Tips on how to land your next Cybersecurity Job

 

by Mark Aiello, President, CyberSN

Hey Cybersecurity Professional. We’ve got something to share with you. With an estimated 500,000 open cybersecurity jobs, you would expect to be able to find the job of your dreams. You can, although it’s not as easy as you think. You are in demand but you still need to tread carefully. If you want to be in control and Pwn Your Career, take our advice on some of the pitfalls along the way so you end up with a job that you love.

#1 Complacency

You owe it to yourself to love where you work and love what you do. You don’t need to follow Johnny Paycheck’s advice about what to do with your current job. Just make a commitment to yourself that you can be happy and love where you work. There are millions of people who love what they do and where they work. You can be one of them. Avoid complacency by answering these questions: What’s my passion? What drives me? What type of culture and team do I want to be a part of? What type of work will excite me every day? Then take the next step and make a commitment to yourself to begin the job search.

#2 Solely relying on today’s job boards

Today’s job boards are completely inefficient and mostly ineffective. Job descriptions are generally misleading, inaccurate, and poorly written. You’ll receive 20 bad search results for every one that looks promising. Don’t put your trust in secret algorithms that only return what they think you want. Search for companies that appear to be a good fit for you and proactively reach out to their security leaders. Don’t rely on just one method of finding a job. Take control of your career by actively seeking out opportunities that are interesting to you.

#3 Going it alone

Don’t solely rely on job ads. Haven’t you heard about the secret menu items at In-N-Out Burger? The same is true for jobs. There are a lot more job openings than what you can find in a Google search. Look for companies that are growing, just received funding, or are in the news (sometimes because of a breach). Many high-growth companies are moving faster than their talent acquisition team can keep up. Connect with their security leaders and let them know you are interested should they find themselves in need of someone with your particular set of skills. Join local security organizations and network with the people you meet. Develop a relationship with a recruiting firm that specializes in cybersecurity and can make you aware of opportunities before they become posted job ads.

#4 Not applying because you can’t check all the boxes

So you skipped numbers 2 and 3 above and you found a job that looks promising. Except for one minor detail – you don’t have all the skills that are listed as required. Don’t let it stop you. Apply anyway. Most job descriptions are an amalgam of previous job descriptions. Nobody likes to write job descriptions and most people do a poor job when they do. Many times it is a group effort with everyone adding their specific requirements. Chances are unicorn-ishly slim that there is a perfect candidate for the role. So take a shot and present yourself as a candidate.

#5 Assuming they have to play by your rules.

Applying for a job can be like running an obstacle course. Some companies throw too many challenges at cybersecurity candidates, which can be a turn-off: multiple interviews (video and in-person), proficiency and personality tests, challenges, and just taking their sweet time. Don’t be fooled into thinking that you shouldn’t have to follow their process because you are in such demand. Play the game and be prepared. Ask prospective employers about their process. Prepare yourself for it and the new interview experiences that you might encounter. Ask with whom you will be interviewing and do some homework. Chart the uncharted territory and when you get hired, if you want, you can change it from the inside.

Take control of your career. Find and do work that feeds your passion, grows your rewards and satisfaction, and meets your career and personal goals. Educate yourself on career paths, job types, and compensation and industry data. Find jobs that are interesting to you and that you are qualified for and engage the right opportunities at the time you see fit. Empower yourself to let your talent, skills and desires lead the way to your best career and reap the rewards of your profession. Know your worth. Find your fit. Plan your path. Pwn Your Career.

 


This article first appeared in Cyber Security Magazine - October 21, 2021

 

As we get into the swing of 2021, we thought it would be pertinent to dig in a little bit and figure out what the top cybersecurity jobs are in the current industry landscape that can lead to a prosperous cybersecurity career. As we all well know, cybersecurity careers are very much on the rise as the demand for skilled cybersecurity professionals continues to outpace the available workforce. This is a strange reality, and with it comes the potential for great opportunity.

Today, there are over 521,600 open cybersecurity jobs nationwide. You read that correctly. Over a half-million available positions… For those already working as a cybersecurity professional, the opportunity for job advancement has never been better. The question is, what is the best line from point A to point B as it relates to your success in a cybersecurity career?

To help facilitate that answer, CyberSN has uncovered the top five cybersecurity jobs in 2021 that are both in-demand and present a great path for a highly-successful career in cybersecurity. As you read on, we will detail the top jobs in the cybersecurity marketplace and where they can take you as your cybersecurity career moves forward.

