In this blog - the third in our series addressing the cybersecurity career and hiring crisis - we introduce the CyberSN marketplace, the one-stop destination for all cybersecurity career and staffing needs. To learn more about the cybersecurity career crisis and how to solve it, check out our previous blogs.
At CyberSN we recognize that both individuals and organizations need to be matched with the roles and professionals that best fit them, which is why we’ve developed a brand new solution. The CyberSN Marketplace unites confidential public profiles and organizations looking to hire cybersecurity professionals under one platform, providing them with no-cost access to the jobs, tools, information, and professional connections they need.
In the Career Center, professionals create a confidential public profile rather than just uploading a resume, with their critical task and project experience as the main focus. Employers can then find them without the need for any individual to share their identity on a public platform. This allows professionals to connect with their choice of best-fit jobs without fear of reprisal or unconscious hiring biases, helping to promote diversity and inclusive behaviors within the hiring process.
Using their confidential public profiles, professionals can search and apply to jobs on the CyberSN platform, share jobs with their network, and ultimately let jobs apply to them. Employers are able to source individuals based on the unique task and project information in their job description, giving them the opportunity to reach out even to passive job seekers.
As well as increasing the chances of finding a best-fit job, the CyberSN profile is an effective way of assessing: skills to develop, past projects worked on, and potential training opportunities. Professionals can streamline their career development by using their profile for performance reviews, mapping which certifications they require, and negotiating salary increases. By empowering individuals to know their worth, CyberSN profiles give professionals more control over their career development.
The CyberSN Career Center also allows professionals to browse CyberSN’s exclusive Job Taxonomy consisting of ten job categories and 45 functional cybersecurity roles, from executive management to analyst and everything in between. By using this Job Taxonomy, we provide easily searchable access to every cybersecurity job currently posted in the United States (at date of publication, this number was over 65,000 postings), streamlining the job search process for the professional. Our taxonomy also provides us with a common language of role titles to be used across the platform, allowing us to effectively match professionals with roles and streamline communications.
The CyberSN Marketplace enhances CyberSN’s established agency staffing services. From our free job description builder to our full-service staffing offerings, our Hiring Center provides a better way to find and retain the right professionals for every role.
Tailored toward SEO and applicant tracking systems, our free job description builder uses the same common language as our CyberSN professionals’ profiles, categorized within our 10 role categories and 45 functionals roles to ensure quick and easy matching. Organizations can either create and export job descriptions for free or engage with CyberSN’s pool of engaged professionals by posting their jobs to our Marketplace. Professional profiles are then matched to the job based on the tasks and projects that they have completed and those that the role requires.
Our Hiring Center is one of the only providers of comparable cybersecurity salary information, offering up-to-date data that helps organizations understand the market, craft better job descriptions, and communicate successfully with new hires. Certification mapping and career pathing provides the professional development tools needed to carry out annual reviews with existing staff and identify skills gaps within teams. By leveraging the Hiring Center’s resources, organizations are equipped to hire staff that love their job, improving retention and inspiring long-term changes to company culture.
The CyberSN Provider Exchange, part of our Marketplace, offers a directory of relevant training, products, and event resources for both cyber professionals and organizations. Products and services featured on the Provider Exchange range from diversity & inclusion solutions to hands-on training, penetration testing, professional services organizations, and more. Our entire community of cybersecurity professionals and organizations can access CyberSN’s Provider Exchange for free, making it a go-to catalog for any and all cybersecurity career needs.
Joining the Provider Exchange puts your products and services in front of our ecosystem of engaged cybersecurity professionals, allowing us to come together in support of the industry with the resources required to collectively achieve success. You can find more information on joining the provider exchange here.
The crown jewel of the new CyberSN Marketplace is the cybersecurity industry’s first ‘Deep Job Platform’. Our platform goes beyond simple job listings, providing products and features that complement all posted jobs and speak the language of cybersecurity. The platform organizes our 66,000+ jobs and 28,000+ professional profiles based on tasks and projects, classifying them into the ten job categories and 45 functional cybersecurity roles that make up our Job Taxonomy.
As well as making our jobs easily searchable and understandable, using the common language of our Job Taxonomy means that communication is smoother and more accessible. This is particularly important within cybersecurity, as it is a complex and ever-changing field. The CyberSN platform matches professionals to jobs based on their confidential public profile, so individuals are matched to roles based on what really matters - their task and project experience - and nothing else.
Our Marketplace is now the go-to network for jobs, career expertise, and resources for the cybersecurity industry. We see the cybersecurity hiring crisis as a matter of national security and consider it our mission to fix the broken job searching system that exists today.
With the launch of the Marketplace, CyberSN is providing all the tools and connections that are needed for any type of cyber professional to Pwn Their Career and for hiring firms to build their teams fast and to last. This means matching individuals with organizations effectively, ultimately boosting career satisfaction and improving employee retention.
2020 brought many transformations to the cybersecurity community. The key takeaway from our perspective here at CyberSN was the change to the talent seeker and the job seeker as it relates to the hiring process. In short: the roles and expectations of both cybersecurity professionals seeking employment, and hiring managers looking to fill job vacancies have changed forever.
