?

Security leaders need to be careful to think that any career path in cybersecurity is linear or proscribed. Some of the strongest and most creative cyber teams have teams that have diversity in their technical background which allows them to approach problems in unique ways. Our strongest teams combine talent cultivated in our traditional pipelines combined with team members who come from adjacent skill sets who can look at the problem differently or bring new analytical or risk-based approaches to the table.

When team members bring their complementary skillsets, we can leverage our cyber residency rotation program to bring them into the cyber team and provide them insights into the cyber domain to accelerate their contributions.