Top Five Cybersecurity Jobs Right Now

Job One: Cyber Threat Hunter

Open Nationwide Jobs: 18,400+

General Requirements: Four-year degree in Cybersecurity, some employers require a Master’s Degree

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses. See CrowdStrike for more information.

Currently, there are over 18,000 Threat Hunter jobs open in the US alone. As more and more systems and businesses become fully digital, the potential for security flaws increases. These systems, both in the private sector and public sector, need skilled Threat Hunters to uncover threats and monitor adversary techniques to avoid data breaches and successful attacks.

Cyber Threat Hunters can expect to advance their careers through a number of paths, many becoming Cybersecurity Engineers creating frameworks to solve for the latest security threats. Others will move past the engineering stage into leadership roles such as Information Security Managers, Information Security Officers, or even Chief Information Security Officers (CISOs).

Job Two: Cloud Security Analyst 

Open Nationwide Jobs: 57,100+

General Requirements: Four-year degree in Cybersecurity, some employers require a Master’s Degree

A Cloud Security Analyst has detailed knowledge of common security threats, security controls, and associated technologies and practices related to securing cloud platforms, cloud services, and associated IT resources based on typical cloud technologies. They monitor and maintain existing cloud security environments, security performance, security testing, and setup.

Cloud Security Analysts generally feature educational backgrounds such as a bachelor’s degree in IT, computer science, or a related field. Previous work experience in computer science and network security systems provides job seekers with the best opportunity to obtain this role. Employers are often looking for 2-4 years of applicable experience in a similar cybersecurity working environment.

Currently, there are in excess of 57,000 Cloud Security Analyst jobs available throughout the United States. Given the times, many organizations have either made the switch, or are in the process of making the switch to a more comprehensive cloud based environment for their core business operations.

A Cloud Security Analyst is a great position to advance your career in cybersecurity with further growth opportunities. Cloud Security Analysts can expect to advance their careers through a number of paths which offer broader security reporting and threat monitoring. Others will move past the engineering stage into leadership roles such as Security Directors and Chief Information Security Officers (CISOs).

Job Three: DevSecOps Engineer

Open Nationwide Jobs: 6,200+

General Requirements: Four-year degree in Cybersecurity, some employers require a Master’s Degree

A DevSecOps engineer has involvement in and appreciation of every stage in the software project lifecycle, from initial design and build to rollout and maintenance. In a continuous integration/continuous delivery (CI/CD) environment, DevSecOps engineers are responsible for securing software deployment, identifying security threats, and the configuration of network infrastructure. DevSecOps engineers must have some knowledge of network protocols like HTTP, DNS, and FTP. They also need to know how to implement threat intelligence and risk assessment techniques and be up to date with the latest security best practices. Previous work experience in computer science and network security systems provides job seekers with the best opportunity to obtain this role.

There are currently over 6,000 DevSecOps Engineer positions open in the United States. Companies with a solid foundation of preventative thinking are employing more DevSecOps Engineers to help assess cybersecurity risk at the beginning stages of launching cyber based initiatives rather than implementing a solution and addressing system threats as they happen.

A DevSecOps Engineer position can move rather quickly through the cybersecurity career ranks and might expect to further their career by becoming an Application Security Engineer who works to combat cybersecurity threats pre and post system initiation. From that post, one can expect to move further up into a role such as a Security Director or Security Product Manager.

Job Four: Application SecOps Engineer 

Open Nationwide Jobs: 1,100+

General Requirements: Four-year degree in Cybersecurity, some employers require a Master’s Degree

From the BMC Blogs: a SecOps engineer is a security professional who is responsible for securing and protecting network systems, applications, and data. In short, a SecOps engineer supports enterprise security operations. SecOps engineers help to design and build all of these different computer networks and put tools into place to secure and protect them. These systems typically require regular maintenance, so SecOps engineers must update and tune them, and return to them as operations issues arise. Security engineers are also responsible for deploying new security software and hardware.

There are currently over 1,100 vacancies for applicable SecOps Engineer positions throughout the country. This number is likely one that will continue to grow due in part to the number of different applications organizations are designing and integrating to fulfill unique mission tasks. Thus, there will be an increased interest in having a cybersecurity professional like a SecOps Engineer to “own” these vital application environments and protect them from threats.

