Chances are that right now, your company has unfilled cybersecurity positions. Whether those roles are for analysts, software developers, penetration testers, or systems/network engineers, the reality is the same – there is an ongoing shortage of skilled cybersecurity professionals.
A 2021 report from Cybersecurity Ventures laid out the cybersecurity skills shortage in stark terms: The number of unfilled cybersecurity jobs has grown by 350% over the past eight years. In the U.S., the cybersecurity workforce consists of more than 950,000 jobs, yet half of them are currently unfilled.
Like many other companies, Leidos, a Fortune 500 science and technology solutions provider with 44,000 employees globally, recognized that the cyber skills shortage could eventually affect its ability to acquire and retain enough cyber talent. Without taking steps to address the issue, competitors can lure away qualified cybersecurity workers from existing positions with offers for more money or attractive benefits.
In 2019, Leidos’ Cyber Workforce Development team began tackling the issue in earnest.
“We knew we needed to find a way to entice employees and show them that the organization is investing in them – and if cyber is a critical requirement, let’s invest in those people who want to go into cyber,” said James “Slim” Beamon, a senior cybersecurity manager who had also worked as a cyber instructor for organizations such as ISACA, ISC2, and CompTIA. Beamon joined the team in mid-2019. He became the Dean of the CyberEDGE Academy in early 2020. EDGE stands for “Engage, Develop, Grow, Experience.”
Designing a Cybersecurity Education Program
With the goal of building Leidos’ cybersecurity bench, the group began to invest in employees’ cyber education and upskilling. As part of the education arrangement, program participants would agree to stay with the company for 18 months after taking the training. The investment would extend not only to IT staff who wanted to expand their cyber expertise but even to nontechnical employees interested in cybersecurity.
Leidos also decided that it wouldn’t turn away anybody who met cybersecurity experience requirements. The company even plans to support non-Leidos employees in the future.
It's a good deal for everybody, Beamon said. The typical candidate receives about eight months of training, including more than 500 hours of knowledge-based training, and about 100 hours of lab-based training. If they were to price that training separately, it would be much more costly, he added.
Leidos then created a mentoring program to support its candidates throughout the program and beyond. Its training partners include the InfoSec Institute, a cybersecurity training company, and SANS Institute, which helps with advanced training in areas like cloud penetration testing and advanced malware reverse engineering. All parts of the program are based on a virtual, on-demand platform.
When applicants enter the program, they go through a process to get what Beamon calls their “Cyber DNA.” Cyber DNA identifies each person’s unique capabilities and is used to create a focused curriculum. Program participants also get a personalized roadmap for achieving their goals.
While following their personalized roadmap, participants can learn about any aspect of cybersecurity they are interested in. They can also gain several different types of cyber certifications, including CompTIA Security+, which focuses on network and application security, compliance, and cyber threats; and the Cybersecurity Analyst (CySA+) for continuous security monitoring. Both are excellent certifications for becoming a SOC analyst, Beamon noted.
Along the way, participants can consult with their assigned mentor, who can work with them on everything from becoming more comfortable with virtual training to discussing opportunities. That’s important, Beamon said, especially for people who are outside the traditional demographic of cyber employees.
The Results Speak for Themselves
So far, more than 100 people have gone through Leidos’ main program. An additional 30 have gone through the advanced training offered through SANS. The majority of participants have been Leidos employees.
The program also seems to work. It has a 95% finish rate and an 85% placement rate. And these aren’t low-level jobs.
“You would think a brand-new cyber defense analyst would come in at the very lowest level, but our candidates very quickly move up to the next level,” Beamon said. “From there, it’s only about two to two-and-a-half years to the mid-level cyber-defense analyst ranks. And they can always upscale their current training and rise even higher.”
As Leidos looks at ways to improve the program further, decision-makers are considering adding more self-paced training, which Leidos offers in other training programs. The company is also considering adding more Leidos-specific training, geared to the specific work Leidos does for its customers.
About the author
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.