Staff Training, Retention, and IT Leadership in Cybersecurity

Andrew Nuxoll

Sr. Director of Infrastructure, Operations, and Cybersecurity at UNICEF USA

Learning Objectives

Please join the Senior Director of Infrastructure, Operations, and Cybersecurity, Andrew Nuxoll, in this Executive Interview, where he discusses the keys to retaining cybersecurity talent.


"The reality is, if a hiring manager begins the recruitment process without clear and realistic expectations, they probably aren't going to have great success finding candidates."

Andrew Nuxoll

Sr. Director of Infrastructure, Operations, and Cybersecurity at UNICEF USA

Transcript

Britt Erler

Hello, everyone. Welcome to the CISO VISIONS Cybersecurity Virtual Summit hosted on Quartz Network. My name is Britt Erler, QN Executive Correspondent. Thank you so much for joining us. I would like to welcome our executive speaker Andrew Nuxoll, Senior Director of Infrastructure, Operations, and Cybersecurity at UNICEF USA. Welcome, Andrew.


Andrew Nuxoll

Thanks, Britt. I’m happy to be here.


Britt Erler

Pleasure to have you here. In today’s interview, I know you and I are going to discuss the key themes of really acquiring and retaining top cybersecurity talent. Before we do so, if you wouldn’t mind giving the audience some context about your background and your current role.


Andrew Nuxoll

Well, I’m happy to say I’m supporting the children of the world and UNICEF USA’s mission to support them and ensure they have the things they need to have successful lives. My role encompasses, as you said, infrastructure, operations, and cybersecurity. I’ve had a role in some part of that for the past 25 years. I’ve obtained my CISSP, CCSP, CISM, CGIT, CDPSE, and so on—passionate about cybersecurity and IT in general. I’m happy to be able to use my talents to support the mission of UNICEF.


Britt Erler

Absolutely. It’s an incredible organization. I want to start by talking about cybersecurity talent at its heart. Something I’ve been hearing a lot within the industry, as I’ve spoken with other professionals, is that there is a shortage of top cybersecurity talent. Do you agree with this? If so, why do you believe that’s the case?


Andrew Nuxoll

It’s kind of a trick question. If you ask a hiring manager or recruiter, their answer would probably be yes. It can definitely be hard to find good cybersecurity talent, but the unfortunate thing is that the perceived skills gap that does exist is mostly self-imposed. People with skill and talent in cybersecurity frequently aren’t even considered for security roles. I think we’re nearing a paradigm shift when it comes to hiring cybersecurity talent. One common problem that I see, and this isn’t unique to cybersecurity, but it’s prevalent, is what I’ll call the experience paradox. I still see job postings or notifications on LinkedIn asking for 10 years of experience in a product that’s only been released for 3 years. Obviously, especially for senior-level roles, an organization is going to want to be hiring experienced individuals. Even the most senior of resources isn’t going to have 15 years of experience in Azure cloud security or even 10 years with Kubernetes, because neither of those products has been around for that long. It also extends to junior-level resources. Are there really too few resources capable of functioning in a security role? Are the expectations for those types of roles unrealistic? I’ve seen entry-level job postings that prefer a particular certification that coincidentally can’t even be obtained without 5 years of time in a security role. How is anyone ever going to get certified? They have two options: either catch on with a company that recognizes their talent and gives them the opportunity to grow in a cybersecurity role to gain the experience that the certification requires, or lie on their application and hope that somebody vouches for them. The reality is, if a hiring manager begins the recruitment process without clear and realistic expectations, they probably aren’t going to have great success finding candidates. You really have to understand the requirements of the role you’re filling.
If you do want a junior resource, don’t expect to be leafing through resumes full of certifications or pages of candidates that have security in their job title and so on.


Britt Erler

So a bit of what I’m gathering is it’s not that there’s a lack of cybersecurity talent, it’s really making sure that the job postings you’re putting up there have the correct requirements for that particular role. Also, being open minded to bringing on cybersecurity professionals and giving them the opportunity to grow and learn within the role you’re hiring for.


