For years, companies have been pressed to find sufficient cybersecurity talent for years – it’s been a stubborn trend pre-dating the pandemic and the current, volatile labor landscape.
Now, as companies deal with The Great Resignation, the hunt for talent can feel like even more of an uphill battle. According to ISACA’s State of Cybersecurity 2022 report, 63% of organizations have unfilled cybersecurity positions, up eight points from the previous year’s study. Along similar lines, six in 10 respondents indicated their cybersecurity teams are understaffed.
The talent challenges do not stop with recruitment difficulties. In fact, job #1 should be to prioritize keeping top performers, which also has proven tricky. Losing workers and then having to rehire those roles – possibly including paying recruiter fees – is expensive and inefficient. This is especially true when companies lose senior personnel whose experience is extremely difficult to replace. And in the cybersecurity realm, practitioners with excellent soft skills or specific technical aptitude – such as cloud computing knowledge – are especially hard to come by, as the State of Cybersecurity research attests.
The trouble is, other companies want your top performers and will be aggressive about luring them away. According to the ISACA survey data, being recruited by other companies is the top reason cybersecurity professionals are leaving their job these days, more than 10 points higher than factors such as salary, limited promotion opportunities and high-stress levels. Of course, some of those factors are intertwined – competitors are more likely to successfully poach employees who are not satisfied with how their current employers are treating them when it comes to pay and career development.
So, what should companies do? It’s time to go bold. With The Great Resignation in full effect and inflation wreaking economic havoc, this isn’t a ‘normal’ time period, so normal compensation practices are unlikely to cut it. That means it’s probably time to review compensation on more than an annual basis, at least for top performers. True, it usually won’t be easy for companies to find the extra dollars to re-reward employees during the year. If companies cannot expand market-share, they will likely need to pass extra costs on to their customers to increase revenue or find other areas to cut costs. In some instances, that could lead to a smaller overall workforce, which is only a realistic option if the retained employees are invested in better tools and training. Yet, in many cases, properly investing in a slightly smaller pool of high-caliber employees can be more effective than spreading the budget around thinly to a few additional people.
"In many cases, properly investing in a slightly smaller pool of high-caliber employees can be more effective than spreading the budget around thinly to a few additional people"
I like to imagine if I could only have a handful of my employees, who would they be? Think about who your top 10% of must-have employees are, and figure out how to hold onto them. Especially in this climate, it’s amazing how often companies are blindsided by one of their top employees telling them they’ve just received a job offer for much more money, and now you’re scrambling to gain approvals to match or exceed the external offer on top of having to re-sell that employee about why they should stick around. Leaders would be wise to get in front of this dynamic now in this hyper-competitive landscape. In many cases, once an employee has fielded a strong job offer from a competitor, it might be too late to keep them on board, even if they don’t leave immediately. You might prevent them from going out the door for the moment, but the seed has been planted in their mind.
In addition to being flexible about adjusting compensation more frequently, companies looking to stave off defections can also show their employees how valued they are by investing in their career development. Imagine a choice between Employer A, which offers a competitive salary, and Employer B, which also offers a strong salary, but will send that employee to courses and conferences to stay current and also invest in training and coaching to grow that person’s leadership and communication skills.
I’ve lost track of how many cybersecurity practitioners I’ve spoken with who lament their employers’ stinginess about sending them to leading industry events such as the Black Hat, RSA, Infosecurity and ISACA conferences. Most cybersecurity employees I know take great pride in their work and continuously want to learn and improve. Employers need to embrace investing in employees to help them grow their careers or risk giving them another reason to head elsewhere. Additionally, today’s practitioners – particularly younger employees – want their companies to stand for something, so companies should understand and prioritize the growing trend of Environmental, Social and Governance (ESG).
The need for companies to be more open-minded extends to sharpening hiring practices. That includes being more receptive to hiring workers right out of university – sure, there will be a growing curve, but within a year, recent graduates who are quick and curious learners could be some of your best performers. Let’s go a step further. Companies should also consider candidates who might not have their college degree but are willing to pursue relevant industry credentials and training to catch up. In many cases, small-and-medium organizations have adopted this approach. Still, larger-company HR departments often remain rigid about experience and education requirements that aren’t reasonable or realistic in the current hiring landscape.
It’s incumbent upon CISOs and other security leaders to have proactive conversations with HR teams and hiring managers about not being overly prescriptive about experience and education requirements. Additionally, the industry needs to be intentional about creating job descriptions that appeal to a wide pool of candidates, including women and other groups that are traditionally underrepresented in security. If we’re posting for a position, we’re selling. Let’s make the job appealing and get the applications streaming in, rather than scaring people off.
From both recruitment and retention standpoints, there is much companies can do to calibrate their approaches for current realities. The bottom line, though, is let’s not be reactive to the Great Resignation. If we find ourselves in a reactive mode, that’s a red flag that we’re going to lose too many good employees and struggle to bring in the needed reinforcements. It will require stretching beyond companies’ traditional comfort zones, but by being flexible about compensation, investing generously in employees’ upskilling and helping workers see the meaning and societal value in their work, many victories can be won in the increasingly competitive battle for cybersecurity talent.