Cybersecurity hiring and retention challenges in 2023

Scott Scheppers, chief experience officer for AT&T Cybersecurity, weighs in on how his team is addressing the cybersecurity talent shortage. This is part one of a two-part blog.

The boundaries between the physical and digital worlds are blurring. The Internet of Things (IoT), artificial intelligence, blockchain technology, and virtual reality are buzzwords that have already made their way into everyday language. Services that were traditionally hardwired, such as copper landlines and traditional PBX systems, are being brought online through cloud computing and Voice over Internet Protocol services. For many businesses, the chosen catchphrase to describe this movement is 'digital transformation'. According to Forbes, this transformation is not only growing at an exponential pace but is also one of the most impactful business trends in 2023.

While this shift promises increased efficiency and growth, it also opens more opportunities for cybersecurity attacks and, consequently, an accelerated need for cybersecurity experts. Unfortunately, the latter part is where the industry is facing a challenge.

The (ISC)² 2022 workforce study revealed there is a shortage of 3.4 million cybersecurity specialists, an increase of 26% from the previous year. Meanwhile, the Bureau of Labor Statistics reported that the field is expected to expand by more than 33% from 2020 to 2030. The industry’s need for skilled cybersecurity practitioners is, in fact, growing faster than the number of people entering the field.

To address some of these pressing issues, Scott Scheppers, chief experience officer (CXO) at AT&T Cybersecurity, offers insight into how his team is meeting the challenge of hiring and retention. Scheppers has more than 30 years of experience in security, and his team staffs nine global network and security operations centers that run 24/7/365. Throughout his career, Scheppers has witnessed the industry’s explosive growth firsthand. He was on the front lines of national defense before cybersecurity was even a fully developed concept.

“When the cyber domain began growing in the late ’90s,” says Scheppers, “it wasn’t even called cybersecurity. There was just a bunch of IT professionals worried about keeping the IT department running. They didn’t think operationally. They just had to service desks, close tickets, and make emails work. Then, in the late '90s and early 2000s, we had demonstrations of how easy it was to hack someone’s email. That was just the beginning.”

He continues, “When I first started in the Air Force, I was an intelligence officer. In intelligence, you focus on what the adversary is doing, collect information, and analyze it. This is different from the IT department, which is mainly focused on keeping things running.”

“In the intelligence team, our focus is the adversary. We needed to be constantly thinking strategically about how to combat the rise in cybercrime. And so, our team was perfectly positioned to transition into cybersecurity. I entered the Air Force as an intelligence officer and was the head of cybersecurity by the time I left. During this time, I watched the transformation of cyber into a critical warfighting domain. It was a crazy time of sink or swim. I am grateful to have been part of teams that led our national response to key cybersecurity events.”

After Scheppers’ time of service in the government, he accepted a position in AT&T’s Cybersecurity department. Today, he oversees the operations team that runs all of AT&T’s managed security services. AT&T is, in fact, among the top cybersecurity services companies in the world, providing cybersecurity consulting and managed network and security operations for small to large enterprises, as well as mid-size business and government organizations.

Scheppers saw a difference in leadership style in his transition from government to civilian organizations. “In the Air Force, leaders essentially ‘own’ every aspect of their airmen’s lives; when you want to move someone for vitality or the betterment of the unit, they don’t get a vote. In civilian organizations, people do get a vote on who their boss is. In fact, people often follow a boss from job to job. This adds a wrinkle to leading the organization. You must win the hearts and minds of your team daily by growing and delivering for them.”

He describes his current position of leadership. “Today, I have great people that are doing great things in my organization. If I set the table correctly, I hope for a relatively boring day where I can focus on touchpoints or strategize on higher levels to plan the next steps of the organization.”

What are the biggest misconceptions about hiring in Cybersecurity?

According to Scheppers, one of the biggest misconceptions in entry-level Cybersecurity recruitment is that certifications equate to potential and capability. “People often think they need to hire someone with a bunch of certifications to be successful,” Scheppers states, “But I don’t think entry-level workers need to come in with piles of certifications. If they have them, that’s great, but these certifications alone don’t translate to a great hire.”

“In my organization, we look for people with inquisitive mindsets who like to solve problems – like the detectives in CSI,” Scheppers adds with a chuckle. “Of course, you can’t loathe IT-related things, but the truth is, you don’t need a cybersecurity degree to get started. If you have basic computer skills and an inquisitive mindset, you are off to a great start.”

Scheppers believes this common misconception is one of the reasons companies struggle with hiring cyber professionals. “Right now, there is a shortage of people in the field and it’s highly competitive to hire existing professionals. If companies only accept entry-level people with all the right certifications, they’re going to end up paying a high price. The key is to train your people. Then, you can also build your own culture in the process.”

“A few of the characteristics I look for are from Patrick Lencioni’s definition of an ‘ideal team player’,” Scheppers adds. “Ideal team players are people who are hungry to learn, humble, and people smart. These qualities are foundational to healthy organizational cultures.”

When recounting previously successful hires, he shares that they have hired people who came from selling entertainment packages door-to-door or pulling fiber lines in the attics. “Although they weren’t your typical cybersecurity hires, they had the qualities we look for. So, you bet we brought them onboard. Not only have they been outstanding performers, but they have also grown into key leaders of our operation.”

While this hiring mindset may apply to entry-level hires, Scheppers clarifies that this is not a rule across the board. “If I need someone with specific experience who can hit the ground running from day one, I’ll have to find someone more experienced.” In such cases, those specialized, verifiable skills and training are important.

He adds, “Certifications and courses are valuable, and they matter in this industry. They help provide credibility and sharpen skills. For those who come in and don’t have the education needed to succeed, we provide them with opportunities to grow here! Just note that certifications are not the only metric for bringing an entry-level hire onto the team.”