Cyber professionals are in high demand and have experienced different modes of working as the pandemic took hold. Many cyber professionals set up an office at home without affecting their productivity. Cyber professionals who were hiring had to adjust how they were acquiring talent and the changes they needed to make to attract, vet, and retain quality cyber talent.
In support of this, we’ve outlined five ways cybersecurity hiring has changed forever (with one bonus prediction):
This is probably the biggest, most obvious realization that came out of the 2020 pandemic. Remote work is no longer a privilege. It is now expected in every cybersecurity job. Cybersecurity has evolved from the days when cyber professionals rarely were allowed to work offsite to a time where they’re rarely mandated to work on premise. So long as productivity and security remain optimal, this likely will not change. If your company doesn’t have a permanent work from home policy, you will be a much less attractive employer for cyber professionals. Make sure your company is prepared. It’s no longer a request. It’s an expectation.
Remember the days when a cyber professional would dress up, drive to a company, pay inflated parking rates, and be subjected to a series of face-to-face interviews? Many times, they would be subjected to re-answering the same questions over and over. Most of the interviews were conducted secretly so their current employer wouldn’t find out. Cyber pros were forced to make excuses so they could take a day off to interview for a new opportunity. This is no longer the case. CyberSN has not had an in-person interview since early 2020. Everyone on both sides of the interview lens should be prepared for video interviews, which means paying special attention to your surroundings to make sure it’s what you want people to see.
Compensation has been on the rise as the demand for experienced cyber professionals continues to skyrocket. Compensation is typically salary and bonuses, though cyber professionals are also being offered generous stock option packages and other benefits where available. Take inventory of all the good things your company has to offer in addition to money and put it on the table if you want to be competitive in attracting and hiring cyber professionals. Like cyber salaries and applicable benefits packages, demand for cyber pros will only continue to grow, so if you’re not weighing out what you have now and presenting your best offer, you’re not going not going to fare well.
The interview process for cyber professionals is faster than ever. We are seeing offers being presented on the same day of the interviews. We even had one during the interview. If you’re hiring, be prepared to move quickly with an offer. If you’re interviewing, be prepared to field an offer and make a decision quickly, sometimes right on the spot. Those who are prepared to move quickly (and do) will benefit greatly in this hiring market. It’s no longer an option to sit around and wait. If a person feels like a good fit, make a move, or else risk that person moves on to the next readily abundant opportunity.
While we’ve placed most of the focus on the hiring teams to put their best foot forward, there are also developments that lean the other way (towards the cyber professionals seeking new jobs). Make note that almost every new opportunity we are involved with is requiring Cloud/SaaS experience.
There is a greater focus on securing all cloud applications. It’s no longer the responsibility of a few security or IT professionals. It’s now the responsibility of all cyber and IT professionals. Users are geographical spread out these days, and they’re relying on cloud applications and file sharing more than ever. Securing these systems and data has never been so vital to an organization and it’s employees. It’s impossible to rely on a few individuals to be able to protect the vast amount of data that is spread out throughout the U.S. Thus, Cloud/SaaS experience is a must. If you don’t have it as a working piece of your portfolio, it’s time to dive in, else risk being overlooked.
As we mentioned above, remote working is expected by all who are employed within the cyber industry. But that expectation for flexibility will no longer be unique to a cyber professional’s “physical” presence. Soon that flexibility will be associated with time. No longer will work hours fit into the typical 8 a.m. - 5 p.m. window. Different work habits by different people spread out over multiple time zones will require a lot more flexibility.
Households with children require organizations to allow workers flexibility in their workday. Also, it’s become quite commonplace for employees to take pause for a few mental health breaks. So many workers are cooped up in their homes and only leave to get their mail. Organizations will have to be flexible on the specific times that people login, and instead, focus on the work that is produced to make sure the job is being done. Productivity is the key metric here. So long as the work is getting accomplished on time it shouldn’t matter so much when it’s getting done.
It’s pretty incredible to watch an industry grow, and we’ve been lucky enough to play a role in one we’re very passionate about. The changes we’ve outlined above are a direct result of the last 12 months we’ve all experienced. It’s amazing how much things can change in such a short amount of time.
If you need help figuring out the right solutions for your cyber needs, give us a call. We’re here to help!
Whether you’re a start-up or a Fortune 500 company, cybersecurity consulting is a good way to assess the effectiveness of your cybersecurity operations. Having another set of eyes on your security systems, looking for ways attackers could infiltrate, and creating a strategy for addressing any security gaps can save your business time and the disruption of a security breach.
Cybersecurity consulting has another less well-known feature that is arguably more valuable than identifying potential threats: insights on cybersecurity staffing. A cyber team is only as good as the people within it, so hiring is a crucial aspect of keeping your company and customer data secure. By tapping a cybersecurity consultant, you can gain expert knowledge on the industry, where to find skilled cyber pros, and how to market your company to top talent.
When vetting cybersecurity consulting firms, here are some qualifications you should be looking for.
