In April, Deidre Diamond, Founder & CEO of CyberSN and Founder of Secure Diversity, joined National Cyber Director Harry Coker and representatives from more than 30 companies to discuss the commitments of the Federal Government and private sector to demonstrate progress building the nation’s cybersecurity workforce. Reflecting on the experience, Deidre said, "My trip to The White House was an incredible experience as an American, a sociologist, and a business owner who cares tremendously about the cybersecurity community."
During the visit, the Biden Administration made a groundbreaking announcement: the removal of degree requirements for federal cybersecurity jobs. This initiative aims to make these roles more accessible by focusing on specialized training rather than traditional four-year degrees. Deidre emphasized, "The administration is focused on creating well-paying jobs, particularly in middle America, and this move is a significant step in the right direction."
The visit also marked the launch of the 2024 SANS | GIAC Cyber Workforce Research Report, unveiled at The White House. CyberSN played a pivotal role in this study, contributing to the development of key questions that help understand workforce challenges in cybersecurity. "Knowledge is power. Partnering with SANS to bring powerful data to us all is imperative to us defending ourselves," Deidre noted.
The SANS Workforce Report identified critical roles in cybersecurity, such as Forensics Analyst, Information Systems Security Manager, and Security Architect. It also highlighted significant hiring challenges, including salary competitiveness and the lack of defined career paths. CyberSN’s Job Posting Data Report corroborates these findings, showing consistent top roles in cyber across different sources.
Cybersecurity managers were asked to select their top three challenges for hiring mid-level cybersecurity staff. According to the SANS Report, salary competitiveness (26%) was the number one challenge identified among respondents, followed by a lack of defined career paths (14%). CyberSN's Salary Report supports these findings, showing that management salaries have decreased, indicating dissatisfaction. "First time we have seen a decrease of salary going down for cyber roles," Deidre highlighted.
One of the primary challenges identified in the SANS Report is the inefficiency of traditional hiring methods. CyberSN's Platform and Taxonomy help improve communication between recruiters and hiring managers. Deidre pointed out, "Communicating better with your recruiters about your jobs gives them consumable content so they can immediately assess if it is the right fit or not."
The SANS Report revealed that 46% of HR managers emphasized the need for enhanced collaboration between HR and Cybersecurity managers. Notably, they are also keen on maintaining standardization, as indicated by 31% of the responses, which makes the case for wider adoption of the NICE Framework. However, only 14% of respondents in the SANS Workforce Report reported using the NICE Framework for cybersecurity work roles and job applications. "Absolutely agree having a framework makes communication productive. CyberSN’s Taxonomy that our platform leverages for our solutions is aligned and extended upon the NICE Framework so you can acquire, retain, develop, and diversify cyber talent," Deidre added.
Creating a job description utilizing CyberSN’s job builder and cybersecurity taxonomy gives HR managers a tool to determine whether candidates are qualified and interested. For example, jobs posted on CyberSN will typically see 800 views and only 4 applications, because professionals can tell more easily than on other job platforms whether they are qualified and interested. Posting on CyberSN ensures that anyone who applies is easy to match. This removes unqualified applicants. CyberSN jobs are specific and easy to understand because of our matching criteria: job responsibilities, compensation expectations, location, citizenship status, degrees, and certifications.
The SANS Report also emphasized the critical role of non-salary benefits in retaining cybersecurity professionals. Deidre reflected, "People often move jobs for more money; it's a known risk. They'd rather tell their current employer, 'I got the money you wouldn’t pay me,' instead of discussing the real problems. It's not really what opened the door—it's just easier to say it was the money."
With 68% of the industry citing insufficient training and development opportunities as a significant issue, CyberSN's strategy involves creating growth opportunities before hiring. "Every job we take at CyberSN includes a growth story. This is what people want, and if they don't have one, we create that strategy so that you can build and develop before you hire them," Deidre explained.
