The Unconventional Way to Build a Cyber Talent Pipeline | Jim Routh and Damon Carter

Episode 42 | Reimagining Cyber
The Unconventional Way to Build a Cyber Talent Pipeline | Jim Routh and Damon Carter

Jim Routh  00:00

In a scarce market, you hire talent when you find it, not when you need it. And so what you do is you create an evergreen job requirement or, you know, post it that says, you know, we're always open. We're always recruiting, whatever your interests are, come talk to us. You keep it as generic as possible. You don't make it specific and say these 14 certifications are fundamentally required for this job. You basically do the opposite. You say, Well, let's see. Can you fog a mirror? Okay, yeah, we'd like to talk to you, literally because you're just trying to evaluate the one thing you can't teach, which is intellectual curiosity.

Rob Aragao  00:48

Welcome to the Reimagining Cyber podcast where we share short and to the point perspectives on the cyber landscape. It's all about engaging yet casual conversations and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co host, Stan Wisseman, Head of Security Strategist, I'm Rob Aragao, Chief Security Srategist. And this is Reimagining Cyber. So Stan, who do we have joining us for this episode?

Stan Wisseman  01:12

Rob, we have a special episode today with both Jim Routh and Damon Carter joining us and we'll be discussing approaches they've taken to break the mold on how to recruit and develop cybersecurity professionals. As many of our listeners know, Jim has had a storied career leading cybersecurity programs at some of the largest organizations in the world such as American Express, JP Morgan Chase, MassMutual, and Aetna, CVS. And he's continued making an impact, even though he's retired from being a CSO role. And Damon has also had a great career leading HR organizations like at GE Express Scripts and Aetna. Jim, it's great to have you join us again,

Jim Routh  01:50

Stan, happy to join you and Rob on this call.

Stan Wisseman  01:53

And Damon, welcome.

Damon Carter  01:55

Thank you very much happy to join you and Rob as well.

Stan Wisseman  01:58

Let us jump right into this topic. The Cyber talent gap is something that's being discussed broadly in our community, it's, it's sort of a desperate cry for help. A lot of studies are showing and suggesting that cyber talent supply needs to grow like 145%, in order to meet demand. Jim, earlier this year, you published an article with the ICIT that articulated some unconventional approaches that you and Damon took. While you're both at Aetna. And I know, Jim, you've done this at other organizations as well, with other HR partners, Jim, what was an initial trigger that made you realize that things needed to change and and, you know, using a different approach for recruiting and retaining cyber talent?

Jim Routh  02:46

Stan, I think it's number one where the market conditions were firmly established, there were a lot of statistical evidence that was clearly showing the lack of supply to meet the demand. But the trigger for me was the forecast looking forward in the forecast for the demand was continuing to increase. And the forecast for the supply of cybersecurity professionals was increasing at a significantly lower level. And so it was obvious to me that this wasn't this wasn't like a short term, you know, multi year kind of phenomenon. This is essentially a trend that is going to continue for the next decade. And so the conventional approaches that we were using to go to market for talent, really don't apply under these kinds of market conditions, which are only unfortunately going to get worse from the enterprise perspective. Maybe you could argue that they get better from the individual employee perspective, because there's more choice of, of job opportunities, but but it's not going away. It's it's a problem that's with us for long term. And that means we have to fundamentally adjust the traditional or conventional acting talent. And there are also some changes that we have to do to develop that talent and be more proactive and how we create opportunities to develop that talent, which satisfies not only the employees that are in your program, but future employees that you hire as well. So there's a relationship there,

Stan Wisseman  04:29

Get them in and also retain them over time.

Jim Routh  04:32

You know, I don't like to use the word retains, but that's exactly it, Stan, and that's what every HR professional will say is you want a positive employee retention. I don't like to use that word. Here's why. You're an employee or you have been an employee. I've been an employee in the past. We never wanted to be retained. That wasn't like what motivated us. But if you change the verb to we will wanted to be developed? That was that was positive, right? So I want to stop talking about retention because that's the employer side. And I want to be a little more sensitive to the employee side. And the employee side says, I want to be developed, I want opportunities to learn and develop new skills. And, and that's what motivates me. And if an employer can, can satisfy that over the long term, well, you can survive in this marketplace quite nicely.

