Episode 7: Dan Maslin
Cia: Welcome to Employee Activation, the HR podcast that takes you into the minds of some of the world's brightest workforce strategists to find out how they make both their employees, and their organisations thrive. Talent shortages, skills gaps, and evolving workforce needs. These challenges aren't unique to any one industry, but cybersecurity, one of the most in demand fields today, provides a powerful case study for how organisations can rethink hiring and workforce development.
I'm Cia Kouparitsas, and today I'm joined by Dan Maslin, Group Chief Information Security Officer at Monash University. Dan has been a champion for changing the way organisations think about building teams for years. Instead of relying on traditional hiring methods, he's embraced a skills first approach, tapping into talent from non-traditional pathways to create resilient, high-performing teams, and we are going to be digging into that today.
Welcome to the podcast, Dan.
Dan: Thanks for having me, Cia
Cia: Dan. Now before we dive into the conversation, I would love you to tell us a little bit about your career journey. How did you end up leading cybersecurity at Monash University?
Dan: Yeah, so I've sort of come full circle. So I did a degree back over 20 years ago at Monash.
And so, a few years ago when I rejoined, it was quite nice, full circle there. But I left university, I went into, I guess generalist IT, so I sort of came up through, you know, the help desk and the desktop support and went into some of these, infrastructure type roles. So very technical roles, and went into a few leadership roles 10 or 15 years ago leading probably, you know, teams of 10 to 20 people.
I worked all over the place. I was in Australia here, I was in, I did two stints in London as well. And in almost every industry you can you can imagine, but I landed in the architecture and sort of design space and found sort of my, my skillset was pretty good there in terms of doing road mapping and, and long-term planning for IT infrastructure and IT teams.
I guess over the years, well, probably about 10 years ago, I had the opportunity, I built out a three-year roadmap for an organisation on the cybersecurity front. And they said, Hey, we're going to establish a new team to deliver this capability. Are, are you interested in heading up the teams? I was the, the head of cybersecurity for that organisation and I guess I've been doing that uh, that type of role for about 10 years now.
Cia: Wonderful. I always love hearing how people get into cybersecurity because it's such an important aspect of the world today and there is so much growth. And that kind of is a great segue, I think, into the topic for today's episode.
We hear a lot about talent shortages across industries, particularly for those high demand areas like cyber, and I would love to get your view of why you think so many organisations struggle to find the right people for these roles, these kinds of cyber roles.
We hear it all the time.
Dan: There are very niche roles, and it's a very fast changing environment, and so I think hiring managers realise this, the majority of them, but you're not gonna find somebody with 10 years’ experience in securing something like AI or a trend from a little while ago, you know, blockchain or something like that.
But you can find people that have skills, problem solving skills. They have an inquisitive mind. They're fast learners. They're adaptable. I'm not convinced there is a talent shortage in cyber. There's definitely some roles that are really niche and, and, and, you know, they may stay open for a bit longer than others, but I think you are not gonna find someone that's done the same role before.
It's very difficult to find someone with five to 10 years’ experience of an emerging technology.
Cia: I think the other thing with cyber is, and, and I've heard this from a lot of different cyber leaders, the importance of diversity in that particular field is, is a really important aspect to consider. And I think this is kind of getting into how we started to build our relationship with you, Dan.
I know the team at WithYouWithMe has been working with you and the team at Monash University for a number of years on the workforce problem. And what I love is that you have taken a very different approach to workforce development in terms of building pathways for people from different backgrounds into the organisation.
Can you talk us through sort of what led you to that and how it's worked for you guys?
Dan: I guess at the highest level, three or four years ago myself and my leadership team came together and, and realised that we wanted to retain the talent that we did have, and we wanted to have a pipeline of talent that were available if positions came up or if we needed to expand.
So we actually built an attraction and retention framework within our team. So there were six streams within that. One of them was around unique sources of talent. So one was around retaining. And so we do, when we have someone in the team, we have a clear career pathway through the team. So, moving to different roles as they, as they improve their skill sets and have more experience.
And tied into that is professional and personal training and, and development as well. But from the unique source of talent perspective, we ended up landing on two things. We are fortunate, being a very large university, we have over 90,000 very smart students. And so we've tapped into those students as well as a source of talent.
So we built internally what we, we call the cybersecurity Student incubator program, where we take typically third year students and we employ them usually around three days a week for at least 12 months. At the end of, end of their degree while they're still studying. So that's a, a unique source of, of talent and we've had some fantastic folks come through that program.
So really, really smart typically young people, not always, but typically young people. And then the second one was looking again at unique sources of talent. So how, how can we help people transition into cybersecurity, into the cyber team? And we landed on, WithYouWithMe. So we ran a pilot program to try that out.