A SecOps Engineer can expect to experience cybersecurity career growth by taking the next step and becoming the organization’s pointed Security Engineer who would oversee the tasks and goals of an applicable team. From there, it’s realistic to expect to become a Security Director or Security Product Manager down the line.

Job Five: Security Engineer

Open Nationwide Jobs: 29,000+

General Requirements: Four-year degree in Cybersecurity, some employers require a Master’s Degree

From Cybrary: A Security Engineer is tasked with the role of protecting the networks and computer systems of a company from any security threats or attacks. A Security Engineer is responsible for establishing and implementing security solutions that can defend a company and its networking assets. This can be accomplished in a variety of ways. Just a few of the essential duties of a Security Engineer include: establishing security standards and best practices that an organization should follow, evaluating an organization’s systems, networks, and data to determine what types of security protocols are necessary, developing proper security measures to meet an organization’s needs, implementing security controls to protect an organization’s infrastructure and digital files, monitoring and upgrading security measures as necessary, and responding to any security breaches or intrusions that may occur.

At this moment there are in excess of 29,000 open Security Engineer positions. This is an area that is ripe with opportunity as businesses everywhere move to employ Security Engineers with the skills necessary to design and maintain stout cybersecurity architectures that facilitate business operations without fear of costly data breaches. System Engineers will often be employed to manage and oversee a team of cybersecurity professionals to see to it that the overall digital architecture is armed and operating effectively to defuse disruption.

As a Security Engineer, you can expect in due time to have a great shot at becoming a Security Director who would oversee the cybersecurity efforts of an organization.

So What’s Next? 

We’ll end this conversation the same way we started it… There’s A LOT of opportunity in the cybersecurity marketplace right now. With over 521,600 open cybersecurity jobs nationwide, there’s no shortage of positions to be had, and if you’re a cyber professional your path to continued or bolstered success in advancing your cybersecurity career is yours to choose. On the flipside, if you’re a hiring manager looking to solicit the help of a qualified cybersecurity professional, you likely already know that the competition is fierce, so consider your pitch, and put some time and energy into making sure it’s worth the pursuit. If you need help, we’re here for you. Programs like CyberSN’s KnowMore platform offer tools and templates to build job descriptions specifically targeted toward people in the cybersecurity industry for free.

Happy New Year. After a year of uncertainty and emotional stresses, I look to 2021 with great optimism. The cybersecurity community is significantly stronger and being counted on now more than ever. The need for cybersecurity talent has grown exponentially. The importance of cybersecurity professionals is universally understood and appreciated at a much higher level.

We as a community are treating each other better too! It’s wonderful to see our cybersecurity leaders working together the way we all are. Our response to recent breach announcements shows us that we have learned to support each other. I remember when Equifax shared their breach a few years back, the CISO at the time was attacked and ridiculed. Fast forward a few years to the FireEye/SolarWinds breach; the cybersecurity community has been kind and supportive to the cybersecurity leadership victims. It’s awesome to see this advancement in our ability to provide empathy and support vs. blame and shame. We are one team and we all can be breached… We are defending against more attackers than we have defenders and therefore we must work together. Thank you for bringing this empathy and kindness to the cybersecurity community; we will attract and retain more talent, to include diverse talent, when we come from a place of empathy and kindness.

Below I have highlighted five contributing factors that we predict will lead to significant growth in the cybersecurity job market in 2021. Please feel free to reach out anytime. CyberSN is 100% focused on solving your cybersecurity talent challenges.

Cloud security roles will have a significant impact on organizations

Cloud computing has provided attackers with a larger set of potentially exploitable targets than before the digitalization shift. Increases in new or past rapidly planned cloud deployments have created additional opportunities for attackers to elevate privileges, add persistence, and breach credentials and data. Roles that manage cloud cybersecurity risks to accelerate business operations, data privacy, and compliance will be critical in 2021.

CISO will revisit and revamp strategy

Cybersecurity spending is projected to increase in 2021. CISOs will revisit and revamp cyber strategies addressing potential threats and detection/defense gaps introduced by remote workforces, authentication threats, on-premise office infrastructure, cyber hygiene, supply chain threats, and cyber awareness.

Data will influence cybersecurity roles

Data-driven approaches will begin to solidify threat and incident analysis, threat anticipation, and breach response practices. Data-driven cybersecurity will influence decisions on “normal patterns” versus anomalies and provide insights from all cybersecurity data, visualizations, and reusable models. All of this will inform adding intelligence, automation, and measurable value.