You may think you know what you need, but a skilled cybersecurity consultant can help you drill down into the specific aspects of your needs. By understanding your objectives, the consultant can identify skills gaps and provide a staffing headcount based on current and future initiatives. For example, your company might be evaluating security information and event management tools. A good cybersecurity consultant can offer advice on the availability of certain product skill sets and their respective labor cost.
A cybersecurity consultant should be someone who is able to provide the latest information about solutions and products especially those that are becoming more popular, those that are new to the market and other trends. This could include career and employee development trends and new training resources available.
You are never going to build or keep a great cybersecurity team if you aren’t offering enough compensation. You need a cybersecurity staffing consultant who will be blunt about your salaries and compensation packages. Your company may not be able to offer the same salary as a larger company, but a cybersecurity staffing consultant can help you develop other types of compensation, such as ample paid time off, work-from-home options, and an inclusive company culture that will attract professionals.
At CyberSN, our cybersecurity staffing consultants see a lot of compensation data because companies and professionals give us this data every day through our job search platform KnowMore. One thing we’ve seen is that it’s not just about the money. Professionals are looking for better work-life balance, especially since the lines between work and home have become so blurred. Training opportunities and the ability to work remotely permanently are two of the top requested perks we’re now seeing.
Part of the challenge of building out the right cyber team is that job titles, roles, and responsibilities vary from company to company. Having a cyber consultant who knows the industry, terms, and job titles vastly improves the results of your recruiting efforts.
We identified this problem at CyberSN and developed a common cybersecurity language, not just for those in the information security industry, but for those who hire, too. This included identifying different facets of the industry and defining 45 cybersecurity job titles and more than 100 subtitles.
Here are a few questions you should ask before engaging with a consulting firm on your infosec operations.
Do they work primarily for large corporations or is this a firm that specializes in start-ups? A firm may claim to be generalists, but cyber needs vary depending on the company’s size and industry, whether that’s e-commerce, banking, or health care. Make sure you hire a consultant that understands your industry.
Before working with a firm, it helps to know who you will be working with, their area of expertise, and how many hours they will be available. Are you looking for 24/7 availability or someone to develop a strategy for improving diversity? Whatever your need, ask for specifics about the level of expertise you will be provided.
Companies are striving to create inclusive workplaces, especially when race and gender are such a part of the national conversation in the United States. Whatever your cybersecurity needs, diversity is likely to be part of the conversation. When your team is made up of people with different backgrounds and world views, it will help improve your ability to identify threats from around the globe. Discuss diversity training as well as hiring practices to ensure you are creating a welcoming environment for all employees.
As a woman-owned company, diversity and inclusion are important in all we do, which is why more than half of our placements are diversity hires.
This may seem obvious, but if you’re looking for expertise in cybersecurity, make sure the team you get has experience working in the industry and understands both the employer’s and employee’s side of the job.
Ask your cybersecurity consulting firm what you’re getting from them and hold them accountable throughout for that deliverable. CyberSN, for example, offers hiring strategies for companies struggling to fill cyber roles. After working with one cybersecurity industry expert and one cybersecurity hiring expert, the company will have a clear strategy for recruiting and hiring cyber pros that fit their needs and within the company.
No one wants to hire another consultant who swoops in, offers unrealistic advice, and is only concerned about the paycheck. Before you sign a contract with a cybersecurity consulting firm, clearly define what you’re looking for from the relationship. Make sure the firm is willing to help set goals and create a realistic strategy that works for your type of company. Finally, hiring a firm that understands that it’s not just about the tech. Developing the human side of a cybersecurity team can help protect your company, as well.
The shortage of cybersecurity professionals has been well studied, documented, and publicized. According to ESG Research, 51% of companies say their organization has a problematic shortage of cybersecurity skills. The most well cited study on the cyber workforce shortage, by (ISC)², estimates that an additional 4 million more cybersecurity professionals are needed to defend organizations above the 2.8 million professionals worldwide currently working in the field. It’s an issue we’ve even talked about on this blog. Even in this current economic climate where all industries are facing uncertainty, the need for more cybersecurity professionals still exists.
The painful reality is that companies need skilled cyber professionals to tackle emerging threats efficiently. Companies are planning to spend more in 2020 on cybersecurity than they did last year, according to a recent report from ESG Research.
“Many organizations are in the process of reengineering their entire cybersecurity infrastructure in an attempt to improve efficacy, streamline security operations, and support new technology-driven business processes,” the report said. If your company is investing in its cybersecurity operations, it’s likely you will need to hire more people.
Let’s dive into each step a little deeper.
It’s simple supply and demand. When there are more open positions than people who are able to fill them, professionals can demand higher pay. To get talented cybersecurity professionals to work for you, your company will likely have to pay more.
We understand raising salaries can be an uphill battle at some companies. Wage growth has been sluggish even when there was record unemployment, so why would a company think cybersecurity professionals are any different? Now that the economy is facing an uncertain road ahead, some organizations may falsely believe that they have the salary negotiation advantage.
