A number of high-profile cyberattacks on critical U.S. infrastructure have brought conversations surrounding network security to the forefront for companies around the globe. In May, Gartner forecasted risk management service and information security spending to exceed $150 billion in 2021, representing a 12.4% increase from 2020. As organizations look to onboard new talent amid a tight labor market, a speculated Great Resignation of sorts could complicate operations in the months ahead. But there are strategies companies can implement to attract, recruit and retain their top security talent.
Remote work, cybersecurity and IT burnout
At the onset of the coronavirus pandemic, companies transitioned to remote operations on short notice. With the switch, employees were left to finagle home offices on the fly and companies implemented new virtual collaboration tools to enable a remote workforce. Originally, the priority may have been ensuring business continuity, and some organizations may now need to focus on bolstering network security.
“Many companies didn’t use Teams or Zoom prior to COVID-19. These solutions were executed rapidly and now in some circumstances, there are security holes needed to be fixed because of the great rush to go digital,” said Nathan Beu, a partner in West Monroe’s technology practice.
Cyberattacks surged during the coronavirus pandemic and recent high-profile attacks on U.S. facilities have led to supply chain disruptions across industries. Increased ransomware attacks, alongside companies building and maintaining the “infrastructure and resources needed for remote work and a digital presence,” have also led to a “heavier workload” for IT and cybersecurity employees, Beu explained.
Employee burnout and the “newfound freedom” of long-term remote work are some of the top factors driving high turnover right now, Beu explained.
“We’re seeing an uptick in demand in the industry, especially security, as that’s become a very hot market due to the attention recent cybersecurity events have received,” Beu said, citing the Keystone Pipeline and Kaseya attacks. “As a result, firms are paying a premium to get good talent in the door,” he continued.
Kevin Hanes, Cybrary CEO, said he doesn’t have any recent quantitative stats related to high turnover among security professionals, while noting that it “seems like there is more movement than normal” from what he’s observed in his professional network.
“Cybersecurity recruiting always seems to be at ‘high speed.’ I do believe that some people were waiting for ‘post-covid’ to make a job change, so it makes sense that companies could be seeing higher turnover,” he continued.
Cybersecurity hiring and retention tips
To prevent a mass exodus of tech talent, companies can take proactive measures to attract top professionals and retain talent. Hanes said that companies need to “invest in learning and development opportunities, as well as their people, if they want to keep them.”
“Investing in your people generally improves acquisition and retention. It also helps an organization with costs and to be able to handle the attrition that will no doubt happen in a competitive talent landscape,” he added.
To recruit top talent, companies are pulling out all of the stops, offering flexible work arrangements, signing bonuses and more. At the same time, companies could also be looking to poach top talent amid a tight labor market.
There are a number of strategies employers can keep in mind when attempting to recruit security talent, although one approach may involve looking to groom top internal talent, rather than looking elsewhere for top security talent.
When seeking out new security talent, hiring teams could also consider professionals with nontraditional occupational histories. Mark Adams, chief security officer at Adobe, said “recruiting security talent from nontraditional backgrounds is quickly becoming one of the industry’s strongest assets.”
“Teams work better when they have unique and diverse perspectives to help solve complex problems, which is why companies should consider a spectrum of skills to help fill these critical security roles,” Adams continued.
Internally, Adams said identifying candidates who have a “particular curiosity in cybersecurity can be another great resource.”
“Internal mobility can help further bridge the gap giving employees new challenges and providing fresh perspectives,” he added.
In general, Hanes said that it’s difficult to “attract people who are already security professionals” adding that companies need to be “really good at finding people with the right fundamentals, drive and curiosity” and then investing in these employees.
High turnover presents both labor and economic burdens for companies. To this point, Hanes said “the cost of onboarding a new employee is astronomical compared to investing in learning and development opportunities.”
“Organizations need to invest in their employees’ professional growth and ensure they have the resources they need to skill up in their role and grow with your organization,” he said.
Upskilling and micro-credentials have been popular for many professionals looking to brush up their resumes over the last year. However, these programs and educational opportunities could also prevent in-house turnover and exodus-induced brain drain.
“One of the most common reasons people leave a job or come to us for training to find a new one is when they no longer have the opportunity to grow or don’t feel they have a clear path forward in their current role,” Hanes said.
Interestingly, Hanes also discussed what he described as a “common misconception” about additional training leading employees to “leave for greener pastures” once upskilled, adding that this is “simply not true.”
“Well-supported employees are more likely to stay as long as they are seeing value in your organization,” he said. “The greater risk is having people and not training them nor providing them with development opportunities and a clear path at the organization.”
Ironically, withholding training opportunities to prevent talent from walking out the door could have the opposite impact on workforces.
“Developing cyber talent is crucial given the demand for cyber resources. We know that cyber professionals aspire to upskill themselves continuously – and if they don’t find that opportunity, they will look elsewhere,” said Joe Nocera, principal in PwC’s cyber, risk and regulatory practice.