Get the Most Out of Your Recent Security Hires: The Value of Professional Development

Landing a technically qualified security recruit in this market is quite an accomplishment. Yet for both the employer and the newly onboarded employee, the challenge to make the most of this new relationship is only the beginning. Employers have a vested interest in helping their recent hires continue to grow into productive security professionals — especially since it is likely to cost more next year just to find someone with a similar set of skills.

Here’s how to best approach the continuing professional development of freshly recruited talent to benefit both the employer and the employee.

A Refresher Course in Professional Development

What are key components of effective continuing professional development (CPD)? What are the components of a CPD cycle, and how do those help the individual integrate learning with the job at hand?

According to the University of Manitoba’s “Principles of Effective Continuing Professional Development“:

  • Adults learn best when they are actively engaged in the learning process and when the learning builds on their prior knowledge and experience.
  • Learning must be relevant to their work or some other aspect of their lives.
  • Adults learn best when they feel that learning is necessary to solve a practical problem, whether professional or otherwise.

BCS: The Chartered Institute for IT described the key activities that should be part of a CPD cycle for each individual as:

  • Planning CPD activities;
  • Executing and recording the CPD activities;
  • Recording the outcomes of the activities; and
  • Reflecting on the experience.

The first two elements (planning; executing and recording) are the most likely to be happening already. However, the latter two (recording outcomes; reflecting) should not be skipped because they provide opportunities for both the employer and employee to look back at the road traveled and better discern the value provided by the CPD activity. This means realizing, of course, that value to the employee might not always translate into direct value for the employer and vice versa.

The BCS also reminded us that the CPD is unique to each individual and over time that individual’s goals and aspirations may change. However, it behooves both the employer and employee to come together to chart goals that are mutually beneficial.

This is also echoed in the guidelines from (ISC)², which state that by “growing and enhancing their skills through continuing professional education (CPE) activities, members are making an important investment in themselves and their career — increasing value to their customers and employers.” However, one should not just opt for goals that provide immediate utility but instead invest in learning that will provide long-term future returns.

Accept and Accommodate Different Learning Styles

University College Dublin’s Adult Education Center provides a very helpful guide on the characteristics of adult learning, motivations, learning styles and reflection questions. The research on learning styles was completed by Honey and Mumford and aligned everyone’s learning style as a combination of the following four types:

  • Activists are those people who learn by doing.
  • Theorists like to understand the theory behind the actions.
  • Pragmatists need to be able to see how to put the learning into practice in the real world.
  • Reflectors learn by observing and thinking about what happened.

To get the most value out of CPDs, ensure that your organization’s approach to activities can accommodate these different learning styles. Conversely, look at balancing an individual’s CPD activities with complementary ones (i.e., encourage employees to attend different types of conference or technical trainings).

Learning Can Be Contagious

Employers may balk at the cost and disruption of sending their new recruits to security conferences, but there is an upside: A new recruit is less likely to be one of those key employees whose departure for a week will leave the organization in a bind. Better yet, the employer can leverage the conference attendance to both further develop the employees who attended and still benefit those who didn’t get to go by asking for post-conference updates.

These activities could include short presentations on what the conference-goers determined has short- or long-term relevance or might present a risk to the organization (e.g., a new way to bypass ASLR controls). Those updates provide additional CPD activities for the conference-goers through teaching, mentoring and presenting, as well as information for those who stayed behind.

Learning Can Take Different Forms

Both the (ISC)² guidelines and the ISACA CPE Policy contain a large sample of CPD/CPE exercises, including:

  • Attending conferences, educational courses, seminars, trainings and even some vendor presentations;
  • Studying printed materials, webcasts and podcasts;
  • Preparing for presentations and training sessions;
  • Publishing materials (e.g., articles, books, reviews);
  • Volunteering;
  • Serving on a board for conferences or a security organization.

Learning Doesn’t Always Have to Be Expensive

While employers should be committed to investing several thousands of dollars annually into CPD-related activities for each of their information security professionals, not all activities come with the high price tag of customized training or security conferences.

Some of the learning or doing can happen within the organization’s walls through teaching peers or providing some time off for self-studying. It could even be organized at a nearby coffee shop or another site via mentoring, event organizing or volunteering. An organization can even get free in-house training and education by opening its doors and hosting an event from a local chapter of a major organization in the field such as (ISC)², ISACA, ISSA or OWASP.

Learning Can Help Nurture the Right Attitude

Organizations will also benefit from having employees that are focused on a positive path forward in that those employees’ interactions with everyone, both inside and outside of the organization, will be lifted. But in addition to finding the right technical focus in employees, finding the right approach and character can be challenging.

As one management consulting firm put it, “Many companies have made the mistake of hiring technically gifted people under the assumption that they can re-engineer any bad attitudes through sophisticated training programs.” Organizations must ensure they are recruiting the right type of employee, and putting new hires through special training sessions and activities may help weed out poor fits right away.

A continuing professional development plan will go a long way toward keeping your employees productive but also positive, for the benefit of all.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.