Andrew Nuxoll

I think a more reasonable approach is really to dig in and evaluate an applicant’s skill. It isn’t always a quick process, but it’s important to identify what they do know. You have to determine where they have been exposed to cybersecurity in the past. Just as importantly, are they passionate about it? If so, how can they contribute when they join your organization while simultaneously being trained to take on more responsibility? I mentioned earlier the paradigm shift that I think is really taking place now. I think we’re on the verge of having to treat cybersecurity almost more like a skilled trade than we do other typical roles. Without that type of change, we’re never going to be able to give resources the experience they need, from an apprenticeship perspective perhaps, to grow into an advanced cybersecurity role.


Britt Erler

It sounds like, after talking about this with me, that it’s not necessarily a shortage of talent, but it really is making sure that you’re putting the right requirements for the role up onto platforms such as LinkedIn or other job-searching websites. In your experience, what do you believe are the top requirements for a cybersecurity role?


Andrew Nuxoll

Well, the requirements are obviously going to be role-specific. An architect is going to have different requirements than, say, a pen tester. Similarly, a senior-level role should demand more experience than a junior-level role. When I think about the most successful cybersecurity practitioners I know across many different roles that I’ve led, worked with, or encountered in general, there are definitely some common characteristics that pop up. The first of those is going to be an individual who’s passionate about cybersecurity. It isn’t just a job, it’s a subject they really enjoy. There’s a colleague of mine, for example, whom I respect and talk with frequently, who was venting to me not long ago about how many hours of continuing education they were required to complete to maintain their certifications. But ironically, when they went to log everything, they realized they had more than doubled the amount needed just from webinars they attended, education they participated in, presentations they gave, and conferences they attended, albeit virtually now. This person has clearly immersed themselves in cybersecurity. The passion that drives them to learn is really what’s helping to make them successful. The second characteristic, I would say, is someone that’s committed to research. If you can find someone that really loves researching problems and issues, they’re probably going to be more successful than someone that doesn’t. I don’t mean they have to be the type of person that is writing white papers for fun or something to that extreme, but it’s more about identifying someone who’s relentless when they’re driving to understand a topic, or who always keeps research in mind when it comes to solving a problem. They’re also the type of person that taps into their professional network for help. If they see an article about a data breach, they’re not just going to read the headline and regurgitate that in their next conversation.
They’re actually going to try to digest it and learn from it: how does it apply to their role, and what can they do to protect themselves in the future? The third thing I would say, something that I’ve seen more often recently, is a candidate that has mentors that they lean on, and really likes to engage someone to help them grow in their career. From a professional standpoint, having a mentor or coach you can rely on for advice is a great thing. It helps you really learn business practices in addition to technical topics, and a lot of times gives you an outside perspective that you might not have gained otherwise. So someone that has mentors, or really looks to rely on leadership that they know in order to grow, is the type of person that is probably going to be successful in the long term.


Britt Erler

I completely agree with you. I think those are some really key points. At the end of all of that, the main idea is that you are constantly learning in this role. No matter how high up you make it within a company, cybersecurity is changing daily. So you need to be willing to do the research, you need to be willing to learn and to adapt constantly, whether it’s through, as you mentioned, going to a bunch of webinars, or having a mentor there to walk you through. I think that’s incredible advice, especially for this industry, and in the world we’re living in now where it’s really changing and pivoting so quickly day to day. Now, a question I have for you that I get asked a lot is, for professionals that may have IT experience but don’t have experience within the security sector per se, is it realistic for someone with IT experience to transition into that security role?


