Recruitment and retention of ‘cyber ninjas’ doesn’t have to be a dark art, report says

Those on the front lines of the cybersecurity workforce crisis are dogged by one question above all others: how to recruit and retain the highly technically skilled personnel they need.

Now, thanks to the SANS Institute, they have some fresh answers — at least in the government contracting sector.

The institute, an information-security training provider and research clearinghouse, analyzed a list of the top 100 U.S. government contractors, and identified the eight companies which score highest on two indices reflecting metrics developed by the Center for Strategic and International Studies think tank last year.

The eight firms are all major U.S. defense and intelligence  contractors, called systems integrators because they build IT and other business systems for the government by assembling hardware, software and services from multiple vendors.

According to the SANS analysis, the eight companies have had “remarkable success” in recruiting and retaining the highly technically skilled individuals that the CSIS report dubbed “cyber ninjas.”

The CSIS report found three top factors that cyber ninjas listed as more attractive in a place to work compared with their non-ninja colleagues. They were:

• Employer-provided or funded technical training.
• “Engaging and challenging tasks” at work.
• The opportunity to acquire seniority without going into management.

“We were looking for characteristics of organizations that made them attractive to the people that we came to call cyber ninjas,” CSIS report author Franklin Reeder told CyberScoop.

Cyber ninjas are the highly technically skilled individuals that an organization needs a critical mass of on the front lines before it can be “cyber competent,” said Reeder, cofounder and director of the Center for Internet Security.

And the imperative to recruit and retain these individuals is complicated, because there are a plethora of certifications in the cybersecurity field.

Ninjas tended to have more and more various certifications then their non-ninja colleagues and certain technical qualifications were much more common among ninjas, Reeder explained, but there is “no single qualification or certification.”

In the end, “We defined cyber ninjas by what they did,” said Reeder. In the cyber operations field, “[Job] titles don’t mean anything.”

“Ultimately, we wanted to provide a basis for what SANS is now attempting to do — actually identify the best places to work,” he said.

Ideally, this would create “a virtuous cycle of competition” between companies for the best cyber talent, he concluded.

SANS compiled two indices based on the CSIS metrics — one measuring the density of certifications among employees; the other benchmarking the availability of advanced training — and applied them to a list of the top 100 government technology contractors.

“The concentration of employees who hold highly technical certifications is a valuable, though imperfect, surrogate measure for concentration[s] of ninjas,” reads the SANS research.

• The “advanced certification ratio,” or ACR for each employer is “the number of advanced technical cybersecurity certifications held by the company’s employees divided by the company’s federal IT and other systems integration and engineering revenue.”
• The “cybersecurity training ratio,” or CTR is “the number of intensive cybersecurity classes attended by the company’s employees divided by the company’s federal IT and other systems integration and engineering revenue.”

To add a qualitative dimension to their work, SANS researchers are interviewing cyber ninjas at each of the eight firms that came out ahead:

• Booz Allen Hamilton
• CACI
• CSRA
• General Dynamics
• Lockheed Martin
• ManTech
• Northrop Grumman
• Raytheon

While welcoming the SANS research, Reeder cautions against over-interpreting the data, noting the select nature of the sample, and the difficulty to applying statistical rigor to matters of judgment like defining the best place to work.

“This has not yet reached the level of science,” he said, adding, “It’ll always be to a degree subjective.”