The truth is, the majority of skilled cybersecurity professionals are currently employed and earning good pay. To get one of them to leave and come work for you, you must offer a better opportunity, and that almost always includes better pay.
Because there are so few cybersecurity professionals out of work, even in the current economic climate, your company must also recruit candidates who are passively looking—that is, currently employed but open to other opportunities. To search for passive job seekers successfully, your company will need help from someone with experience in the cyber industry.
Companies that use internal teams for recruiting and hiring all face the same problem; it hasn’t worked great in the past, yet they keep doing it. Few internal human resources or recruiting professionals know where to look to find those passive candidates. When they do, they approach prospects with poorly written job descriptions that indicate your company communicates poorly or is expecting a new hire to do the role of two or more people.
Hiring an outside recruiter is another option, but competition will remain high and success rates mixed. According to (ISC)², one out of five people surveyed said they receive at least one recruiting contact daily.
Hiring for cyber can be so tricky; you don’t so much need a recruiter as a matchmaker. Hiring a company that specializes in cybersecurity staffing, that speaks the language and understands what you and the job seeker are looking for ensures a swifter and more efficient hiring process.
For example, CyberSN’s Engaged Staffing solution does more of the work for the company—finding interested and qualified candidates, vetting them for skills and qualifications, and prepping them for interviews. We even work with companies pre-interview to help them present the best image of their organization possible, from writing the job descriptions to preparing the hiring team for the interview. Companies that are serious about filling their cyber teams with skilled professionals know it’s key not to waste time on their own and to call for help when needed.
Resume algorithms are killing cybersecurity hiring. Too often the human resources department cuts and pastes requirements into a job description, eliminating dozens of potential hires before the company even posts the job.
People who enter cybersecurity don’t always follow a straight path. Many gain skills beyond certifications and degrees through experience. If possible, look for ways to bypass any systems that cull resumes based on educational qualifications and years of experience. Instead search for essential skills and a record of success. If you need help getting around algorithms, our job searching platform KnowMore can help. By building a professional’s profile that’s better than a resume, it helps companies and job seekers thwart the algorithms.
Attackers are always evolving and so should your cyber team. Without professional development to sharpen skills and understand emerging threats, you are not only leaving your team vulnerable, you are also sending a bad signal to future employees.
Ambitious and hardworking people are always looking for ways to improve themselves and take that next step, whether it’s running one more mile, learning a new language, or moving ahead in their careers. You want those people at your company, but without the incentive of professional development opportunities these talented cyber professionals will look elsewhere.
The cybersecurity workforce shortage poses challenges for companies, but is not insurmountable. Knowing where to look, what cyber professionals are looking for, and how to present your company in the best light will improve success rates. Companies also have to admit when they’re in over their heads. Cybersecurity is an essential part of business. If you’re continuing to search for cyber professionals without success, it might be time to ask for help.
While the scramble to recruit and retain smart cybersecurity professionals is universal, some companies struggle more than others. If you ever wonder how some competitors managed to perennially field solid cybersecurity teams while your organization can hardly even find enough candidates for your open jobs, it might be time to evaluate the way you market to and interact with cyber job seekers. CyberSN recently spoke with a number of recent applicants and employers on what engages employees most effectively. Things like a decent compensation package are table stakes for drawing great candidates. However, there are often other simple touches that can make all the difference. Here are five tips for attracting cybersecurity professionals to your roles.
It should go without saying, common courtesy can go a long way towards keeping the lines of communication open with good candidates. For example, if you’re recruiting currently employed candidates, try to be flexible about scheduling interviews. And whatever you do, minimize cancelations on your end.
“Meeting during the day is already a challenge because you have to find a way to schedule time off from your current job,” said a Security Engineer who wishes to remain anonymous. “It’s particularly difficult when a potential employer cancels at the last minute, which happens anywhere from 25% to 40% of the time in my experience. For a couple of companies, this happened with, I just declined to reschedule.”
If you’re a hiring manager working with a company with a lot of bureaucracy and red tape to jump through during the interview process, consider either personally reaching out or having a recruiter reach out to prep candidates for what to expect.
“Having insights about the company from the recruiter made a difference,” Robert Burns, Sr. Consultant at Booz Allen Hamilton explained. “Just a little bit of information about who I was meeting with ahead of time, so I could prepare and have a better understanding of what I’d be talking about with different individuals.”
Compensation is obviously important, and so are work-life balance benefits like flex time. But so are relocation benefits. It might seem obvious that the best way to open up a bigger pool of candidates is to widen geographic boundaries. Surprisingly, few companies actually do this. We’re not talking about a huge investment – just $10-15k will make a huge impact.
“Even though there’s a huge gap in the field, it’s very difficult to find organizations that will pay you or give you the flexibility to cross from coast to coast,” says Burns, who worked with CyberSN to get him relocated to a work location that worked for him.
When interviewing, you can’t get hung up on years of experience or even certifications. You need to learn to find candidates who have the right raw materials for training by asking the right interview questions. Make sure you are interviewing for someone’s ability to do the job. Find out what they have been doing and not how for how many years they have been doing it. Years do not equate to capability. Also, make sure your posting avoids using any red flags for job seekers!