Andrew Nuxoll

Absolutely. I think we can all agree that basic IT experience is fundamental to being able to perform in a cybersecurity role. As time goes by, more and more companies are beginning to focus on improving their security posture, and in many cases, doing it in the absence of a formal security team, at least to start out with. That doesn’t mean that the people doing the work aren’t really security professionals, it just means they don’t have that title yet. On the contrary, they’re the ones building a new security program, which is great experience foundationally. Whether they end up standing up an endpoint protection system, configuring a network or firewall for security, or even working on client security at the endpoint level or end-user level, they’re all gaining critical experience that they can use along the way. That’s your pipeline for junior-level security talent. It should be happening organically. Interestingly enough, I think the lack of abundant security resources directly correlates to slow adoption of cybersecurity practices. If you have an organization that is lagging behind in developing a cybersecurity program, they’re not going to have the pipeline of talent to really support it; they’re going to have to look outside. What I see now is, industry-wide, organizations are beginning to place that focus on cybersecurity. There really are more junior-level resources available than there were before, but in many cases, they just haven’t grown into those formal positions yet. Another part of the experience paradox that I mentioned earlier is a candidate that has worked in IT developing security practices or installing tools: are they really a junior-level resource? Quite frankly, they’re probably not going to want to be called that when they move out of their current role. They’re an administrator, an engineer, or a technician, and they don’t want a label that is junior, so they actually have much more experience than they’re given credit for.
Something as simple as a title means a lot to some people, although I don’t think it should.


Britt Erler

Right. Now, a lot of companies are really just starting to build their cybersecurity teams, or if they have one in place, they’re looking to improve and really bring on candidates that fit the company as a whole. In your experience, how do you build a strong cybersecurity team? Where do you start?


Andrew Nuxoll

I’m a firm believer in promoting from within whenever possible. Sometimes, it’s too easy to get stuck on the specific technical requirements of a position and forget about the other experience and intangibles that can provide significant contributions to a team. There’s always a ramp-up period for new hires, and it’s hard to accomplish much of anything or really add value in the first three months of a new role. The technical part of the role is obviously important, but so is understanding the business and its mission, building relationships, and just getting familiar with the core processes and technologies that go along with a new role. So regardless of whether you can hire from within or not, there are a number of other ways to build a strong team and strengthen an existing team. Obviously, providing training or other educational opportunities to employees is key. There aren’t many industries, like you were mentioning earlier, that change or evolve as quickly as cybersecurity. There’s something new every day, the threat landscape is constantly changing and evolving, and new vulnerabilities surface daily. If you aren’t enabling your team with opportunities to learn about the challenges they are facing, you’re really limiting their potential. This extends to promoting engagement in user groups, community engagement, attending the webinars and conferences we spoke about earlier, and just finding ways to get people education relevant to their roles. Also, encouraging team members to learn about other parts of the business that they’re supporting is really beneficial. It helps to understand the technologies partners are using, their goals, the challenges they face, and so on. This type of knowledge often helps to identify and address concerns that might be leading to poor security practice or other inefficiencies.


Britt Erler

It really goes to show that collaboration and communication are key. Even if you’re in the cybersecurity sector, it’s really important to understand what those other departments that you’re supporting are doing, so you can make sure that you’re all on the same page and aligned across the board. Now, once you get the strong team of talent on board, I think especially this year, with everything going virtual, the toughest part of that is retaining the talent and keeping them engaged. I know one of the major sections that you’ve mentioned is education and continuing to educate your employees. What are some of the other ways that you believe are crucial for retaining this top talent?


