TIAA boosts cybersecurity talent strategy with university partnership

TIAA CISO Tim Byrd and company CEO Thasunda Brown Duckett joined other private sector executives and education leaders at the White House this past August to discuss the nation’s need to address cybersecurity threats.

There, President Biden called out the growing sophistication of attacks and the increasing damage they’re inflicting. He also highlighted the desperate need for more qualified cybersecurity professionals, stressing the 500,000 open private and public sector security jobs due to the worker shortage.

Byrd knows firsthand the importance of having a fully staffed security team and the challenge of achieving that.

But he also has insights into solving that challenge.

Two years prior to the White House event, Byrd had launched at TIAA a new education program that advances his own teams’ skills and also builds security skills among business unit workers.

TIAA

He uses the program to help with both retention and recruitment, thereby easing (if not eliminating) the impact that the talent shortage has on his company.

“We had to look at how to better address the talent shortage we have today,” he says of his decision to create the program.

That message shouldn’t be lost on other CISOs, who will likewise need to create new employee development programs and cultivate new workforce strategies if they hope to get the talent they need, says Deborah Golden, a principal at Deloitte & Touche LLP and the US cyber & strategic risk leader for Deloitte Risk & Financial Advisory.

“There are some mature organizations who have leaned into alternative [talent] models, and the CISOs who do that have been able to attract people,” she says. “Others are still throwing money at this. But that’s not a long-term solution, because at some point they’ll run out of money and that strategy stops being profitable.”

Solving a national issue at the organizational level

Byrd developed his education plan soon after joining TIAA in April 2019. He assessed his staffing needs, employee benefits, and training requirements and saw a need for a more robust offering to retain and recruit workers.

So, he worked with his colleagues in human resources as well as officials at New York University Tandon School of Engineering to create a new educational pathway for workers. Byrd also worked with TIAA’s communications team to create a multipronged marketing strategy to drum up interest.

“I looked at our workforce strategy in TIAA, how we help workers from a career development perspective, what we were doing outside the organization, how we recruit and saw this as a way to help us with the internal piece, to encourage learning, to help retain employees, and to increase employee engagement,” Byrd explains.

The program, which launched in the summer of 2019, has two components: Its Cyber Fellows component allows any TIAA employee who already has a degree in science, technology, math, or engineering (STEM) the opportunity to enroll in a cybersecurity master’s degree. An NYU Tandon scholarship and TIAA tuition reimbursements cover nearly all costs.

Its Bridge to NYU Tandon component allows any TIAA employee to enroll in the NYU Tandon certificate program that provides an introduction to topics across the computer science discipline and prepares students for the Cyber Fellows program. The cost for employees is covered by TIAA, too.

The program’s goal, Byrd says, is to address the national cybersecurity talent crisis on the local level by advancing his own team members’ skills and creating a pipeline for bringing more workers into the profession.

He has seen success from the start: TIAA has had about 50 students enrolled each semester so far.

Part of a broader effort

Other CISOs may need to follow Byrd’s lead and find new, creative, and alternative ways to get ahead of the talent gap, especially as some signs point to a worsening situation.

Forrester Research in its 2022 predictions for Cybersecurity, Risk, and Privacy says data shows that 51% of cybersecurity professionals experienced extreme stress or burnout over the past year and 65% have considered leaving their job because of stress. Furthermore, Forrester predicted that one in 10 experienced security pros will exit the industry in the near future.

Some efforts to counteract those figures are under way, as government leaders and industry groups have launched various programs seeking to bring more workers into the profession.

In September, for example, the Cybersecurity and Infrastructure Security Agency (CISA) with Girls Who Code to get young women interested in tech and cybersecurity careers and to guide them into these fields.

Meanwhile, Marian Merritt, deputy director of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST), advocates for using apprenticeships to draw in and skill up needed workers.

Educational institutions are also stepping up.

Take, for example, the work happening at California State University, San Bernardino (CSUSB).

The National Science Foundation in 2021 awarded a five-year $3.9 million grant to CSUSB for its Cybersecurity Center’s CyberCorps: Scholarship for Service Program. The program awards scholarships to students interested in studying cybersecurity, provides intensive hands-on training in all aspects of cybersecurity and provides access to internships around the country.

Also in 2021 the National Security Agency (NSA) awarded the CSUSB Cybersecurity Center a $3 million grant for its proposal that, in part, creates cybersecurity educational apprenticeships.

Employers must cast a wider net

Tony Coulson, director of the CSUSB Cybersecurity Center, says such government programs are needed if the country wants a fighting chance at closing the cybersecurity talent gap. But he also believes CISOs and their organizations must be open to considering a broader pool of candidates than those they have traditionally sought, with those conventional candidates being people with bachelor’s or master’s degrees in highly technical disciplines and professionals with conventional cybersecurity experience.

Coulson says CISOs also should work with partners such as universities to cast a wider net for candidates and develop programs, such as apprenticeships, to train those candidates in the skills they lack.

“We’re doing our part, and some employers are starting to do more, too,” Coulson says.

Others agrees that CISOs need to do more to boost the cybersecurity talent pipeline by thinking of new programs and policies (as TIAA’s Byrd has done).

CISOs can start by creating a good workplace for their existing workers and then promoting that externally, says Patrick Gray, managing director at Raines International and head of the talent consulting firm’s CSO practice.

“If you’re running a world-class program, people want to join that,” he adds.

Meanwhile, Golden says CISOs must take a holistic approach. They should work with HR teams and other executives to develop plans on recruiting conventional cybersecurity candidates as well as alternative ones. They then should put in place pathways for all of them to develop needed security skills and advance their careers.

“We need more robust efforts to build channels into this profession,” Golden says. “The next generation of cyber professional needs to look different than those 10 or 20 years ago.”

TIAA’s efforts pay dividends

TIAA’s program, at just 2 years old, is already delivering on that, and its paying dividends for Byrd and the company as a whole.

The payback comes in several ways, Byrd says.

The participating cybersecurity team workers bring the business and security skills they gained in their classes back to their roles at TIAA, along with fresh ideas and new perspectives.

Workers are more incentivized to stay, as they have a clear roadmap for professional growth and internal mobility. And they’re more engaged and have higher morale—as measured by TIAA’s own employee engagement surveys.

Meanwhile, the workers who aren’t security specialists who enroll in the program are building new knowledge of cybersecurity practices and policies that they then take to their own jobs. That helps build a culture of security throughout the organization.

“The more our employees understand cybersecurity, the better we’re able to protect our systems and our clients,” Byrd notes.

Just as importantly, those workers are gaining the education and experience they need to move into and/or up in the cybersecurity profession.

Furthermore, the partnership with NYU has allowed Byrd to participate in university career and recruiting events, which has generated 50 candidate leads to date.

Taken all together, Byrd says his efforts have been a win for recruitment and retention at TIAA. But he acknowledges that there’s still more work ahead: “Yes, this is helpful for TIAA,” he says, “but we still have to come together as a nation to deal with the worker shortage we have in cybersecurity.”