Rob Aragao  05:33

Very true. And I actually might come back to that point a little bit later on the way in approach that you and Damon worked together to kind of change that to be where the employees become more marketable, right, as opposed to the whole routine.

Jim Routh  05:44

Rob, if you don't mind, I'm gonna set this up. Because there's a fundamental dichotomy, if you will, or there's certainly conflict in that the message I'm sharing is that you have to partner with your HR professional, and collaborate with your HR professional in order to adopt the unconventional employee management practices that the market conditions require. And the irony or the, you know, the conflict there is that it's changing, established HR practices in collaboration with your partner. And that's, that's a difficult juxtaposition, if you will to wrestle with, and one that Damon can really add a unique perspective on coming from a HR professional perspective.

Rob Aragao  06:45

And that's where I want to go next, actually, is Damon, as you and Jim partner to actually make this successful. Atena as an example, I just kind of want to take a step back. So here comes Jim, approaching you and saying, Hey, I've got some issues as it relates to hiring cyber talent. But I have some ideas, some unconventional approaches, which Jim is infamous on unconventional approaches within the cyber world. And now he's applying it towards this HR business function. And you are all open ears. But at that point in time, like what was going through your mind as you're hearing what he's saying, and just the thought process, because there's specific, obviously, practices that you have within HR that you've been used to following and now you're looking at this kind of paradigm shift. So what what happened at that point? And how did that transpire as you moving forward with the program?

Damon Carter  07:38

Well, thank you for the great question. Rob. I am, as Jim came forward, as he joined the organization, we are at a state of influx, it's a lot of change occurring just across the organization within the IT world specifically, which I supported, along with several other functions at that time. And growing up in large corporate environments, I was accustomed to get here's your typical talent management process, here is your typical performance management process. But I learned very early on that that wasn't enough. You need to make it I think an HR partner, a really successful HR business partner is really understanding the needs of the client, and understanding the tools they have in your toolkit, and how can they move the needle and help enable the client to meet their strategic objectives, particularly from a talent perspective? So it was very, I think it was a very organic play. Honestly, I think Jim's ideas were very timely. But Jim was also open to hearing my ideas, as well. So it wasn't just Jim saying, Hey, here's the playbook go, it was, hey, let's get together, let's collaborate, let's figure out how do we meet this demand moving forward, because I'm not doing my job as HR leader, if I'm not putting the business in a position to meet their talent needs, and the the market conditions that Jim spoke to, with how fast the market was shifting the limited amount of talent that was available, because they couldn't keep up from a development perspective. And then you layer the costs of buying the talent versus growing the talent, we had no other choice but to get creative. And I will say apply these, how I cared, how I would characterize it, progressive kind of talent strategies, and and very specific to the needs of, you know, the cybersecurity group because every IT area had their own specific needs. So in order to systemically address this issue, I was asked to come up with a broader strategy to say, hey, how do I address the needs in Enterprise Architecture at the same, they're very unique, but also address be able to pivot and address the needs of cybersecurity and their interest in infrastructure. So, we had I had to take a step back and look at this holistically and create a kind of a strategic workforce planning strategy that took those economic factors into place the future business demands, understand the current landscape and figure out what kind of plans need to be put in place to address those. And that's where Jim and I kind of met in this effort.

Stan Wisseman  10:14

Jim sounds like you had a great partner with Damon. Somebody who is open to working this, but I'm curious when he, you know, this people strategy? Where did you get? Where did you initially start? I mean, obviously, it's probably multi prong, right? Where it's increasing the size of the funnel of, you know, folks coming in that you're considering as well as how to not retain, but develop your staff. So where did where did you get going?

Jim Routh  10:40

Yeah, Stan to answer your question. The first part is, I was fortunate, I was fortunate in that I was working with Damon Damon was the best HR professional I worked with in in 30 years of corporate experience. And I worked with some really good ones. But  Damon was the top. And he rightly understood the marketplace dynamics, and recognize that they weren't changing anytime soon, and that we had to open it up and to kind of new ideas. What I didn't know, when I started working with Damon, which I now understand is that it isn't just about changing the techniques relative to recruiting. A lot of people think that talent acquisition is based solely on what you do to recruit talent in the organization. And it turns out that actually the way you lead, and the way you support, and give employees an opportunity to learn what it is that they wish to learn, that actually is a recruiting tool. So you're focused on the existing employees, and enabling their choices and options in terms of improving their marketability. But by the same token, people that are outside the organization that are looking for opportunities are partially basing their decision, their determination of how you lead, you know, under normal circumstances, and will they have the opportunity to grow and learn.

