There’s been a lot of buzz in the media in recent years about a cybersecurity staffing shortage. While it has certainly been a challenge for some companies to fill their cyber teams with great talent, CyberSN President Mark Aiello points out in his recent piece in Forbes, “Four (Self-Inflicted) Roadblocks To Finding Quality Cyber Professionals,” that some of the struggles companies have could be of their own making.
“As a longtime veteran in the security recruiting game, I witness the perceived cybersecurity talent shortage affecting the industry broadly,” writes Aiello. “At the same time, I also know that many of the biggest hardships organizations experience in building security teams are self-inflicted. There are many leaders who manage to attract and maintain stellar teams year in and year out in spite of the perceived shortage, and it's not due to sorcery.”
In his piece, Aiello discusses four common roadblocks and provides a clear fix for companies who are looking for a clear path to filling their cybersecurity roles. You can read Aiello’s full article in Forbes here and get more tips on how to ace cybersecurity recruitment on the CyberSN blog.
While demand for top flight cyber talent is hotter than ever, top line recruitment is often hindered by outdated and uninspired compensation planning. Let’s go inside the latest report findings from cybersecurity search firm CyberSN.
– This story was featured on HuntScanlon.com on January 3, 2018 –
Authors: Scott A. Scanlon Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media with contributions from Deidre Diamond, Founder and CEO of CyberSN.com and #brainbabe and Veronica Mollica, VP of Cyber Staffing at CyberSN
In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field. Heightening the issue is an ever-growing threat of security breaches combined with a dearth of information about compensation for cyber roles, the firm reported in ‘The Cybersecurity Hiring Crisis.’
“What many organizations are failing to realize is that by not investing properly in cyber professionals, they’re sending the message that cybersecurity is not a priority,” said Deidre Diamond, founder and CEO of the international cybersecurity recruitment firm. This creates a retention and attrition problem that nearly eclipses the recruiting challenges faced by many companies seeking cyber talent.
“Organizations must be willing to invest in the critical roles that will keep their organizations up and running as the cyber industry continues to evolve,” said Ms. Diamond. “The best way to do this in a highly competitive market is to offer top compensation and benefits to attract and retain talent.”
As cyber threats change and become more complex, cybersecurity professionals are playing an increasingly vital role in their organizations. Their jobs, once considered optional, are now a mandatory part of ensuring that their companies’ critical data and processes are properly protected. Demand for such positions is at a record high – and keeping recruiters across the field loaded up with business. But talent supply lines have failed to keep up. There is, in fact, a projected workforce gap of 1.8 million cybersecurity positions, said CyberSN citing a recent (ISC)2 report.
For their study, CyberSN gathered information from across 53 organizations and 83 cybersecurity positions. The firm also conducted in-depth interviews with chief information security officers (CISOs) and hiring managers responsible for recruiting cyber professionals into their organizations.
A Lack of Transparent Data
“Many of those we interviewed echoed a common theme – namely, there’s a gaping lack of security talent,” said Ms. Diamond. And, it is a problem that becomes more pronounced when organizations look to recruit more senior talent. “Now, more than ever,” said the report, “companies are competing against the likes of Netflix, Google and Facebook for high quality candidates.” The lack of transparent data around salaries is simply making it more difficult to compete with them. “In order to recruit more effectively for cybersecurity industry positions, there’s a clear demand for accurate information that includes real-time, market-driven compensation data,” according to the report.
A central issue is that many organizations equate cyber jobs to IT positions when it comes to compensation and benefits. Yet the roles are completely different. “Organizations look at cyber like they look at IT, yet cyber salaries are higher based on supply and demand,” said Veronica Mollica, vice president of cybersecurity staffing for CyberSN.
“Oftentimes, IT doesn’t want cyber making more because it becomes an uncomfortable conversation about why one person is worth more than another.” The result is a round and round discussion and no change in the status quo, she said. “The position can then sit open for six months or more before a search firm is engaged to help,” said Ms. Mollica.
In the end, according to CyberSN’s report, more than 50 percent of the companies polled had to increase their initial salary cap in order to hire cybersecurity talent.