“In interviews, we would ask questions around curiosity. Trying to hone in on how an individual thinks can be important,” says Dan Garcia, Sr. Security Engineer at Datto. “Asking questions like, ‘What is the last thing you took apart and why?’ Just trying to get at their intellect. From that, we found some pretty great candidates that had the right mindset.”
Finally, look for ways to be creative in your outreach. Cybersecurity is a creative field, and smart candidates respond to clever employers. Run or participate in events like capture the flag and tabletop exercises. Go to the same places that cyber pros go.
“Datto once took out a billboard where we Base64 encoded the career site URL, and we had a candidate apply to be a software engineer from that,” says Ryan Weeks, Chief Information Security Officer. “He now leads our application security pen-testing team.”
Listening closely to the experience of candidates and gathering feedback from employers gives insight into what mistakes are being made that are easily addressed. What’s working (and not working) in your cybersecurity talent experiences? Did we forget any tips for attracting cyber professionals?
Today’s cybersecurity teams need all the help they can get to keep up with a breakneck pace of work. Threat Actors barrage corporate systems with new and inventive attacks by the minute. And Cybersecurity professionals are committed to protecting information, privacy, and maintaining regulatory compliance. Unfortunately, security hiring managers struggle to hire talent fast enough to fill their needs.
Some claim that it’s a market shortage of security skills that is keeping companies from filling positions in a timely manner. But there’s actually a lot more going on than a simple constraint of skilled labor that’s contributing to today’s cybersecurity staffing crisis.
The uncomfortable truth is that cybersecurity
recruiting today is very broken.
A disconnect exists where even as hiring managers are complaining that there aren’t enough skilled security professionals to go around, the veteran cybersecurity job recruits that are out there are unable to land great jobs in eight months or less. That doesn’t make logical sense from a pure supply-and-demand perspective.
It’s happening because there are a lot of dysfunctional dynamics at play in the security job market today.
As a longtime cybersecurity staffing specialist, I see every stakeholder in the cybersecurity ecosystem contributing to the problem. Here are the many broken faces of the cybersecurity job market.
A recent study from Enterprise Strategy Group found that some 53 percent of security hiring managers today report experiencing a ‘problematic shortage of cybersecurity skills.’
And yet if you dig deeper into the issue you’ll find that many of these same hiring managers are doing very little to proactively develop those skills in-house.
They’re not hiring creatively at the entry level or near entry level. They’re not bringing in new blood with great problem-solving skills or relevant technical skills that can be built upon with the right mix of on-the-job training and professional development classes. That’s probably because they’re also not sending staff to conferences or paying for training to help them learn new skills—or even just to keep up with the latest trends and technologies. Furthermore, they’re not pairing junior staffers with senior staffers, or doing any kind of strategic succession planning.
Instead, they seek to hit the lottery by trying to attract unicorn candidates. They look for impossible candidates who possess an unrealistic combination and depth of experience who’d also be willing to do the work of multiple specialists for a single person’s salary. They tentatively post these nightmare jobs to ‘see what happens’ in lieu of putting a comprehensive team-building strategy in place. Meantime the backlog builds and the overworked staffers already on the team grow more frustrated and discontented by the day.
Now, I don’t want to beat up on security hiring managers too much because their actions (or failure to act) are often a reflection of circumstances completely out of their control. For example, in many larger organizations corporate policy dictates that human resources will take it upon themselves to write job descriptions and market the open role to available candidates.
The trouble is that they don’t ‘speak’ cybersecurity and they’re often intimidated by the technical elements of the job.
So they resort to cutting and pasting job descriptions from ill-advised sources. Completely disconnected from cybersecurity culture or knowledge, HR may do some cursory investigation and utilize vague skills keywords that may mean different things to different organizations or candidates. Or they’ll overly rely on requiring certifications requirements with only passing relevance to the job at hand. Similarly, they might take a wish list of technical competencies from a hiring manager and translate it into an iron-clad requirements checklist for which every box needs to be ticked to even consider someone for an interview
What companies get out of the process is job descriptions and candidate requirements that are unreasonable and inflexible. These are the types of openings that throw up all sorts of red flags to longtime security pros. And so the rock star candidates keep walking, never throwing their hat in the ring.
On top of all of this, overloaded HR departments typically don’t have many resources to actively recruit and even when they do they don’t have deep ties into the very insular cybersecurity community. Most organizations are passively seeking to fill roles in a specialized job market where candidates don’t always openly market themselves (more on that in a moment.)
Disconcertingly, some of the most systemic problems that are causing today’s cybersecurity staffing crisis come from the very top of the corporate food chain. True, many in the C-suite would tout to regulators and customers that they’ve made the commitment to open up a plethora of new security roles in order to bolster their cyber capabilities. What they don’t say is that they’re not providing the necessary support or logistics to reasonably fill those roles.
