“If it’s scarce, it drives the price up,” said McAfee director of systems engineering Sahba Idelkhani. And DevSecOps talent is scarce, and expensive.
Restrictions on international travel are having an effect on immigration in some countries, notably Australia. But there’s practically nothing employers can do about that.
But some aspects of the supposed skills shortage are, in part, self-imposed. One example is recruitment ads that specify “5+ years’ experience required” (or something similar) when that level of experience is only a desirable characteristic.
Such practices don’t just restrict the field of candidates for that particular vacancy, they also make it hard to find entry-level positions. If candidates can’t get a foot in the door, how can they gain the experience that employers say they want?
DevSecOps Change is Needed
Idelkhani suggests that organizations need to change their hiring practices and put more effort into reskilling existing employees.
In particular, if you’re looking for DevSecOps people, he suggests it’s better to teach developers about security than it is to bring security specialists (who are also in short supply) up to speed about development. The result is less rework, reduced risk and shorter development timelines.
However, there is a risk that security specialists will tell developers what they did wrong. Proactively educating developers about security is a more productive approach.
Cloud Academy is one of many sources for online security training courses and includes hands-on labs, sometimes involving the same tools that criminals use to breach security. Other tips Idelkhani offered include adopting a “build secure” mindset to reduce the security effort needed after systems have been created.
A similar perspective can be applied to entry-level positions.
Idelkhani has hired new graduates, even though it requires effort to guide and train them to the point of being productive.
He has even adopted this approach with experienced people that have no background in security, including a former CTO and mobile developers and a pre-sales engineer.
Revamp job descriptions so more people can apply, urges Idelkhani, as aptitude and skill are more important than specific experience, which can be taught.
For example, instead of a large financial services organization recruiting someone with experience in incident response for cloud systems, it would probably be better to hire an incident responder and then sponsor their cloud training, he suggests.
Furthermore, a diversity program increases the supply of candidates, quite apart from the other benefits it may bring.
DevSecOps Training
Employers sometimes suggest training is a waste of time and money because people simply take their new skills elsewhere in search of higher pay.
But Idelkhani reports that his staff turnover has, in fact, fallen over the last three years, and no one has left after being trained.
He puts this down to establishing an “emotional connection” between employee and employer, at least in part.
However, organizations do have to accept the need to pay people what they are worth as they master new skills. But standard HR practices don’t suit skills development situations, he warns.
People usually won’t move from their current role or company for a 10% to 20% pay raise, Idelkhani said, but would be more willing to do so for the 200% to 300% increase that comes from being considered an accomplished worker rather than a mere trainee.
At McAfee, he is able to argue for ‘pay for value’ raises for his team; that task is generally harder at larger organizations, he said.
“It needs a rethink [of] HR practices,” he added.
Planning
Substantial raises tend to require approval from higher up in the hierarchy, and that requires a clear justification for the increase. He suggests this should be done in terms of the capabilities that are being built, not based on the numbers alone.
Managers should look at the skills they are going to need in order to deliver on the business’s strategic goals and plans, and decide how best they can be obtained. An expected DevSecOps vacancy might best be addressed by hiring a cloud developer and training them in the necessary security skills, or by retraining a person with potential who is already on the payroll.
“It’s a long-term process,” though, that requires a lot of management effort, Idelkhani said. Using this method means identifying people’s interests and skills, aligning them with company goals, identifying the skills gaps and then developing those needed skills. This requires a training budget and getting one approved means having clear plans.
But once you have shown the value of this approach, senior management is less likely to question it in the future.