There is no denying the large number of vacant full-time positions to be filled in the cybersecurity workspace. The numbers range from 3.5 to 4.7 million globally. As most CISOs will attest, the talent pool has never been tighter, and the squeeze will only continue. Necessity is the mother of invention, so this critical need requires different thinking about who can contribute to security teams\u2019 successes.\n\nFor some, the answer is surrender. They simply accept they are resource constrained, keep the executive staff informed of the risks they are assuming due to lack of resources, and call it a day. This is not the path I\u2019d advise, as it is almost certainly a step toward the self-fulfilling prophecy of the alternate CISO acronym, \u201ccareer is so over.\u201d \n\nFor others, this is an opportunity to create new pathways to success for their teams and the individuals who are afforded opportunity. Here are some ideas about what those pathways might look like.\n\nMake entry-level cybersecurity jobs just that\n\nDuring the recent RSA conference, I asked Curtis Simpson, Armis CISO, about the complexity of the tools being brought to market and the learning curve needed to be a contributing member of a team. He sees a high school graduate, maybe with some community college classes and \u201ccritical thinking skills\u201d as having what they need to know to fill an entry-level cybersecurity position and be operational within days. The key, he says, is in removing the complexity of the systems being used.\n\nHPE\u2019s CSO Bobby Ford shared with me some perspective as to how he believes, \u201centry level, should mean just that \u2013 an entrance into the field or role. I feel very strongly that you\u2019re overlooking potentially tremendous talent if a particular skill set is used as a barrier to entry. My approach to cultivating talent is drawn from my experience in the military. I\u2019m looking for people who have an interest in the subject matter. We can teach the skills to anyone willing to learn.\u201d\n\nFord gets no argument from me as one who has spent a good part of his professional career developing vocational instruction for a rather unique skill set of the intelligence officer. Early in my professional career I was also the benefactor of the \u201ctake someone with interest\u201d way of thinking Ford describes. I was a 20-year-old file clerk whose claim to fame was he knew A-Z and 0-9. I was given the opportunity to learn a skill as a \u201ctelecommunications specialist.\u201d The CIA was experiencing a shortage of radio-qualified operators who knew Morse code, Radio Teletype (RTTY), and how to use encryption methodologies (one-time-pad, one-time-tape, and a variety of devices). This was almost a half-century ago, but the lesson remains valid.\n\nThe Agency created a homegrown variety of operators. The cadre was taught the skills necessary and were sent out to the field. It was a great success and kept the bits moving along the blazing 120 bps RTTY circuits. Before you roll your eyes about Morse Code, yes, I once did use Morse Code encrypted with OTP to pass staff communications in a frosty period of the Cold War: For a six-week period a certain government cut the lease line and jammed outbound RTTY transmissions in a fit of diplomatic, \u201cWe\u2019ll show you.\u201d The communications under my remit were degraded, not cut off. My Morse Code speed was a mighty 21 wpm.\n\nCreate and grow your security professionals\n\nIn the recent \u201cHPE 2023 Cybersecurity Annual Report,\u201d Ford discusses how his organization has \u201cworked to create and grow our security professionals.\u201d The highlights of the HPE effort begin with perspective. Ford sees the \u201ccybersecurity talent shortage\u201d as misidentified, he refers to the situation as an \u201cexperience shortage.\u201d As we all know, the only way to garner experience is by doing. He opened doors to \u201coverlooked\u201d talent, with the creation of their Cybersecurity Career Reboot Program.\n\nThe program\u2019s key factor probably broke every HR sorting tool, as they sought out individuals who had been passed over because the \u201clack the experience required to land entry-level jobs.\u201d HPE set up a six-month in-house program where \u201cparticipants are paid while learning the nuts and bolts of cybersecurity, embedded within various cyber functions within HPE and taking on project-based work while being mentored by our team members.\u201d \n\nHPE wasn\u2019t done. They then used their Professional Rotation Experience Program (PREP), which took recent grads and put them in \u201ctwo-year rotational program that includes global exposure to all our cybersecurity functions. PREP participants gain experience with the foundations of cybersecurity through hands-on project work, exposure to a variety of experiences, and innovative training and development, rotating through the different teams within cybersecurity every six months during the program.\u201d\n\nKeep an eye on employee growth and retention\n\nWhile the focus of homegrown talent programs is on the new and eager employees, CISOs must also keep an eye on retaining and improving the talent already in place. Simpson and Ford both noted the value of mentoring. Keeping your current stable of professionals at their peak also requires investing in training.\n\nThis may be a larger lift than one would think based on the recent Immersive Labs Cyber Workforce Benchmark report, which highlights how \u201cseasoned cyber pros are more complacent in their skills than junior staff.\u201d They explain that their data displayed how \u201cjunior staff tend to challenge themselves with more difficult exercise and are more likely to stay current with new threats compared to more experienced cyber professionals.\n\nThe White House cybersecurity workforce plan for the US\n\nThe White House on July 31, 2023, issued a \u201cNational Cyber Workforce and Education Strategy, Unleashing America\u2019s Cyber Talent\u201d and it aligns with the thinking of both Simpson and Ford. The strategy emphasizes the need to \u201cchart a path to resolving these challenged by working towards filling cyber jobs for working families.\u201d What are the challenges? An education system that lacks a cyber focus and an \u201cinsufficiently diverse workforce.\u201d\n\nThe plan has four pillars:\n\nThe US federal government has its CyberCorps Scholarship for Service program that provides scholarships to those studying cybersecurity related field. The National Security Agency (NSA) invests in providing certification to colleges and universities as centers of academic excellence. The pipeline is bright for those positions requiring academic degrees or certifications. In time, they will deliver qualified individuals into the pipeline.\n\nWhile the White Houses initiative and those of other governments will enable resources to grow the cyber workforce of the future, we need results in months not years. Companies must take the initiative today to help themselves and by extension the overall cyber community.\n\nIn sum, if we are to close the gap in open cyber position requirements, we must create home-grown solutions, ensure our established cyber workforce is afforded training opportunities, and to embrace the concept of mentoring both intra-company as well as across the cyber community landscape.