Application security and DevSecOps roles have become critical

Cybersecurity programs will leverage Application Security Engineers and DevSecOps professionals to focus on integrating automation into the development pipeline, rather than detecting software flaws. This proactive approach will enable them to manage risks which lead to security vulnerabilities in APIs, production software, and the overall architecture.

Threat Hunting has become a priority

The rapid shift to digitalization has added data access complexity as well as less visibility and potential blind spots for SOC analysts and Cyber Fusion teams. Recent breaches have reminded the cybersecurity industry that alerts from defense products should not be the time to begin searching for breach indications. Organizations will reinforce their cybersecurity playbooks by enhancing or adding proactive approaches which will include threat hunting and threat awareness.

Let’s work together

As the new year unfolds, so too do the unique challenges that present themselves to us. This is especially true in the cybersecurity industry. As quickly as we develop new, bolstered proactive processes and technologies to minimize potential breaches, new threats are born and introduced to challenge those very efforts. Thus, as we stated in our intro here, we must work collaboratively to create success as a collective whole. Cybersecurity isn’t only an industry, it’s a community, and we as cyber pros are each a thread in that ever-growing fabric. When we band together, that fabric becomes stronger, and with that, success is more easily accomplished. CyberSN is dedicated to the successful advancement of the cybersecurity workforce. Let’s work together and make 2021 the best year yet!

Cybersecurity job titles are all over the map. Some companies have their own definition of what a security engineer does, while another company requires a whole other set of skills and experience. Cybersecurity roles and responsibilities for specific job titles can vary from organization to organization, leaving many hiring managers, HR recruiters and job seekers speaking different languages about the same job!

The NICE Cybersecurity Workforce Framework attempts to standardize cyber job titles in a 144-page document. Few companies have HR recruiters who have even heard of NICE, let alone know what any of these job title definitions are. The Bureau of Labor Statistics put most of cybersecurity’s many different roles and responsibilities under the giant umbrella of “information security analyst,” defined as people who “plan and carry out security measures to protect an organization’s computer networks and systems.”

Defining these roles and responsibilities should not be complicated. While there will always be slight differences between different jobs at different organizations, having standardized terms makes it easier to search for talented cyber pros. Here you can find a list of 45 Cybersecurity Job Categories and many more subcategories that will help you use the right language to create a job description cybersecurity professionals will want to apply to.

Before you dive into the list, though, let’s go over some of these categories and what they mean.

Cybersecurity Leadership Roles

When it comes to C-level leadership roles, the titles are pretty self-explanatory. Chief Information Security Officer (CISO) and Chief Security Officer (CSO) are the people who oversee all of cybersecurity and then some. When it comes to keeping the company safe from cyber threats, the buck stops there.

Similar to the CISO and CSO are roles like Security Director, which can have different names and areas of focus depending on the type of company and its size. For example, a CISO may have a Cloud Security Director and an Information Security Director reporting to them. Other leadership roles that bring with them more responsibility and higher compensation include Privacy Officer, Compliance and Risk Manager, and Security Product Manager.

For many years, corporate leaders looked at cyber leadership roles as purely technical, but with the speed of today’s attackers and the importance of aligning with the business, Board of Directors and strategies throughout the organization, well-rounded leaders are more important than ever. As Harvard Business Review notes, “Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead. And that means companies need to hire and develop security executives who have the skills to do so.”

Wide Range of Technical Cybersecurity Job Titles

Technical roles include both people who configure, maintain and tune the systems for securing information as well as those who defend, detect, and respond to attacks.

Security engineers may build or monitor the environments and protections to minimize attacks before they can happen. Application Security Engineers are focused on securing software applications. Then there are Security Analysts who monitor and may actively hunt for threats and Incident Responders who review and remediate identified threats. There are Penetration Testers who look for vulnerabilities much like an attacker would and Cryptographers who focus on encryption.

As we’ve said before, it’s not just the title that matters. Hiring managers must vet candidates based on whether they have the right skill set for the job. Having the wrong title on your job description could prevent you from finding that person. When people search for potential jobs, they start first with their own title and then run through similar, frequently used titles that closely match their skills. If they aren’t looking for your job title, they may never see the opening at your company.

In turn, some great candidates may work at a company that uses uncommon or unconventional titles. If your organization vets professionals using resume search software, it may miss highly qualified people.