Stan Wisseman  12:21

I think one of the things that I found interesting in your ICIT report was the decoupling of that talent development from performance measurement.

Jim Routh  12:31

So I grew up in an era where I was told this was your, this is your performance, here's your rating, here's the money, you know, here's your merit increase, here's, you know, your, your your bonus. And, oh, by the way, here are two, three things to develop yourself. So you can make more money next year, right. And those things were like, there were three different conversations, but they're often part of the same dialog, right? And it just went from one to the other. And the reality is that when employees hear the money part, they don't pay as much attention to the other aspects that that you offer. That's just the nature being what it is, because there's a lot of pressure and uncertainty about the financials, so and so what we're doing is we're decoupling for the talent development discussion, making it stand alone. It's still related to your relationship to your leader. But it's fundamentally different. It's almost like it's like a charitable giving program, a charitable giving program has as its foundation, the employee decides on a cause. And that decision is a personal decision. It's because their family member had an experience or they knew someone, but someone close to them created a need, and they want to fulfill that need on their behalf. And that's a very personal decision. Now, the enterprise will say, Look, if the charitable organization meets this criteria, we'll double that investment, we'll match your investment of your, you know, treasure that you're willing to commit, we'll match that and and then you get double your money essentially for the same output. And that's what a charitable giving program is. Well, professional development should be based on the same model where the individual employee makes the choice of what they want to learn to be more marketable and given giving them more opportunity.

Stan Wisseman  14:51

And they're motivated to do it then.

Jim Routh  14:53

Exactly. It's a personal decision. So Stan you nailed it. I mean, because it's a personal decision, they're motivated. And so the leader doesn't have to be the motivator. And matter of fact, the leader just has to get out of the way and be a support like a coach, and basically say, Oh, so that's what you want to learn. Here are the development activities that we can enable you to learn what it is you're choosing to learn. And frankly, if that means an adjustment to your role, to allow you to learn what it is you want to learn, we're going to do that. And that is where the transition from recruiting and attracting talent comes based on the foundation of a commitment to educate employees, and a demonstration of that commitment. And the difficult part. And I'll have Damon talk about this, as well. The difficult part is, we're trying to make employees more marketable. But we don't want them to leave the organization, we want them to have the choice to leave the organization. We want them to have many choices to leave the organization. And that sounds like backwards. But actually, if we do our job as leaders, we will give them better choices to stay and learn what it is that they wish to learn. And so what ends up happening is people will get an opportunity to leave for more money. And they'll choose to stay because they're learning faster and learning the skills they're choosing to make themselves more marketable. And that's actually more valuable to them, you know, at that time in their life. Damon thoughts on that?

Damon Carter  16:49

Yeah, I would add, don't lose sight of the leadership engagement piece there. Because by moving shifting from the performance management, traditional performance management conversation, which leaders struggle with doing that particular if you're asking to do that on a regular basis, you're shifting to leaders are there to help their people grow, and we're telling them as an enterprise, this is your role as a leader to grow your talent. That's a totally different conversation that have with the employee. And it's a much more engaging and comfortable dialogue between the leader and the employee on a regular basis. So that that shift was, I think critical to get away from the traditional performance management. What did you do, right, what did you do wrong? Versus how can I help you?

Stan Wisseman  17:38

And Jim, you talk about, you know, leaders having to dedicate up to 30% of their time to being that educator.

