So what can we do about this, in practical terms? Well, one of the strategies, that I’ve talked to a couple of people about this in healthcare, It’s embracing security excellence. Right so, if you’re looking to bring new talent to your organization in cybersecurity. If you say, “look, we are really committed to security,” that’s good. but if you’re like really really committed, and you’re like we’re going to be a center of excellence for security in healthcare, that appeals to a certain kind, and I think a particularly good kind, of cybersecurity person. And it’s one draw that doesn’t cost you money in terms of salary but it’s a positioning which obviously is good for the security of the organization if you can get the organization to commit to that. Also, commitment to ongoing education, mentoring, and both hard and soft skills. So it’s not just a question of hiring somebody as a security analyst and sending them on on tech classes but but also, if you’re nurturing talent, you need to bring out the soft skills. and I’ll show you a chart later about the importance of soft skills in cybersecurity professions. In your hiring process, you need to use the standard terms for knowledge skills and abilities. In a way, nothing says, “we don’t really get security” like a badly written job listing, right? So, these laundry list job descriptions that I refer to, are you know just, “we want you to do this this this,” and it’s this long list of undifferentiated things which are typically done maybe by different people than the one whose title is in there. Craft the requirements with care. You don’t need a 4 year computer science degree for every security hire. You don’t necessarily need certifications for every hire. if you’ve got people who can get certified when they’re with you. And try to help HR to help you. If you’re working on your internal talent, and you know if you’re in a rural location or a non-urban area. this may be your best approach: is to look for people in-house, who are interested in security, who seem to show an aptitude for it. Bring them on. Nurture them with mentoring, training, conferences and recognition. It’s strategies that I think can help you nurture that internal talent. And I’ve met some terrific people in security in healthcare, who you know, they’ve been in the same organization for 20 years and they’re running the security now and doing a very good job. So helping human resources to help you, you need to take time to explain the nature of cybersecurity work. It’s different from other kinds of work; quite significantly in some ways. Have input on the job listings. Offer to help with resume screening and initial candidate evaluation. Some security people don’t present the same as managers or account representatives. They’re quite a different bunch, some of them. But that doesn’t mean they don’t have the skills, ability, and potential to do your security. Be clear about what you’re looking for and how to recognize it. And look at this.This is the value placed on different attributes by security professionals. and communication skills comes right up there, followed by broad understanding of security field, and awareness and understanding of the latest security threats. If you’re hiring at the entry point in security, those communication skills are something which you can nurture but you you want to be able to do that and when you’re hiring at the higher end, it’s going to be very important. If the person in charge of cybersecurity can’t explain why a particular new wave of ransomware requires a particular response, you’re going to be in tough shape. If they can’t communicate that down to the technical folks and up to the board.