Have you heard about the workforce shortage in cybersecurity? Skilled cyber professionals are hard to find and desirable jobs at great companies are left unfilled for months. At least that’s what most tech staffing agencies will tell you. This mindset has infected too many companies, their HR departments, and the staffing agencies they hire, leaving cyber departments understaffed and companies at greater risk.

There is truth to the tight cyber labor market. The latest (ISC)2 report says global IT skills shortages have surpassed 4 million openings. But the lack of professionals is not the only reason companies are struggling to fill cybersecurity roles. The challenge has as much to do with the people doing the hiring as it does the people available for hire.

Cybersecurity Staffing Is Broken

“I’m calling B.S. on the common belief that it’s a lack of security skills that’s causing these issues,” CyberSN President Mark Aiello wrote in Forbes. “From my professional experience, when I witness security people losing their jobs unexpectedly due to layoffs, restructuring or the like, it can take six months or more for C-level candidates to find a new position.”

In a market where cybersecurity expertise is in high demand, this doesn’t make any sense.

“These folks should be scooped up faster than an unencrypted database full of credit card numbers,” wrote Aiello.

The disconnect between hiring managers and skilled security professionals is at the core of most cybersecurity staffing challenges. The best way to bridge that disconnect is to work with a tech staffing agency that “speaks cyber” and understands the common problems that can derail the cyber hiring process to successfully fill your open positions.

Your Tech Staffing Agency Doesn’t Know the Language

Cybersecurity professionals are passionate about their work tracking down threats. They also know that most people have no idea what their job entails on a day-to-day basis. If you’re posting a job description that wasn’t written by someone within the cyber team, cybersecurity professionals can spot it from a mile away.

Bad job descriptions are not HR’s fault. Most people in human resources lack knowledge of cybersecurity roles and culture, so they use vague language or tech buzzwords that mean different things to different people. The result is a job description that’s nothing more than a long list of technical competencies, educational requirements, certifications, and job titles. When listed as iron-clad requirements, they unfortunately eliminate many talented candidates.

A cybersecurity staffing firm can quickly identify red flags within a job description and work with companies to define requirements, roles, and responsibilities that not only make sense to people in the cybersecurity industry, but also portray the job accurately.

Your Tech Staffing Agency Doesn’t Know the Players

Many IT or tech staffing agencies use the same tactics recruiters in other industries use, especially LinkedIn. They rely on generic IT searches to find cybersecurity specialists, not realizing there is a significant difference in knowledge base and skill set.

Finding great people can be difficult. Cybersecurity professionals are skeptical of social media and job search applications and their ability to protect personal information. When asked how to avoid risk when using social media, Ran Canetti, a Boston University College of Arts & Sciences professor of computer science and director of the BU Center for Reliable Information Systems and Cybersecurity, said the best solution is to not use them at all.

“This might cost a small price, but it’s more than worth it,” Canetti said.

If cyber professionals are not on LinkedIn or job search sites, recruiters who rely on these tools will never find them.

An agency that specializes in cybersecurity staffing knows the players throughout the industry, who is happy in their job and who is not. The recruiters put in the time networking, going to conferences and events, and making connections to develop a rich pool of connections they can tap when trying to fill positions for clients.

Your Tech Staffing Agency Doesn’t Understand Roles

With 45 different cybersecurity job categories, many more job titles, and no industry-accepted definition for any of them, general recruiters are already at a disadvantage before they get past the first line of the job description. Tech staffing agencies that lack cybersecurity industry know-how may not be able to identify talented people who are right for the role but have a slightly different job title elsewhere.

“Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven or even eight out of the 10 skills listed as requirements for a position,” said Aiello. “In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”

Your company wants to fill open cybersecurity positions with less effort and in less time. If your internal team needs help and you want to take the search to a staffing agency, it will save your company time, effort and a lot of headaches if you choose a firm that knows the industry and can identify candidates that will fulfill your company’s most essential cybersecurity needs.

While demand for top flight cyber talent is hotter than ever, top line recruitment is often hindered by outdated and uninspired compensation planning. Let’s go inside the latest report findings from cybersecurity search firm CyberSN.

-This story was featured on HuntScanlon.com on January 3, 2018 –

Authors: Scott A. Scanlon Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media with contributions from Deidre Diamond, Founder and CEO of CyberSN.com and #brainbabe and Veronica Mollica, VP of Cyber Staffing at CyberSN

In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field. Heightening the issue is an ever-growing threat of security breaches combined with a dearth of information about compensation for cyber roles, the firm reported in ‘The Cybersecurity Hiring Crisis.’

“What many organizations are failing to realize is that by not investing properly in cyber professionals, they’re sending the message that cybersecurity is not a priority,” said Deidre Diamond, founder and CEO of the international cybersecurity recruitment firm. This creates a retention and attrition problem that nearly eclipses the recruiting challenges faced by many companies seeking cyber talent.

“Organizations must be willing to invest in the critical roles that will keep their organizations up and running as the cyber industry continues to evolve,” said Ms. Diamond. “The best way to do this in a highly competitive market is to offer top compensation and benefits to attract and retain talent.”