Jim Routh  17:49

It's more than just employees. But you know, we're focused on employees for this discussion. It's really all stakeholders in an enterprise. So if I'm a CSO, I have a board of directors, I have to worry about their educational needs. I have a executive leadership team, the CEO and the rhetoric boards, well, they have some unique education requirements as it relates to cyber resilience as well. I have my peers in IT, and they have you know, needs relative to cybersecurity, now, it's changing their tactics and techniques. And then developers, software developers, they need that. And so if you look, they're multiple stakeholders, and they all need education, including your employees. And so we really are educators as leaders, and that means that we have to pull together educational curriculum from multiple sources to satisfy the diverse needs of our stakeholder groups, and recognize that our employees may want to learn different things. So when I started in cybersecurity, you start as a sock analyst, you know, number one, then you became a sock analyst, number two, became a sock analyst number three, each one with a very distinct set of requirements and skill mandates that you had to achieve. And you stayed in security operations like that was it? Well, security operations is where you spend all day looking at a screen, you know, looking through log files, and that's redundant and tedious. And frankly, a lot of security professionals are interested in other aspects. They're interested in software security, are interested in network security are interested in pen testing, you know, and they're interested in growing and developing their skills. And so our job as leaders is to give them that opportunity and enable the learning that's required, and then adjust their roles accordingly. So you wanted to be a sock You know, analyst, too, and then move into security intelligence function and, and then maybe two years later into an engineering role for security operations, then that should be the natural flow that the leader enables, supports, and builds a culture around that kind of evolution. So it used to be, you know, this is maybe decades ago, but when an organizational change happened, there's usually a business trigger event that caused it, you know, we have a riff, you know, the economics are bad, you know, that that's causing the, you know, the change. So we're going to reorganize, we just bought a business. So, you know, we're going to reorganize around that new business that we bought. But there's usually a business trigger, in this case, the trigger is the employee choosing a skill that they want to master. And we're the organization giving them an opportunity to do that by adjusting their role to allow them that opportunity. So instead of fitting people into tightly defined roles that are predetermined, you're basically giving an opportunity to morph or change the role that they're in, based on what they want to learn. Now, what I've just described, bucks up against or is constrained by traditional HR practices that say, there's a job description that has a level, and that, you know, moving from one job description to another has to, you know, include some kind of promotion and an evaluation process of the available candidates. And so, it's not that we have to not and then that we jettison that. But we have to be cognizant of the fact that that tight structure around jobs, and job definition needs to have more flexibility. And that's where there's kind of this balancing and an equilibrium. Damon, what are your thoughts,

Damon Carter  22:07

I think it's a great point. And it is a interesting shift. And it was interesting shift. And the way we kind of broke that up was, through this process, we spoke about T shaped professional development. So to what degree do you want to choose a path? Are you you know, are you gonna want to focus your skills on becoming more of a generalist in your space? Or do you want to dig deep and become a specialist in your space, and you can still do that from your current seat, instead of waiting for a nod a bump? You know, somebody to say, Now, you, you've been blessed to move forward to this next opportunity. Now, you can start to grow differently. Now.

Stan Wisseman  22:46

You can take that action yourself.

Rob Aragao  22:50

That makes sense. And Damon out of curiosity, so this obviously work for you guys within, you know, Jim's specific functional area, which you guys are partnered on. But I'm just wondering, did that translate into other, you know, have your own kind of an HR partner side community and saying, what worked for you guys was able to actually go in and be applied to other parts of the business with another HR hiring teams as well?

Damon Carter  23:11

Yeah, we actually, the timing was great, because from an organizational perspective, as I mentioned earlier, there's a lot of change occurring and the CHRO at the time, you know, started to really focus on strategic workforce planning efforts. So I was able to kind of share exactly what we were doing from an internal benchmarking perspective, with the broader organization, there are other pockets, the organization that we're taking similar approaches, as well. And so, you know, it came together is just very well timed. And I will say that, you know, what Jim was doing, even within the IT space, was definitely pushing the envelope and really setting a great standard, not just within IT, but for the organization at that time.

Jim Routh  23:54

I'll tell you, one of the most difficult constraints I would say that we collectively had to deal with, and this is my experience across three different companies, is the notion that traditionally, you hire talent when you need it. Meaning that you produce a job description, job posting, there's a posting process internally and externally, you find the best candidates, you'd make sure you've got, you know, diversity, diverse backgrounds covered, and then you hire the best person and you move on and the next time you have a need, you go through that same process again, the and there's nothing wrong with that process, if the marketplace provides the depth of talent to support that, but in a scarce market. You hire talent when you find it, not when you need it. And so what you do is you create an evergreen job requirement or post it that says, you know, we're always open. We're always recruiting, whatever your interests are, come talk to us, you keep it as generic as possible. You don't make it specific and say these 14 certifications are fundamentally required for this job, you basically do the opposite. You say, Well, let's see, can you fog a mirror? Okay, yeah, we'd like to talk to you, you know, literally, because you're just trying to evaluate the one thing you can't teach, which is intellectual curiosity. That's the one thing we can't teach. So that's what is is absolutely based on requirement. But once we start a dialogue with you, it's exploratory. It's not tied to a specific job description,

Stan Wisseman  25:41

You're being agile as far as where you can possibly leverage that individual in your organization.