Nor does it help that much of the information that companies use about cyber salaries is inaccurate or out of date. “Salaries change every day and HR leaders have had trouble staying current,” said Ms. Mollica. “We see quite often that cyber leaders don’t feel supported when they sit down to have these salary conversations with HR. It’s not a welcoming environment.”
Critical cybersecurity roles, meanwhile, go unfilled for too long. Organizations are reluctant to pay more and candidates tend to refuse to switch jobs for lateral compensation, let alone a lesser amount. “What we see happen is a job goes unfilled over a $10,000 difference,” said Ms. Diamond.
The truth is that money very much matters with these in-demand roles. Few companies outside of Google and Amazon can convince prospects to take a smaller salary by offering enticements like stock options, said Ms. Diamond. Most companies have no interest in paying up, but by denying that it’s a candidate’s market businesses are only hurting themselves, she said. “Why would you want to nickel and dime for the best talent?” she asked. “If candidates are interviewing with you, they are interviewing other places too.”
The cybersecurity salary cap issue is the result of both growth and the departure of employees, said Ms. Mollica, but less about what the previous person in a role was earning. “When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization,” she said, “but the people in the current positions aren’t earning market value. That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.”
The Value of Breaches
Bad experiences, Ms. Diamond said, will ultimately be the key to change. More intrusions. More money lost. More corporate reputations damaged or destroyed. Sooner or later, businesses will learn that it is more cost effective to take preventive action than to suffer the consequences of a breach or a regulatory fine. “When I think about where we are today, it’s only the breaches that have gotten us the budgets,” she said.
Hunt Scanlon Media recently sat down with Ms. Diamond to talk about the challenges that her firm and its clients face in filling cybersecurity roles.
Deidre, why is recruiting cybersecurity executives so difficult?
Cybersecurity experts are incredibly busy. Not only are their departments frequently understaffed, but their jobs are mission-critical to the success or failure of their organizations. Their roles can often be more similar to that of an emergency first-responder than an IT professional. Because of the fast-paced and high-profile nature of their work, they don’t even have time to spare for recruiters. And that’s an important issue because we have found that HR generalists simply are not equipped to oversee the hiring process for such specialized, in-demand, hard-to-find talent.
How can the search process be improved?
Executives in search of cyber talent need to use specialized cybersecurity staffing agents. Job seekers are looking for companies committed to a cyber budget, who value career growth and share in their cyber passion. Retention is just as important to hiring and if organizations don’t meet these needs, statistics show that cyber professionals will not hesitate to vote with their feet and change jobs.
Why is the cyber function so important?
Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success. Companies are depending on their cyber resources to detect, protect, innovate, automate and meet compliance standards. Security breaches have significant impact to a company’s reputation, customer confidence and sometimes unpredictable financial impacts. Companies with great hiring and retention plans attract and retain talented and passionate cyber professionals.
Hence the need to pay up for these professionals?
Yes. Our research and experience show us that companies underestimate what it takes to get the right talent in the door. In our research study, over 80 percent of the companies we looked at had to raise their salary cap in order to make the right hire. HR and staffing resources do not have real time salary data available and so they are often not prepared to pay what it takes to hire talent in this market. One thing we are beginning to see is that many companies are getting more creative with their total compensation packages. Equity, paid benefits, telecommuting, relocation assistance and other perks are often included to make offers more attractive to these highly sought after professionals. Often, that outside-the-box thinking pays off!
Quibbling over dollars leaves jobs unfilled and companies at risk
Originally published on Medium [story no longer exists], this interview was conducted in November 2017 to explore the “CyberSN Research Study: The Cyber Security Hiring Crisis” in more detail. Read on to learn more about our findings on if salary caps threaten national security.
In today’s data-driven world, it seems impossible to imagine that among all the information that’s been collected and aggregated there is no repository with real-time cybersecurity salary data.
Yet, in cybersecurity — one of the fastest growing industries in the world — the compensation data across all positions is unreliable or inaccurate according to recently released research from CyberSN.
Analyzing information across 52 organizations and 83 cybersecurity positions, The Cyber Security Hiring Crisis: A Cyber SN Research Study, reveals that the majority of companies needed to raise their salary caps to hire cyber security talent.