When asked what hurdles they face when it comes to training mid-level cybersecurity professionals, cybersecurity managers in the SANS Report revealed that 40% stated the lack of a cybersecurity training budget, followed by 38% citing the lack of time/staff to get training. Deidre shared, “Understaffed and under budgeted are creating national security issues around talent. Therefore we need to have compliance control. Security leaders need to be able to speak risk in order to get the appropriate budget for training and development.”
The SANS Report also highlighted the growing importance of Diversity, Equity, and Inclusion (DEI) within organizations. Nearly 80% of respondents indicated that DEI is becoming an integral part of their organizational culture. Deidre commented, "It's great to see this focus on diversity, especially during a time when DEI has been a target of political debate."
According to the SANS Workforce Report, HR managers primarily rely on straightforward online postings, notably on platforms like LinkedIn (32%) and job posting websites (30%). These platforms tend to be saturated with candidates, making it crucial to employ specific keywords and filtering parameters effectively to sift through the vast pool of applicants. Deidre noted, "The amount of time to go through 800 resumes to find 4 matches can be months worth of work. Internal talent teams don’t speak the language as they aren’t in cyber. We have a taxonomy that is a shared cyber language and a Talent Matching Solution that is half the cost of staffing fees, empower internal talent teams, and is 100% money-back guaranteed delivering qualified and interested candidates that match your role in 45 days or less."
Time to hire ranges from 81 to 98 days for key roles, according to the SANS Workforce Report. CyberSN fills roles in 45 days or less, half the time it takes for HR to hire. "It illustrates how hard it is to match even when 85% of cyber professionals are willing to take a job opportunity call and are open to opportunities," Deidre explained.
The process efficiency is not just about the duration it takes to fill the role but also about the resources expended. For example, in a case study with Zions Bancorporation, hiring managers saved approximately 90 hours on interviews alone, not to mention an additional 10-20 hours previously spent on resume screening by the internal talent team. "It's not just about how long the role is open; it's about how much time searching for these people or talking to these people that were the wrong fit," Deidre emphasized.
In the context of cybersecurity talent retention, managers identified salary (23%), lack of a defined career path, and inadequacy of progressive training (31%) as top challenges, according to the SANS Workforce Report. "Money being number 1 is a mask to the real problem. While everyone wants to make more money, happy people don’t answer recruiting calls that get more money. It is typically due to career development, recognition, and how they are treated," Deidre reflected.
Additionally, the study found that only 32% of respondents acknowledged that cybersecurity turnover poses a significant challenge. Companies with 101-500 employees experience a slightly higher turnover rate of 39%. Deidre explained, "These companies typically don’t have growth opportunities for mid-senior level employees. A lot of these mid-senior professionals move to enterprise in order to get to the next seat. Share what you have to offer them over the next 2-5 years and be clear so that you develop someone's career to the level they want to have or have them help you replace them when the time is for them to go."
CyberSN’s Cyber Workforce Risk Management Solution addresses these challenges by providing salary alignment recommendations, resource gap identification, custom career development plans, organizational capabilities and functional structure, and a diversity strategy for your entire security team.
Approximately one-third of respondents in the SANS Workforce Report believe that the cybersecurity gap is skills-based, while two-thirds see it as a headcount gap. This points to a healthy job market with high annual turnover.
Deidre provided further insights, "Talent optimization and utilization needs to be a program because of under-budgeted and undertrained resources. Organizations need to work strategically around full-time employees (FTEs) and contractors to avoid the headcount gap versus skill gap and to avoid retention challenges. They may have headcount but lack the necessary skills. They may have needed those skills at one point but now require something else. Instead of hiring an FTE, they actually need an 8-month contractor. CyberSN has staff augmentation solutions that can help you with your capex opex work gap analysis."
Deidre Diamond's visit to The White House and CyberSN's contribution to the SANS Workforce Report highlight the critical steps being taken to address cybersecurity workforce challenges. By removing degree requirements, promoting specialized training, and emphasizing the importance of non-salary benefits and DEI, The White House, CyberSN, and other industry leaders are working together to create a more inclusive and effective cybersecurity workforce.
Learn more about how CyberSN's Cyber Workforce Solutions can help empower leaders to attract, retain, develop, and diversify their cybersecurity teams.