Jim Routh  25:47

Actually, I didn't even think about that in the interview process, I think about what is it that you as the candidate, what do you want to learn? And I try to understand at least two skills that they want to learn and they're often somewhat cautious. They're like, are you asking me what I'm weak at? And I'm like, No, I'm asking you what you choose? Where if you if you had unfettered access to education, what would you choose? Like, what's your interest? And what's your passion? And, you know, what do you feel that at this point in time is important for your career. And the reason I want to know that is that's the hook. Ultimately, whatever job I asked you to take, I have to make sure that jobs gives you the opportunity to learn those two skills that you're so I have to get it right. So that's what I'm my primary focus on in the exploratory interviews, is figuring that out. Secondarily, I'm trying to determine whether this is this person represents diverse talent. And, and if they do on a relative basis, I may end up offering this person a job that doesn't exist today that I'm going to create, to satisfy what it is they wish to learn. And at the same time, by doing that, giving them a stretch opportunity to raise their level of contribution. Now, that sounds like it lacks in specifics. But again, I'm trying to get out of their way in terms of development, and not be the critical path to development. I want to be a supporter, a coach of their development. And I want to give them access to the education

Rob Aragao  27:36

Jim out of curiosity. So as you go through these different approaches, and you think about even an example that you just walk through, as you're, as you're kind of talking to people getting a feel for what they really want, again, it's that motivation, that personal aspect, right? And you're translating, where can they plug into my organization, is I don't need a name, right? But just as an example, is there an individual that came in that way through, you're kind of saying there's a fit, there's, let's let's put you in here. And kind of they've had that tricky, because you have over time had a lot of people that you've kind of mentored to become CSOs in many large global organizations, right. So I'm just curious, did any of them come up through that kind of channel and that approach?

Jim Routh  28:16

A lot of them did. I hired a journalist. And I hired a journalist, because I realized that journalism as a professional career is kind of a calling. And it's very difficult to break into journalism. And it doesn't pay a whole lot of money. And the digitalization of journalism has funnily changed the dynamics. And so I figured, well, you know, you need good communicators, you need people can write, you need people that, you know, have a technical, bent and understanding, let's see what we can get. And so I ended up hiring a journalism major who graduated and I think had one or two jobs before and kind of struggled, and is now flourishing in cybersecurity, and, and going into other technical areas in cybersecurity, kind of gaining that, that knowledge and skill. So, that would be one example. I, I probably have, you know, over a dozen people that are CSOs today, that worked, you know, that were part of my leadership team at one time or another. And they're all doing, you know, tremendously well. So, yeah, lots of examples.

Damon Carter  29:34

Yeah, I would just add, I mean, I think that you not only Jim's connection with the talent coming through the door, but as part of his process, this professional development, you had they had to every person had to identify a mentor to help them grow in this area that they wanted to grow in so it wasn't about beyond go to this person you know, implement this plan and tie it strictly your manager is your only option is your resource to push this development because you may be Looking to grow in a space that your manager doesn't have a lot of, you know, experience in. So, you know, it wasn't just Jim. Jim has tons of stories I've watched these folks grow professionally after the fact. And it's amazing to see. But there are a lot of others that because of those connections that are made through this process with other mentors, other than Jim as well, that think benefited greatly from, you know, career development perspective. 

Rob Aragao  30:26

It's just so enlightening to hear the examples of what's happened in the program that the two of you partnered up to put in place. And I think it's critically important, especially for our audience and thinking about, you know, the cybersecurity skills kind of gap in certain cases, the hiring concerns we have, and just how to have different approaches really out there to be able to make it effective. And I think you guys just really summed it up very nicely in a very short conversation we just had, which is just think outside the box, right? Look for the aptitude to desire, the motivation that individuals have, what did they want to get out of it, mutually partner, and then, as you said, look at all the great successes that actually made for them as individuals, and also for what you were trying to accomplish in each of the different organizations you've both been part of. So we appreciate you both coming in and sharing this knowledge with us and hopefully, people take away some great lessons from this. Thanks again.  Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes and don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.