Andrew Nuxoll

A big part of it, I think, is you have to provide the teams the tools they need to do their job. I’m sure everyone’s familiar with the saying, “A chain is only as strong as its weakest link.” You can have great people, but if they don’t have the tools they need to be effective, you’re going to face difficulties. Think about something like alert management, for example. I consulted with a company a while back regarding improving their cybersecurity program. Not long after that engagement, they implemented a SIEM solution. I spoke with the woman that ran the program afterward, and she was shocked at the amount of data they were collecting. They literally had millions of alerts being processed a month. I’m not talking about a massive company here; it was a rather moderate-sized company by most standards. Fortunately, they had some good fundamental security practices in place. They were taking a proactive approach rather than being reactive. But they made a comment, and I paraphrase, “I have no idea how we were effectively securing this environment prior to putting this tool in. How in the world could a team of five people really manage without this?” At a minimum, if the team is really scanning all the alerts that are coming in, they’d have no time to do anything else. The team has to have cycles to be proactive, in addition to performing the reactive work that they have on a daily basis. I would say that you want to make sure that you’re providing the education and the tools that are necessary for your team to be impactful and really perform their job. There’s really not a simple answer to this question. It’s hard to retain cybersecurity talent because it’s just in demand. It’s a supply and demand issue. Demand exceeds supply, and that leads to complications. So if you’re not giving resources the tools and empowering them to perform their job, it’s easy to lose them.
A recruiter I work with a lot has placed a number of resources, and admitted that many expletives are strewn about when a new placement request comes in for a cybersecurity professional. There are other keys to retaining talent that are mostly common sense. Career pathing and providing the right opportunities to continue to grow in your position are important to cybersecurity professionals like they are to anyone else. Setting clear goals and remaining engaged to track progress goes a long way with people. One thing that’s often overlooked is the importance of just remaining engaged with individuals and teams as a whole; trying to find a way to get together, especially in a remote workforce and facing the difficulties that we are right now, is something that really helps keep people interested and feeling important. I think all too often, InfoSec resources end up feeling isolated to begin with. When you complicate that with a pandemic, it obviously gets even worse. I’ve noticed that many organizations that I’ve worked with have high turnover in InfoSec. The same ones that were hesitant to invest in a cybersecurity program as a whole are definitely impacted more than those that are not. Like I mentioned earlier, with the security landscape changing so rapidly, you’re going to have this type of issue in the field. So talent likes to work with good, cutting-edge tools, they like to have the education to do so, and they like to feel supported along the way. If you can accomplish all of those things, you’ll probably do a good job of keeping your talent.


Britt Erler

I completely agree with you. Now, I would assume with COVID hitting, this new virtual environment, and now the threats that most companies are seeing with their entire workforce going remote, that cybersecurity has really become even more of an interest to a lot of new professionals coming into the workforce. Is that the case or am I wrong in assuming that?


Andrew Nuxoll

I definitely think the more you see cybersecurity in the news, whether it be in a positive light or in response to a breach or anything along those lines, it all contributes to increased interest. So I would agree. There’s more interest now, and that’s definitely peaking with the remote workforce and all the complicated tools and requirements that go along with supporting those groups.


Britt Erler

Right, that we’re seeing today. I completely agree with you. Any final piece of advice that you have for leaders that are in a similar role as yourself? Not necessarily even in the cybersecurity sector, but leaders whose roles have expanded, they’re managing new teams. What pieces of advice do you have for them?


Andrew Nuxoll

I think that you just need to be reasonable about your expectations with new resources, and understand that people skills, a person’s ability to learn, and their overall work ethic are going to play a significant role in their success as a cybersecurity professional, just as they would in any other role. Like I mentioned earlier, don’t get hung up on needing specific niche expertise in given areas. Understand what the resource you’re considering has to offer and how they fit in. Are they a good culture fit, what can they do to gain experience while they’re in their ramp-up period, and so on. That will really help you to identify and retain good candidates.


Britt Erler

Absolutely. I think that is great advice for all cybersecurity departments across the board. Hopefully, for those that are just starting that journey, this will really give them the tips and tools they need to make sure they kick start that department in the right direction. Thank you so much, Andrew. It’s been an absolute pleasure having you here today. Thank you for taking the time. Thank you to everyone who’s tuned in as well. If you have any final questions or comments for Andrew, there will be a discussion forum underneath this presentation. Please stay safe, everyone. Be healthy, and enjoy the rest of the Cybersecurity Summit.


Andrew Nuxoll

Thank you, Britt.


Britt Erler

Thank you.