That was probably about three years ago, and we've expanded on that since then. And if I just think, you know, more recently, probably the last two that have landed in, in the cyber team I think one's come from a aged care background and the other, another one's come from a defence background, but they had some awesome skills that we felt that they could transition and, and be very successful in, in our cyber team.
Cia: That's wonderful to hear and I, I would love to hear more about your perspective on balancing that life experience with technical skills in hiring decisions. How does that play out practically for you? Because obviously you need someone to have those, those technical hard skills to be able to hit the ground running, but the value of bringing, you know, diversity of thought and life experience certainly comes to play in the cyber sphere as well.
Dan: So we are a large organisation. We've got 40,000 employees, 90,000 students. We've got a fairly large IT team, almost 700. So we've, we sit about around 50 to 55 staff within the cyber team. So we have some really niche roles, which means we have really diverse skill sets that we need. So you're right, there are some really technical engineering type roles, but there's also a lot of design roles.
There's a lot of training and awareness type roles. We have risk and compliance, which is a different skillset again. Project managers, business analysts, a whole lot, and as well as the, the people leadership side. So I guess depending on the role, we can look for those transitional skills to, to fill those, fill those gaps.
But I think, you know, like I just mentioned the, the two examples before we've seen, in both of those cases, those people bring in their learnings from other organisations and other industries and say, Hey, have you thought about doing it this way? Have you thought about doing it that way? I've seen this work. I, I've seen this not work.
And so I think bringing in people from different organisations, different sectors, different parts of the world, different stages of their career, the way that they think about things from a neurological perspective, like I think bringing in a real mix of people helps you succeed a lot more.
Cia: I love that, Dan, and I think it's interesting because a lot of the time hiring from non-traditional pathways is considered a diversity initiative. But for Monash, I think we've seen as a really powerful strategy or you know, you've demonstrated it's a powerful strategy for building a more capable team, as you've just articulated there.
When building a business case for these kinds of initiatives and you know, some organisations, it may not be as easy to implement an approach where you're looking for alternate pathways, but what tangible business benefits would you really say help with building that case.
Dan: So from a business benefits perspective, we, in our, in our team and with the, through the, WithYouWithMe program, we've had a very high retention rate.
So, within the cyber sector generally, it's got quite a high turnover, and I think we see people typically leave a role within two to three years. We haven't seen that. We've managed to retain them, so we're doing something right there. But you're right, we, we don't, we don't approach it as a diversity initiative.
We're approaching it as let's make a welcoming, nice environment for, for people to, to work in, to learn in, to develop in, and we would then welcome everyone from, from all walks of life to come in. And that works well for us. We've gotta be welcoming for people. There are different stages of their personal and professional life.
Be flexible understand where, where they want to go with their careers understand where they wanna work from, how they wanna work, all, all those sorts of things. And I think if you, if you provide flexibility in all those different aspects of the role, naturally you will get a lot of different diverse people apply for those roles.
Cia: It's great to hear in particular those retention metrics because I think that is one of the biggest challenges leaders face in society today, they're bringing people in and the cost of those individuals moving on is certainly something that if we can mitigate it in any way, you know, you're gonna wanna try those new tactics.
I'm curious to explore this idea of using data to make decisions as to how you form your team. I know many organisations still rely on resumes and, and more traditional recruitment processes in terms of how they select their candidates. So what has someone done today as a demonstration of what they could do tomorrow for, for the organisation.
But Monash, through your partnership with, WithYouWithMe, leveraged psychometric testing and some data-driven insights to start to make some of those hiring decisions. How has that changed the way that you think about hiring now?
Dan: It was an eye opener to, to change the way that we went through the recruitment process. But it probably happened around the same time that we had our cybersecurity student incubator program as well, which was very similar.
So we have typically people coming through both of those programs that haven't done that particular role before. So a CV, or a work history is not gonna be as, as helpful in those cases. So we do have a hybrid approach now, so we still have our internal organisational processes that we need to follow.
But we merged those with for example, the, the psychometric testing that you referred to there. Again, I'll go back to the, just the two recent examples of the, WithYouWithMe program placements we've had through them. In both cases, the hiring manager said to me after the first week, both of these people, it feels like they've been here for a year.
Because we did the psychometric testing of both the candidate and the team. We matched everybody together and they just gelled so well. Personally, I hadn't seen that approach before where both sides of the equation were sort of tested and, and, and measured, probably measured is probably a better word there, but yeah, it worked really well.
And again, we've had a very high retention rate for, for those that have come through the program as well as our incubator program as well.
Cia: So good. The power of data and certainly I think that culture fit can't be underestimated. You often hear, you know, the, the idea that skills can be taught and getting the right culture fit, the right attitude and personalities in the team is really what makes them sing. So I'm so glad to hear that's working well for you.
I am also very interested in understanding your advice for others who might be starting to embark on this journey? You know, as I mentioned earlier, not all organisations are as progressive in their thinking around moving away from traditional hiring models towards alternative pathways.
