It's that time again. October and with it another National Cybersecurity Awareness Month (NCSAM) has arrived. The monthlong campaign, put on by the National Cyber Security Alliance (NCSA) is an annual all hands-on deck effort that spans both government and industry to raise awareness about the importance of cybersecurity and online privacy.

At DG, we’re proud to be a NCSAM Champion Organization for the fifth year in a row!

To celebrate NCSAM, we decided to ask Tim Bandos, Digital Guardian’s VP of Cybersecurity, some questions about one of the most talked about topics in infosec of late, the cybersecurity skills gap. We asked Tim why it’s been so tricky to fill positions, the best way to find qualified job candidates, why retention is key when it comes to keeping employees happy and motivated, and more.

Read on for the full interview.

What in your opinion, have been the trickiest jobs to fill over the last couple of years?

In my opinion, the hardest IT roles to fill are experienced Incident responders and threat hunters. I’ve had to hire for many different positions over the last 10+ years, including IT audit, compliance, operations, etc., but I often find that it’s those two that are the most difficult to fill.

Why experts in key areas are so hard to find?

For the positions I mentioned previously – threat hunter, incident responder, etc. - becoming an expert requires years of hands-on cyber threat experience. While attending yearly SANS training courses can prove beneficial – and is highly recommended – researching and responding to incidents within an enterprise is truly invaluable real-world experience. It becomes even more difficult to find qualified candidates who have experience responding to state-sponsored attacks. Understanding a threat actor’s tradecraft and knowing what to look for as it relates to TTPs (Tactics, Techniques, and Procedures) is an incredibly valuable, and sometimes a rarely acquired, skill.

What do you think is the best way to find a qualified job candidate for a for hard-to-fill positions?

Networking is a big help. The best and most qualified job candidates I’ve come across were from individuals I’ve met over the course of my career at security conferences, threat intelligence forums, and, ironically, even Twitter. Typically, when we post for a job we’ll get flooded with hundreds of candidates. And most of the time, unfortunately, they don’t lead anywhere. The candidates I hire from the various connections I have seem to work out the best.

What are job benefits are most likely to attract qualified applicants?

As always, pay is a big motivator, but aside from that, applicants are mostly looking for an experience where they’ll be able to grow and learn in their career. It can get monotonous doing the same task every single day and can sometimes prompt employees to look elsewhere. If organizations offer employees an opportunity to work with some cool tools, give them the freedom to work on mini-projects that they’ll enjoy, it will likely further your team’s capabilities help build an open and collaborative environment. This should not only help attract talent, but retain it as well.

Much has been written lately about retraining employees to fit the need of organizations. What are your thoughts on this approach?

Retraining employees can yield several positive outcomes. It gives that employee new skills and possibly lights a new fire to keep them motivated. It avoids having to spend time and money finding new candidates that may or may not work out. Additionally, current employees are already familiar with the company and culture, so they can hit the ground running almost immediately. Before I hire for a position, this is always one of the first items I ask/evaluate: is there someone already here that we can repurpose and grow?

This question is similar to the retraining employee question – but what about retaining the employees you already have – doesn’t that have value?

Retaining good employees is also a very critical component to workplace success. Today, I run a global Managed Service organization for data protection with employees that are scattered throughout the world. Making sure that everyone on the team has a defined career path, goals that have been outlined, and a plan to further build out their technical capabilities is imperative to our group’s success. On top of honing their skills technically, we all get together twice a year for a three or four-day training and team-building event. The team loves being able to interact in a more causal setting and get to know one another offline, in a more personal context. I believe that putting these activities help to build a much stronger and unified team and encourages retainment.