Non-Technical Cybersecurity Roles

There are a number of cybersecurity roles that focus on executing and integrating security measures across the organization through policies and programs. Many of these are considered GRC (Governance, Risk and Compliance) roles. This can include Security Auditors, Cybersecurity Attorneys, Cyber Insurance Specialists, Security Awareness Trainers, and Customer Support Representatives.

Attackers depend on human error to infiltrate organizations, which is why it’s so important to have liaisons between human resources and technical roles within cybersecurity. Too often the job of ensuring every employee understands the importance of security practices falls onto the wrong department: IT may be charged with finding cyber insurance, or HR may show a short security protocol video during onboarding, never to be mentioned again. Non-technical cybersecurity roles are needed to keep large organizations focused on protecting their data.

Using a common language is essential in any profession, whether it’s technical or creative, and cyber is no different. As cyber hiring consultants, we’ve worked to use a common language so that it’s easier for people to find the kinds of jobs they’re looking for, and for companies to understand the skills potential hires would bring. Getting familiar with cybersecurity roles and responsibilities for each job title will help your company do the same as well.

Hi Friends,

Over the past few weeks, I have been sharing what we are seeing during this crisis (which you can find in my first two blogs here and here). In this installment, I am adding a new section that speaks to why people are leaving their current job for another. I believe this information proves the point that the reason why people leave their job is the same regardless of what crisis is going on. Stay well. xo

Jobs on Hold

We are still seeing about 60% of the market keep their jobs to fill on hold. This concerns me greatly considering cybersecurity professionals are being taken off of security tasks so they can support IT, which ISC2 recently documented in a survey on this challenge. Many companies are still working to get on the same page within their organizations and aren’t able to address jobs that were open when the COVID-19 crisis began. Until these organizations can get ahead of firefighting, we expect these jobs will remain on hold.

Layoffs continue to be under 5% for cybersecurity professionals; fingers crossed this continues. Unfortunately, many organizations are planning for large layoffs or have already started, yet we remain very optimistic for cybersecurity professionals’ job security.

Organizations Are Hiring

Yes, they are. These companies are not only hiring, they are also taking advantage of pipeline development. There is no doubt that organizations that are hiring during this crisis are seen as extremely sound because they are hiring, showing the community that they believe in what they are doing and will keep moving forward.

Start Dates

Unfortunately, we are still dealing with visas taking months to finish sponsorship paperwork when it used to take weeks. This is causing non-US citizens to not get hired because the two to three month start date is a lot for an organization to absorb when they need work done. Many organizations are still hiring people who need sponsorship; just much less during this time or expedition being on hold.

Mental Health

Cybersecurity threats are up even more. With the economy needing us all to go back to work, cybersecurity professionals are just as stressed as anyone. Long months of working from home come with vulnerabilities that add to this stress. Check out our CSO and Strategist’s blog post about key threats from our “new normal.”

CyberSN has real data on the reasons people are leaving their job, based on placements we made in March and April of 2020. Even during this crisis the number 1 reason people leave their jobs is lack of advancement and opportunity. The number 3 reason for leaving, listed below, is certainly a reflection of the times.

What was the reason for leaving your job?

I hope leaders can think powerfully right now; for the future requires us to make good decisions. Everyone who is laid off will have to be hired back and the roles put on hold will need to be filled in order to succeed again.

Moving Ahead

CyberSN has been closely tracking cybersecurity hiring and staffing levels throughout the country and is a trusted resource for a number of large businesses. Later this spring, we will unveil new service options that can help companies find the talented cybersecurity professionals they’re looking for. Check back on our blog for more updates on this exciting new development, as well as the state of the cybersecurity job market. Stay tuned!

Deidre

Shifting roles within the cybersecurity industry can be extremely difficult. Job seekers are faced with a variety of frustrating hurdles they must overcome in order to find a great career fit. From firms underestimating the importance of cybersecurity roles, to nonsensical job descriptions, to outlandish job requirements, it can take an exhausting amount of effort to search cybersecurity jobs or even find an opening that’s worth applying to.

As a job seeker, you may have already encountered similar red flags while applying to positions. So the question is, how can you find the right fit in an industry with so many hiring and retention problems? There is a deep disconnect between hiring managers and cybersecurity professionals, and it can be difficult for anyone on their own to bridge that gap. Luckily, that’s where expert recruiters step in and take the lead, helping to match professionals with great job opportunities that allow for personal and career growth. Here are some of the many ways that cybersecurity recruiters function to help you land your dream job. 