As cyber threats change and become more complex, cybersecurity professionals are playing an increasingly vital role in their organizations. Their jobs, once considered optional, are now a mandatory part of ensuring that their companies’ critical data and processes are properly protected. Demand for such positions is at a record high – and keeping recruiters across the field loaded up with business. But talent supply lines have failed to keep up. There is, in fact, a projected workforce gap of 1.8 million cybersecurity positions, said CyberSN citing a recent (ISC)2 report.

For their study, CyberSN gathered information from across 53 organizations and 83 cybersecurity positions. The firm also conducted in-depth interviews with chief information security officers (CISOs) and hiring managers responsible for recruiting cyber professionals into their organizations.

A Lack of Transparent Data

“Many of those we interviewed echoed a common theme – namely, there’s a gaping lack of security talent,” said Ms. Diamond. And, it is a problem that becomes more pronounced when organizations look to recruit more senior talent. “Now, more than ever,” said the report, “companies are competing against the likes of Netflix, Google and Facebook for high quality candidates.” The lack of transparent data around salaries is simply making it more difficult to compete with them. “In order to recruit more effectively for cybersecurity industry positions, there’s a clear demand for accurate information that includes real-time, market-driven compensation data,” according to the report.

A central issue is that many organizations equate cyber jobs to IT positions when it comes to compensation and benefits. Yet the roles are completely different. “Organizations look at cyber like they look at IT, yet cyber salaries are higher based on supply and demand,” said Veronica Mollica, vice president of cybersecurity staffing for CyberSN.

“Oftentimes, IT doesn’t want cyber making more because it becomes an uncomfortable conversation about why one person is worth more than another.” The result is a round and round discussion and no change in the status quo, she said. “The position can then sit open for six months or more before a search firm is engaged to help,” said Ms. Mollica.

In the end, according to CyberSN’s report, more than 50 percent of the companies polled had to increase their initial salary cap in order to hire cybersecurity talent.

Nor does it help that much of the information that companies use about cyber salaries is inaccurate or out of date. “Salaries change every day and HR leaders have had trouble staying current,” said Ms. Mollica. “We see quite often that cyber leaders don’t feel supported when they sit down to have these salary conversations with HR. It’s not a welcoming environment.”

Salary Matters

Critical cybersecurity roles, meanwhile, go unfilled for too long. Organizations are reluctant to pay more and candidates tend to refuse to switch jobs for lateral compensation, let alone a lesser amount. “What we see happen is a job goes unfilled over a $10,000 difference,” said Ms. Diamond.

The truth is that money very much matters with these in-demand roles. Few companies outside of Google and Amazon can convince prospects to take a smaller salary by offering enticements like stock options, said Ms. Diamond. Most companies have no interest in paying up, but by denying that it’s a candidate’s market businesses are only hurting themselves, she said. “Why would you want to nickel and dime for the best talent?” she asked. “If candidates are interviewing with you, they are interviewing other places too.”

The cybersecurity salary cap issue is the result of both growth and the departure of employees, said Ms. Mollica, but less about what the previous person in a role was earning. “When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization,” she said, “but the people in the current positions aren’t earning market value. That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.”

The Value of Breaches

Bad experiences, Ms. Diamond said, will ultimately be the key to change. More intrusions. More money lost. More corporate reputations damaged or destroyed. Sooner or later, businesses will learn that it is more cost effective to take preventive action than to suffer the consequences of a breach or a regulatory fine. “When I think about where we are today, it’s only the breaches that have gotten us the budgets,” she said.

Hunt Scanlon Media recently sat down with Ms. Diamond to talk about the challenges that her firm and its clients face in filling cybersecurity roles.

Deidre, why is recruiting cybersecurity executives so difficult?

Cybersecurity experts are incredibly busy. Not only are their departments frequently understaffed, but their jobs are mission-critical to the success or failure of their organizations. Their roles can often be more similar to that of an emergency first-responder than an IT professional. Because of the fast-paced and high-profile nature of their work, they don’t even have time to spare for recruiters. And that’s an important issue because we have found that HR generalists simply are not equipped to oversee the hiring process for such specialized, in-demand, hard-to-find talent.

How can the search process be improved?

Executives in search of cyber talent need to use specialized cybersecurity staffing agents. Job seekers are looking for companies committed to a cyber budget, who value career growth and share in their cyber passion. Retention is just as important as hiring, and if organizations don’t meet these needs, statistics show that cyber professionals will not hesitate to vote with their feet and change jobs.

Why is the cyber function so important?

Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success. Companies are depending on their cyber resources to detect, protect, innovate, automate and meet compliance standards. Security breaches have a significant impact on a company’s reputation and customer confidence, and sometimes unpredictable financial impacts. Companies with great hiring and retention plans attract and retain talented and passionate cyber professionals.

Hence the need to pay up for these professionals?

Yes. Our research and experience show us that companies underestimate what it takes to get the right talent in the door. In our research study, over 80 percent of the companies we looked at had to raise their salary cap in order to make the right hire. HR and staffing resources do not have real time salary data available and so they are often not prepared to pay what it takes to hire talent in this market. One thing we are beginning to see is that many companies are getting more creative with their total compensation packages. Equity, paid benefits, telecommuting, relocation assistance and other perks are often included to make offers more attractive to these highly sought after professionals. Often, that outside-the-box thinking pays off!