Hiring managers frequently don’t offer training, can’t send people to conferences, don’t offer flexible work schedules or dress codes, and can’t budge on salary caps because the C-suite won’t approve those necessary enticements. What’s more, neither will the top brass approve outside recruiting support as a matter of course. In many instances I run across organizations where a position must remain open a minimum of six months before they even allow an outside agency to help fill it.
Even when companies do turn to technical recruiters and staffing agencies, many a pitfall lies ahead. Too many organizations rely on general purpose technical recruiters with very little expertise in the cybersecurity market. As a result, even though they’re more aggressive about going out to find potential candidates they still have a difficult time effectively matching the right skilled candidates to the appropriate role. These generalists often run a volume game, and will do anything to bring in anybody that breathes to consider an interview in order to make their numbers—sometimes to the point of outright dishonesty to job candidates. What’s more, these generalists are usually still armed with poorly written job descriptions that are still based on free text writing and keywords, never really controlled with the taxonomy or structured language that breaks down specific cybersecurity professional tasks or projects and matches them to candidates with those experiences. And so there’s lots of room for misinterpretation during the recruitment process.
The final difficulty is not necessarily the fault of job seekers, but just a byproduct of the cybersecurity profession. It’s the fact that by necessity and experience, security people are skeptical about sharing information about themselves that can be used against them by cybercriminals. As a result, there’s only a small percentage of security pros that are on LinkedIn and many of them are leery of putting themselves out there for passive job searching. Thus, when they’re let go due to an unexpected layoff or merger or some other event like that they’re left flat-footed—even though there are plenty of companies that would love to have their expertise to fill an open role.
All of these factors contribute to a broken security job market. Organizations are not able to effectively match up with the talent they need. Skilled security job seekers have no visibility into the opportunities afforded to them. And teams are left outgunned and overworked as a result.
There’s no magic wand that will fix all of these dysfunctional dynamics, but my team at CyberSN has been working hard to help bridge some of the gaps that currently exist. In particular, we’re working on rolling out the structured platform we use internally to match recruits to job openings. Both passive and active job seekers will be able to anonymously create and update profiles using a standardized taxonomy of skills and experiences that hiring companies can use to match candidates to their jobs. If you are curious about how we are solving the cybersecurity hiring crisis, check out KnowMore at www.CyberSN.com. KnowMore is drastically altering the way cybersecurity professionals and employers find each other.
While demand for top flight cyber talent is hotter than ever, top line recruitment is often hindered by outdated and uninspired compensation planning. Let’s go inside the latest report findings from cybersecurity search firm CyberSN.
-This story was featured on HuntScanlon.com on January 3, 2018 –
Authors: Scott A. Scanlon Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media with contributions from Deidre Diamond, Founder and CEO of CyberSN.com and #brainbabe and Veronica Mollica, VP of Cyber Staffing at CyberSN
In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field. Heightening the issue is an ever-growing threat of security breaches combined with a dearth of information about compensation for cyber roles, the firm reported in ‘The Cybersecurity Hiring Crisis.’
“What many organizations are failing to realize is that by not investing properly in cyber professionals, they’re sending the message that cybersecurity is not a priority,” said Deidre Diamond, founder and CEO of the international cybersecurity recruitment firm. This creates a retention and attrition problem that nearly eclipses the recruiting challenges faced by many companies seeking cyber talent.
“Organizations must be willing to invest in the critical roles that will keep their organizations up and running as the cyber industry continues to evolve,” said Ms. Diamond. “The best way to do this in a highly competitive market is to offer top compensation and benefits to attract and retain talent.”
As cyber threats change and become more complex, cybersecurity professionals are playing an increasingly vital role in their organizations. Their jobs, once considered optional, are now a mandatory part of ensuring that their companies’ critical data and processes are properly protected. Demand for such positions is at a record high – and keeping recruiters across the field loaded up with business. But talent supply lines have failed to keep up. There is, in fact, a projected workforce gap of 1.8 million cybersecurity positions, said CyberSN citing a recent (ISC)2 report.
For their study, CyberSN gathered information from across 53 organizations and 83 cybersecurity positions. The firm also conducted in-depth interviews with chief information security officers (CIOSs) and hiring managers responsible for recruiting cyber professionals into their organizations.
A Lack of Transparent Data
“Many of those we interviewed echoed a common theme – namely, there’s a gaping lack of security talent,” said Ms. Diamond. And, it is a problem that becomes more pronounced when organizations look to recruit more senior talent. “Now, more than ever,” said the report, “companies are competing against the likes of Netflix, Google and Facebook for high quality candidates.” The lack of transparent data around salaries is simply making it more difficult to compete with them. “In order to recruit more effectively for cybersecurity industry positions, there’s a clear demand for accurate information that includes real-time, market-driven compensation data,” according to the report.
A central issue is that many organizations equate cyber jobs to IT positions when it comes to compensation and benefits. Yet the roles are completely different. “Organizations look at cyber like they look at IT, yet cyber salaries are higher based on supply and demand,” said Veronica Mollica, vice president of cybersecurity staffing for CyberSN.
