Stagnant wages, high demands, and poor work/life balance compound the skills gap for security practitioners. Here's how your company can better recruit and retain them.
The shortage in skilled cybersecurity professionals is only growing worse, with the projected talent gap reaching 1.8 million jobs by 2022.
"It's definitely a seller's market," said Forrester analyst Jeff Pollard. "If you have security skills, there are plenty of opportunities available for you. If you have an interest in security and perhaps have a nontraditional background but are willing to learn, opportunities are certainly open from that perspective as well."
However, the shortage has left many companies stuck: A recent report from ISACA found that 55% of organizations reported that open cyber positions take at least three months to fill, while 32% said they take six months or more. And 27% of US companies said they are unable to fill cybersecurity positions at all.
Here are five common reasons companies struggle to find cybersecurity professionals, and solutions to help you better recruit and retain them.
1. Demanding too many skills
It's no secret that the US suffers from a shortage of people trained in cybersecurity. However, companies often exacerbate the shortage by demanding that cyber job applicants have mastered a large number of highly specialized practices, as well as soft skills like project management and communication.
"It can be difficult to find employees who possess all of the skills, experience, and intangibles the job requires," said Keri Christman, manager of talent and culture for Rook Security. "This skills gap is compounded by the fact that the industry and threat landscape change and evolve so quickly that it can be difficult even for talented professionals to keep pace with new skills and demands. It's without question a job seeker's market, but it remains competitive because the requirements for the job are constantly increasing."
A good course of action is to prioritize which specialized skills are most important, and hire for those positions, according to Pollard. Then, to fill gaps in your security structure, you can hire a service provider or vendor partner. "They help augment the skills gaps you have on your security team," Pollard said. "Security has traditionally fought every battle, and tried to hire for every skill. You have to get smarter about how you staff your team and what you are going to have internally versus what you'll go external for."
2. Poor compensation
Cybersecurity specialists generally make more money than others working in IT. However, for general security practitioners, pay has remained stagnant, Pollard said. "Whenever I talk to an organization that says 'We're struggling to find security talent,' I tell them to add an ellipsis to that sentence, and add '...at the rates I'm willing to pay for that talent,'" he said.
As mentioned above, companies are often looking for people with highly specialized skillsets who will work for a low cost, which is not practical, Pollard said. "They're trying to hire someone that can do incident response, malware analysis, firewall management, and design cryptographic algorithms, and are paying that person what they would pay a firewall engineer," he said. "You're not going to find that person."
"There are a lot of openings in the security profession, but the dream list of qualifications they want is either not realistic, or definitely not realistic for the pay grade," Pollard said.
As important as security is, no company has an unlimited budget, said James Stanger, senior director of products at CompTIA. "Costs--including salaries, software, hardware, training and certification--are all considered very, very carefully," he said. Companies need to be selective about the skills they truly need on staff, and willing to pay competitive rates for those skills, Pollard added.
3. Overlooking talent
Current employees, recent graduates, veterans, and women are all untapped cybersecurity resources, Pollard said. Companies struggling to find cyber employees should consider cross-training current staff members, particularly those already in IT, he added. For example, your web app developer could become a web security assessment resource. Job rotation programs, in which people try out security roles for a set amount of time, can help identify talent, Pollard said.
Women comprise only 11% of the cybersecurity workforce, according to recent research from the Center for Cyber Safety and Education and (ISC)². "Companies should reexamine their cyber recruiting practices and ensure that women are included in the interview process," said Suzanne Hall, managing director in PricewaterhouseCoopers' cybersecurity practice. "Once on board, pair new hires with strong female role models and mentors within their organizations to build relationships and provide personal and professional support."
Working with local universities to create internships and jobs for students and recent graduates is another way to build up your talent pool, said Rob Clyde, a member of the ISACA board of directors. "A lot of times people only want to hire those with experience, but it is worth exploring how you can bring people into the organization and the field that are straight out of school and help them gain the necessary experience so they will be great employees," Clyde said.
4. Poor work/life balance
Achieving a true work/life balance in cybersecurity is difficult for two reasons, experts said. For one, for many people in the industry, security is not only their job, but their passion and hobby as well. "Because of that, work/life balance is less important," Pollard said. However, as people from more diverse, non-tech backgrounds enter the field, companies must consider work/life balance policies, as well as the age of the workforce and their values, he added.
Though the hours might not technically be 24/7, cyber professionals are often responsible for responding to alerts, no matter when they occur. "They're on call because of the possibility of a breach," said Deidre Diamond, founder and CEO of CyberSN and #brainbabe. "When you go into incident response mode, you might not be home for days, because you're working around the clock." This is especially true for environments with high attack surfaces, such as Fortune 500 companies and government agencies, Diamond said.
This makes the term "work/life integration" more accurate for people in cybersecurity, Clyde said. "It's definitely a field you go into because you love it," he said. "If you're one of those individuals that wants a 9-5 job and to never be bothered after those hours, this is probably not for you. If you are looking for a job with a lot of flexibility and remote work, you could really enjoy it."
To incentivize people to take these jobs, companies can consider offering benefits such as working remotely and flexible hours to make up for time spent working outside of regular business hours, experts said.
5. Inefficient recruiting processes
Hiring processes at many organizations are inefficient and lengthy, which can cause companies to lose candidates, Diamond said. And it's no longer enough to simply post a cybersecurity job online and wait for applications to appear in your inbox, she added.
"Recruiting is a constant," Christman said. "Organizations need to be present in the community creating a strong reputation for being an enjoyable place to work. We need to be at conferences, events, hosting lunch and learns--making sure that people know who we are, our mission, our vision, and how they can grow with us."
Companies need to network the same way employees do, said Veronica Cuello, vice president of information assurance and cybersecurity at eGlobalTech, through LinkedIn and groups like ISACA that hold frequent meetings of cybersecurity professionals. Because the world of cyber is small, some of the best ways to find talent are through people already in your network and by offering referral bonuses.
"If you're looking for the high-demand people, you have to strike while the iron is hot," Cuello said. "If you find somebody you like, put together a good package for them. Get to the bottom of what they're looking for--compensation or telework or whatever it is you have to offer them to get them to come on board."