What advice would you give to those who are looking to, to step down a similar path?
Dan: So I spoke about our framework earlier. One part of that was to understand the skills that we had in the team and, and the skills that would exist in a cybersecurity team. So we used industry frameworks, so SFIA was one of them.
It's a common IT skills framework and the NIST - NICE frameworks a cybersecurity specific ones for workforce skills. So we used those, both of those combined together, and we built a bit of a heat map, so understood where we were really heavy in skills and then where we were light. We looked at the ones where we were light and made decisions around, we're probably gonna outsource those or get those from external, or we wanna invest in those as well.
So when it came to having roles to go through the, WithYouWithMe program, we knew the skills that we wanted to, to fill right down to the SFIA codes for each of those skills. And we could write position descriptions exactly for those skills. So I think you, you need to take a bit of a step back and understand what sort of skills you're looking for.
Then have a think about can those skills be either taught through training on the job or can they be sort of transitioned from, from other roles. And like I said, we've seen great success in the half a dozen or so come through the team in the last couple of years.
Cia: Great. And I'm interested to hear about your use of SFIA and skill frameworks more broadly.
So this was an exercise you obviously went through to understand the capability you needed to bring into the team, but more broadly, do you look at skills in terms of the general management of the team, where people might have the opportunity to grow and progress their career, where there may be gaps that need to be addressed?
Is that something that you're sort of using as a, a team wide approach?
Dan: That's one of the other streams in our internal framework that we have, which is the career development and the career pathway. So, each of our team members would be aware of what the next role could be within our cyber team and what they would need to do to get there and roughly the, the timeframe.
So through that, we, we sort of work out whether it's professional or, or sort of technical skills or whether it's more maybe people management or other types of skills might be writing, report, writing, communications, presenting, those sorts of things that they'll need to work on with us over the next whatever it is, one or two years, and we build out a personal development plan over the next one to two years to complement that.
So we do have that nice pathway through the team. Like I said, there is quite a high turnover in cybersecurity. We've been very fortunate. Our regrettable loss or, or turnover has been single digits for years now, often zero. I'm very happy with that. But you know, we always say we expect someone in cybersecurity to be in a role for two to three years, but we hope people will do two to three roles within our team.
So we're hoping for something like four to six years of an employee. Love for 'em to stay on longer. But you know, realistically within cybersecurity, there's, there's quite a large, large turnover.
Cia: It's a great use case though for the value of taking that skills-based approach and how it can ultimately lead to, you know, greater engagement of your, your team members, giving them the career path that, you know, will keep them with the organisation for a little bit longer. So yeah, really interesting to hear and learn about that one, Dan.
Now the final question, and it's one that we ask all of our guests, is your personal advice in terms of what you've seen in your current role, but just throughout your career as well when it comes to activating your employees to help them realise their potential in a role in an organisation.
We know that it helps to align someone's aspirations with the organisation's goals. How do you typically go about doing that in terms of making sure that there's a match between what the individual wants to achieve and what the organisation needs them to achieve?
Dan: I've probably been saying this for over 10 years now, but I see my, my role and, and leaders typically of large size teams got two roles.
One is to set the vision for, for one to three years, and then number two is to clear the roadblocks so people can deliver on that. And so I think I find if you set a roadmap for three years, and typically in it and, and cybersecurity in particular, it's hard to sort of define something longer than that 'cause everything's changing so rapidly.
But you can define a roadmap and a vision for three years that's aligned with the organisation. On many levels that works well. So, at the, at the high end of town with the executives, they can understand where references gonna be made and, and the outcome over multiple years. But then within the team, people are able to see how the work they do contributes to the bigger picture.
But it also gives them the opportunity to say, Hey, for example, next year I can see there's this initiative or this project, that's a bit of a stretch project for me. I'm interested in that. How can I get on that project, how can I lead that initiative? And then again, we go back to then building out their development plan to make sure that they've got the skills to either be able to deliver that or, or learn through that project.
So I think setting that vision is something that I think leaders, that's almost their primary job within an organisation is, is to set that vision. Then clear the roadblocks for the team to, to deliver on that vision.
Cia: Such great advice, Dan, and what a, what an incredibly insightful conversation. Thank you for taking us through not only the work that we've done that we're really proud of with Monash, but just more broadly how as a leader you've really led from the front in terms of providing different avenues into your organisation and into meaningful cyber careers for people.
I think the work that Monash is doing is such a powerful example of how organisations can unlock more from their people and tap into untapped pools by taking a, a different view of things. So thank you for being so generous with your time and insights.
For our listeners who wanna learn more about Dan's work and the strategies that were discussed today, you can head to our website that's WithYouWithMe.com, and check out the Employee Activation podcast page.
We'll make sure we put up links to additional resources and information on some of those skills-based hiring and workforce transformation projects.
Dan, thank you again for joining us, and we'll see you all next time.