“Oftentimes, IT doesn’t want cyber making more because it becomes an uncomfortable conversation about why one person is worth more than another.” The result is a round and round discussion and no change in the status quo, she said. “The position can then sit open for six months or more before a search firm is engaged to help,” said Ms. Mollica.
In the end, according to CyberSN’s report, more than 50 percent of the companies polled had to increase their initial salary cap in order to hire cybersecurity talent.
Nor does it help that much of the information that companies use about cyber salaries is inaccurate or out of date. “Salaries change every day and HR leaders have had trouble staying current,” said Ms. Mollica. “We see quite often that cyber leaders don’t feel supported when they sit down to have these salary conversations with HR. It’s not a welcoming environment.”
Salary Matters
Critical cybersecurity roles, meanwhile, go unfilled for too long. Organizations are reluctant to pay more and candidates tend to refuse to switch jobs for lateral compensation, let alone a lesser amount. “What we see happen is a job goes unfilled over a $10,000 difference,” said Ms. Diamond.
The truth is that money very much matters with these in-demand roles. Few companies outside of Google and Amazon can convince prospects to take a smaller salary by offering enticements like stock options, said Ms. Diamond. Most companies have no interest in paying up, but by denying that it’s a candidate’s market businesses are only hurting themselves, she said. “Why would you want to nickel and dime for the best talent?” she asked. “If candidates are interviewing with you, they are interviewing other places too.”
The cybersecurity salary cap issue is the result of both growth and the departure of employees, said Ms. Mollica, but less about what the previous person in a role was earning. “When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization,” she said, “but the people in the current positions aren’t earning market value. That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.”
The Value of Breaches
Bad experiences, Ms. Diamond said, will ultimately be the key to change. More intrusions. More money lost. More corporate reputations damaged or destroyed. Sooner or later, businesses will learn that it is more cost effective to take preventive action than to suffer the consequences of a breach or a regulatory fine. “When I think about where we are today, it’s only the breaches that have gotten us the budgets,” she said.
Hunt Scanlon Media recently sat down with Ms. Diamond to talk about the challenges that her firm and its clients face in filling cybersecurity roles.
Deidre, why is recruiting cybersecurity executives so difficult?
Cybersecurity experts are incredibly busy. Not only are their departments frequently understaffed, but their jobs are mission-critical to the success or failure of their organizations. Their roles can often be more similar to that of an emergency first-responder than an IT professional. Because of the fast-paced and high-profile nature of their work, they don’t even have time to spare for recruiters. And that’s an important issue because we have found that HR generalists simply are not equipped to oversee the hiring process for such specialized, in-demand, hard-to-find talent.
“Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success.”
How can the search process be improved?
Executives in search of cyber talent need to use specialized cybersecurity staffing agents. Job seekers are looking for companies committed to a cyber budget, who value career growth and share in their cyber passion. Retention is just as important to hiring and if organizations don’t meet these needs, statistics show that cyber professionals will not hesitate to vote with their feet and change jobs.
Why is the cyber function so important?
Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success. Companies are depending on their cyber resources to detect, protect, innovate, automate and meet compliance standards. Security breaches have significant impact to a company’s reputation, customer confidence and sometimes unpredictable financial impacts. Companies with great hiring and retention plans attract and retain talented and passionate cyber professionals.
Hence the need to pay up for these professionals?
Yes. Our research and experience show us that companies underestimate what it takes to get the right talent in the door. In our research study, over 80 percent of the companies we looked at had to raise their salary cap in order to make the right hire. HR and staffing resources do not have real time salary data available and so they are often not prepared to pay what it takes to hire talent in this market. One thing we are beginning to see is that many companies are getting more creative with their total compensation packages. Equity, paid benefits, telecommuting, relocation assistance and other perks are often included to make offers more attractive to these highly sought after professionals. Often, that outside-the-box thinking pays off!
Friends, our lack of real-time salary data and our poor hiring practices are causing unnecessary stress and productivity breakdown. The cybersecurity talent shortage is not an excuse for unfilled positions. CyberSN has performed thousands of searches and compiled valuable data that shows why jobs go unfilled for reasons beyond the talent shortage. We commissioned a research study focused on hiring challenges in cybersecurity, conducted by Dr. Chenxi Wang, PhD. of the The Jane Bond Project.
For over 20 years, I have worked side-by-side with technologists and cybersecurity professionals. I have consistently felt the pain that occurs when a team is overworked and understaffed. I commissioned this study to empower organizations that want to hire and retain cyber talent regardless of the talent shortage.
Spread the word: you and your teams no longer have to suffer!
When Gary Hayslip, the CISO for Webroot, Co-Author of The CISO Desk Reference Guide, and a highly valued and trusted leader in the security industry asked for my input on his article, I told him I would be more than happy to share my thoughts. I have a lot to say on this subject after 19 years in the recruiting profession, 14 of those years running my own firm, and the last 2.5 years exclusively focused on cyber! No one has this type of time on their hands, so I will break this down into several articles over the next couple of months!
