Landing a technically qualified security recruit in this market is quite an accomplishment. Yet for both the employer and the newly onboarded employee, the work of making the most of this new relationship is only beginning. Employers have a vested interest in helping their recent hires continue to grow into productive security professionals, especially since it is likely to cost more next year just to find someone with a similar set of skills.

Here’s how to best approach the continuing professional development of freshly recruited talent to benefit both the employer and the employee.

A Refresher Course in Professional Development

What are key components of effective continuing professional development (CPD)? What are the components of a CPD cycle, and how do those help the individual integrate learning with the job at hand?

According to the University of Manitoba’s “Principles of Effective Continuing Professional Development”:

  • Adults learn best when they are actively engaged in the learning process and when the learning builds on their prior knowledge and experience.
  • Learning must be relevant to their work or some other aspect of their lives.
  • Adults learn best when they feel that learning is necessary to solve a practical problem, whether professional or otherwise.

BCS: The Chartered Institute for IT described the key activities that should be part of a CPD cycle for each individual as:

  • Planning CPD activities;
  • Executing and recording the CPD activities;
  • Recording the outcomes of the activities; and
  • Reflecting on the experience.

The first two elements (planning; executing and recording) are the most likely to be happening already. However, the latter two (recording outcomes; reflecting) should not be skipped, because they give both the employer and the employee an opportunity to look back at the road traveled and better discern the value the CPD activity actually provided. This means recognizing, of course, that value to the employee might not always translate into direct value for the employer, and vice versa.

The BCS also reminded us that CPD is unique to each individual and that, over time, that individual’s goals and aspirations may change. However, it behooves both the employer and the employee to come together to chart goals that are mutually beneficial.

This is also echoed in the guidelines from (ISC)², which state that by “growing and enhancing their skills through continuing professional education (CPE) activities, members are making an important investment in themselves and their career — increasing value to their customers and employers.” However, goals should not be chosen solely for their immediate utility; invest as well in learning that will pay off over the long term.

Accept and Accommodate Different Learning Styles

University College Dublin’s Adult Education Center provides a very helpful guide to the characteristics of adult learning, motivations, learning styles and reflection questions. The research on learning styles it draws on was done by Honey and Mumford, who describe each person’s learning style as a combination of the following four types:

  • Activists are those people who learn by doing.
  • Theorists like to understand the theory behind the actions.
  • Pragmatists need to be able to see how to put the learning into practice in the real world.
  • Reflectors learn by observing and thinking about what happened.

To get the most value out of CPD, ensure that your organization’s approach to activities can accommodate these different learning styles. At the same time, look at balancing an individual’s CPD activities with complementary ones (e.g., encourage employees to attend different types of conferences or technical trainings rather than the same kind every year).

Learning Can Be Contagious

Employers may balk at the cost and disruption of sending their new recruits to security conferences, but there is an upside: A new recruit is less likely to be one of those key employees whose departure for a week will leave the organization in a bind. Better yet, the employer can leverage the conference attendance to further develop the employees who attended while still benefiting those who didn’t get to go, simply by asking for post-conference updates.

These updates could take the form of short presentations on what the conference-goers determined has short- or long-term relevance or might present a risk to the organization (e.g., a new way to bypass ASLR controls). They provide additional CPD activities for the conference-goers, through teaching, mentoring and presenting, as well as information for those who stayed behind.

Learning Can Take Different Forms

Both the (ISC)² guidelines and the ISACA CPE Policy list a wide range of eligible CPD/CPE activities, including:

  • Attending conferences, educational courses, seminars, trainings and even some vendor presentations;
  • Studying printed materials, webcasts and podcasts;
  • Preparing for presentations and training sessions;
  • Publishing materials (e.g., articles, books, reviews);
  • Volunteering;
  • Serving on a board for conferences or a security organization.

Learning Doesn’t Always Have to Be Expensive

While employers should be committed to investing several thousand dollars annually in CPD-related activities for each of their information security professionals, not all activities come with the high price tag of customized training or security conferences.

Some of the learning or doing can happen within the organization’s walls, through teaching peers or providing some time off for self-study. It could even be organized at a nearby coffee shop or another site via mentoring, event organizing or volunteering. An organization can even get free in-house training and education by opening its doors and hosting an event for a local chapter of a major organization in the field such as (ISC)², ISACA, ISSA or OWASP.

Learning Can Help Nurture the Right Attitude

Organizations will also benefit from having employees who are focused on a positive path forward, because those employees’ interactions with everyone, both inside and outside the organization, will improve. But beyond finding the right technical focus in employees, finding the right approach and character can be challenging.

As one management consulting firm put it, “Many companies have made the mistake of hiring technically gifted people under the assumption that they can re-engineer any bad attitudes through sophisticated training programs.” Organizations must ensure they are recruiting the right type of employee in the first place, and putting new hires through dedicated training sessions and activities early on may help identify poor fits right away.

A continuing professional development plan will go a long way toward keeping your employees not only productive but also positive, to the benefit of all.