Recruiters Understand the Importance of Quality Cybersecurity Job Descriptions

Too often, hiring managers in charge of adding cybersecurity professionals to their team have no real understanding or insight into the job openings they’re posting about. As a result, you’ll find plenty of work experience requirements that do not match the role described in a listing. Other times you might come across a job description very clearly written by someone with zero knowledge of cybersecurity. Recruiters at CyberSN, however, take the time to work with hiring managers to ensure that job descriptions are as accurate as possible, so you know exactly what you’re applying for.  

Recruiters Help Companies Build Diverse and Highly Effective Teams

While there are cybersecurity hiring and retention issues in nearly every single department of businesses, the most glaring problem is created inadvertently by hiring managers. Rather than focus their energy on building an effective team of cybersecurity professionals with diverse experience and expertise, they instead spend all their time looking for one single candidate who can fill the shoes of multiple people. We all know that this is an impossible task, but it still happens all the time. CyberSN aims to reduce this crisis by helping hiring managers understand what talent their team needs to be as effective and efficient as possible.

Recruiters Know How Much Talent Should be Paid Based on Job Role

There’s a lot more to salary than just a number on a piece of paper. Besides an annual salary, cybersecurity professionals also want to know how they’ll be compensated with bonuses, annual raises, stock options, health benefits, retirement savings, paid time off, and everything else that we need to support ourselves. Recruiters can help you understand what your total compensation will be for a specific job role, and encourage you to vouch for yourself to get the best possible deal. 

Recruiters Can Help You Find the Right Match Faster

For many cybersecurity professionals, job hunting can become a part-time job in itself. Between trying to sift through the nonsensical postings to fruitless interviews, you could end up spending months searching for a new job only to be unsuccessful. CyberSN’s professional recruiters understand that your time is valuable, especially when you’re looking for a job. Our expertise in the recruiting field combined with our knowledge of cybersecurity puts us in a unique position to cut through the noise and present you with openings that best match your abilities and values. 

When it comes time to explore a new career, your first thought should be to work with a recruiter to help you find the perfect job. A good fit is the difference between a successful, rewarding career and a job that you leave after only several months. Recruiters can take the guessing games out of the application process and steer you toward the best roles for you. 

Quibbling over dollars leaves jobs unfilled and companies at risk

Originally published on Medium [story no longer exists], this interview was conducted in November 2017 to explore the “CyberSN Research Study: The Cyber Security Hiring Crisis” in more detail. Read on to learn more about our findings on whether salary caps threaten national security.

Author – Kacy Zurkus, Freelance Writer 

In today’s data-driven world, it seems impossible to imagine that among all the information that’s been collected and aggregated there is no repository with real-time cybersecurity salary data.

Yet, in cybersecurity — one of the fastest growing industries in the world — the compensation data across all positions is unreliable or inaccurate according to recently released research from CyberSN.

Analyzing information across 52 organizations and 83 cybersecurity positions, The Cyber Security Hiring Crisis: A CyberSN Research Study reveals that the majority of companies needed to raise their salary caps to hire cyber security talent.

For most companies, though, salary caps aren’t getting lifted and positions remain open because “Current HR practices around salary reviews and adjustments fail to meet industry requirements.”

These research results beg lots of questions, particularly if security is a real concern rather than a checkbox for compliance.

In order to better understand how salary caps can be something that stands in the way of enterprise security, I spoke with CyberSN founder and CEO Deidre Diamond, who offered insightful answers to my questions.

Q: With the growing jobs gap looming over the industry, why are salary caps one of the top issues in recruiting cybersecurity talent?

A: Organizations look at cyber like they look at IT, but cyber salaries are higher based on supply and demand. Oftentimes, IT doesn’t want cyber making more than IT because it becomes an uncomfortable conversation about why one person is worth more than another.

As a result, it becomes this round and round discussion that results in nobody wanting to do anything, so the salary caps remain. The position then sits open for an average of six months while they continue to search for someone to fit within their salary cap.

The reality is that even if the data they are using is a month old, it’s old data. Salaries change every day and HR can’t stay current.

We see quite often that cyber leaders don’t feel supported when they go to have these salary conversations with HR. It’s not a welcoming environment.