There are so many moving parts to this issue, and as Bill Bonney, Gary’s Co-Author of the CISO Desk Reference Guide, so eloquently and accurately breaks down in his response to Gary’s piece, How We Want Recruiting and Hiring Managers to Behave, this is a problem that needs to be addressed by recruiters, hiring organizations and all the stakeholders involved in the hiring process, and job seekers together.
I appreciate Gary and Bill recognizing CyberSN as a company that is dedicated to solving the challenges associated with hiring security professionals and the frustrations they experience on the job search front. We are on a mission to dramatically decrease the frustration, time, and cost associated with job searching for IT Security and Cyber Sales professionals. You can read more about our Founder & CEO, Deidre Diamond’s Mission and Vision here.
Deidre and I met at the RSA Conference in 2015 when I was still running Indigo Partners, and we connected instantly. Rather than seeing each other as competitors in this small cyber recruiting niche, we bonded in discovering how perplexed and disheartened we each were by our very own recruiting profession and the bad, but deserving rap, that our industry has earned as a result of the very behavior Gary discusses in his article, which is what led us to found our own firms in the first place, and ultimately unite.
The commoditized, keyword search approach to recruiting, that I believe emerged in recruiting in the ‘90s as a result of the job boards’ arrivals, was already a problem when we were each placing IT and software professionals; it’s just further exacerbated in InfoSec as Gary, Bill, and so many of you have experienced in this noisy marketplace.
This is unfortunate for the job seekers who get bombarded by LinkedIn requests, emails, and calls about unrelated, mismatched jobs. It wastes their time and leads them no closer to identifying their next opportunity. It’s bad for the hiring organization, who engages several agencies expecting candidates to be properly vetted, but ends up creating more work for themselves by fielding untargeted, sub-par resumes from multiple sources that don’t get them any closer to filling their jobs. It’s a colossal waste of money, time, and energy that companies are expecting to avoid by turning to an external firm in the first place.
Contingency search is an outdated, broken model that needs to be re-examined by both hiring companies and recruiting agencies to determine the true cost of doing business this way for both parties. You can read an article I wrote about the lunacy of contingent search “Would You Work for Free?” here.
On the surface contingency search seems to make sense, most especially for the hiring organization. Give the open position to several agencies and may the best man or woman win. There is perceived little risk to the company, who only pays a fee to the recruiter if their candidate gets hired.
The hiring organization thinks more is better, meaning, they believe they are maximizing coverage of their job and increasing the probability of a successful hire, when in reality, it’s the exact opposite. The more agencies a hiring organization gives the opening to, the less the contingent recruiter works on it because of the inherent risk involved, thus the unskilled, low-cost provider behavior that ensues. The feeding frenzy (or as my security friend Chris Olive calls it, “The Hunger Games of Recruiting”) kicks in as soon as they receive the job order. The risk and cost is too high for most contingent firms to invest the time, energy and resources to conduct a search the way a hiring organization truly needs it to be executed.
While the contingent recruiter is often competing against other agencies that vary widely in skill, process and integrity, they are also competing against their internal recruiters, hiring managers’ networks, employee referrals, company website job posting, and external paid job board postings. This is all in the hopes they will beat the odds that are stacked against them to “earn” their fee and get paid for the quite hard and time consuming work involved with sourcing, engaging attracting, and securing exceptional talent, WHEN it’s done properly.
And the ultimate hope, of course, is that the company will NOT end up not having to pay a fee due to their own sourcing efforts, even though they really appreciate the efforts of the “good” contingent recruiters who actually do due their due diligence and do the job the way it’s meant to be done.
It puts both the “good” and “bad” recruiters in a position of assuming all the risk and working literally for free with companies while demanding that the specialized, experienced and adept recruiters lower their fees to the same below-market fees that the aforementioned under-skilled, under-performing and sometimes unethical recruiters agree to!
Contingency search doesn’t make sense for the highly-skilled, professional, seasoned recruiters who have spent their entire careers building genuine long-term relationships with their clients and candidates making true matches. All recruiters are not created equally, as we have all experienced, and companies have to stop lumping them into the same bucket, expecting to pay the same price across the board for their services. The old adage, you get what you pay for, certainly applies here.
Just because the recruiting industry and hiring organizations have always done things a certain way doesn’t mean that’s the most efficient or effective way to do business, as we have all painfully experienced over the years. A paradigm shift is required for how companies go about securing security talent and how recruiting firms operate in order to remain profitable and relevant, and we at CyberSN are in the process of breaking the rules of our industry in order to fix what’s broken and make job search simpler.
In my next post, I will share how our “Engaged Model” is a no-brainer if you have a critical opening that needs to be filled quickly and efficiently and the budget to pay an external niche recruiter. If you are mentally and physically prepared to pay an agency fee, then engaging one firm who specializes in the area you are hiring for just makes good business sense.
“The real cost of your jobs remaining open” series on the subject of cyber staffing and recruiting challenges is also forthcoming. We will peek behind the curtain to see how companies create their own roadblocks with their current recruiting strategies and how to remove the barriers that are getting in the way of hiring the best security talent. Hint: It is not based on the cyber talent shortage!