Q: So is the issue that the data is unreliable data because it is old, or is the data non-existent?

A: For those people who are using old school bureaus, the data is definitely old. Those reports come out once a year, and a lot of times, security as a role isn’t necessarily in that data. The Department of Labor doesn’t even have cyber as a job listing.

If there is cyber, it is usually one role around information security. But, there are 45 different job categories in cyber, and most security people are doing three jobs in one even though the person is paid based on a title. That isn’t going to work.

The data they are using is not concise, but most often the people in HR think it’s legitimate and helpful. The reality is, the cyber industry is so different from IT and software.

Q: Are the salary caps a recruiting issue depending on job level?

A: It’s across the board. It doesn’t matter. Everybody wants to pay what people are already making, but the candidates aren’t going to take the risk of moving based on a lateral compensation.

We don’t see entry level positions. People don’t hire entry level because they are already understaffed. Among the masses, nobody has the budget to take an entry level person and train them. They don’t want to do it, but how do we bridge the gap?

Only 20% of the marketplace is picking up entry level people to train because the majority can’t afford it.

What we see happen is a job goes unfilled over a $10,000 difference. So often they don’t hire a person because internally companies see raising the cap — even $10,000 — as a bad move.

Changes to the Equal Pay Act are going to change all of this. We can’t ask for information about somebody’s base salary. So, will people then be guessing at the offers? Right now they start with base salary and go from there, but the EPA changes are going to create more churn.

Q: What are some creative tactics companies are using to make the full compensation package more attractive?

A: Total compensation absolutely matters, and it is a part of the entire conversation. But who wants to take less money? In our four years of being in business, we have only seen two people take a lesser salary for an opportunity.

Most people won’t even move for lateral compensation. Very few companies can pull off a lesser salary by offering a better total compensation package. If you are Google or Amazon, you can maybe get away with replacing the base salary with stock options, but people aren’t leaving because of money.

So why would you want to nickel and dime? If they are interviewing with you, they are interviewing other places too. Put your best offer out there because you don’t want to end up in a place where they didn’t take the position and you could’ve done more.

Q: Are the salary caps the result of growth or is it that people are leaving? If it’s turnover, is the salary capped at what the previous person was earning?

A: It’s 50/50 replacement and growth, but less about what the person was previously making. When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization, but the people in the current positions aren’t earning market value.

That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.

Q: Are salary caps an issue across all sectors? Which silos are willing to raise the caps in order to hire talent?

A: We offer sales staffing for security companies, and the issue is the exact opposite. You never run into this issue of salary. For most cyber roles, it’s six months before they decide to outsource. In sales, it’s day one. Companies don’t care about security, they care about revenue.

Yet, the number one reason people want to leave is because the company doesn’t really care about security. What’s heartbreaking is that these people are problem solvers — protectors who really understand how everything works, but they are underutilized, which makes the job satisfaction minimal.

The best salaries come from software companies, particularly for positions in sales and anything to do with the customer success process. Then consulting firms — managed service providers. Anyone that’s closest to revenue.

Q: Companies are starting to invest in cybersecurity insurance. Looking at the reasons we have talked about, why do they need to raise caps if they can get away with security as a check box and buy insurance coverage?

A: As a CEO, I can answer that for myself. When we talk about these insurance companies, we don’t know the future of what the policies will look like. The reality is that no breach costs the same for any one company. There’s so much that is unknown. Policies are going to be basic, so it really isn’t a way to avoid investing in security.

It comes down to the question, “How much risk are people willing to take?” I’m seeing that people’s risk tolerance is still pretty high.

Q: What will be the impetus for change?

A: More breaches. When I think about where we are at today, it’s only the breaches that have gotten us the budgets. More and more people need to feel the pain through breaches or penalties, and we are seeing more regulations coming out.

It’s highly unfair that according to the PCI standards, companies can be fined by the bank for not securing customer data, but how about Equifax getting my personal information stolen? There’s no consequence.

PCI was the first time we saw fines and that’s when we saw changes, then HIPAA. When we see regulations that fine people, we start to see cyber budgets.

The Equifax breach had no consequences, but the laws are now being put in place.

Companies that are not investing in recruiting and retaining for cyber security jobs will pay with a breach.

———————————————————————————————————-

We love you, cybersecurity community. Please reach out if we can help you with your search or hiring needs! Email us: info@cybersn.com

Deidre