For most companies, though, salary caps aren’t getting lifted and positions remain open because “Current HR practices around salary reviews and adjustments fail to meet industry requirements.”
These research results beg lots of questions, particularly if security is a real concern rather than a checkbox for compliance.
In order to better understand how salary caps can be something that stands in the way of enterprise security, I spoke with CyberSN founder and CEO, Deidre Diamond who offered insightful answers to my questions.
Q: With the growing jobs gap looming over the industry, why are salary caps one of the top issues in recruiting cybersecurity talent?
A: Organizations look at cyber like they look at IT, but cyber salaries are higher based on supply and demand. Oftentimes, IT doesn’t want cyber making more than IT because it becomes an uncomfortable conversation about why one person is worth more than another.
As a result, it becomes this round and round discussion that results in nobody wanting to do anything, so the salary caps remain. The position then sits open for an average of six months while they continue to search for someone to fit within their salary cap.
The reality is that even if the data they are using is a month old, it’s old data. Salaries change every day and HR can’t stay current.
We see quite often that cyber leaders don’t feel supported when they go to have these salary conversations with HR. It’s not a welcoming environment.
Q: So is the issue that the data is unreliable because it is old, or is the data non-existent?
A: For those people who are using old school bureaus, the data is definitely old. Those reports come out once a year, and a lot of times, security as a role isn’t necessarily in that data. The Department of Labor doesn’t even have cyber as a job listing.
If there is cyber, it is usually one role around information security. But, there are 45 different job categories in cyber, and most security people are doing three jobs in one even though the person is paid based on a title. That isn’t going to work.
The data they are using is not concise, but most often the people in HR think it’s legitimate and helpful. The reality is, the cyber industry is so different from IT and software.
Q: Are the salary caps a recruiting issue depending on job level?
A: It’s across the board. It doesn’t matter. Everybody wants to pay what people are already making, but the candidates aren’t going to take the risk of moving based on a lateral compensation.
We don’t see entry level positions. People don’t hire entry level because they are already understaffed. Among the masses, nobody has the budget to take an entry level person and train them. They don’t want to do it, but how do we bridge the gap?
Only 20% of the marketplace is picking up entry level people to train because the majority can’t afford it.
What we see happen is a job goes unfilled over a $10,000 difference. So often they don’t hire a person because internally companies see raising the cap, even $10,000, as a bad move.
Changes to the Equal Pay Act are going to change all of this. We can’t ask for information about somebody’s base salary. So, will people then be guessing at the offers? Right now they start with base salary and go from there, but the EPA changes are going to create more churn.
Q: What are some creative tactics companies are using to make the full compensation package more attractive?
A: Total compensation absolutely matters, and it is a part of the entire conversation. But who wants to take less money? In our four years of being in business, we have only seen two people take a lesser salary for an opportunity.
Most people won’t even move for lateral compensation. Very few companies can pull off a lesser salary by offering a better total compensation package. If you are Google or Amazon, you can maybe get away with replacing the base salary with stock options, but people aren’t leaving because of money.
So why would you want to nickel and dime? If they are interviewing with you, they are interviewing other places too. Put your best offer out there because you don’t want to end up in a place where they didn’t take the position and you could’ve done more.
Q: Are the salary caps the result of growth or is it that people are leaving? If it’s turnover, is the salary capped at what the previous person was earning?
A: It’s 50/50 replacement and growth, but less about what the person was previously making. When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization, but the people in the current positions aren’t earning market value.
That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.
Q: Are salary caps an issue across all sectors? Which silos are willing to raise the caps in order to hire talent?
A: We offer sales staffing for security companies, and the issue is the exact opposite. You never run into this issue of salary. For most cyber roles, it’s six months before they decide to outsource. In sales, it’s day one. Companies don’t care about security, they care about revenue.
Yet, the number one reason people want to leave is because the company doesn’t really care about security. What’s heartbreaking is that these people are problem solvers — protectors who really understand how everything works, but they are underutilized, which makes the job satisfaction minimal.
The best salaries come from software companies, particularly for positions in sales and anything to do with the customer success process. Then consulting firms — managed service providers. Anyone that’s closest to revenue.
Q: Companies are starting to invest in cybersecurity insurance. Looking at the reasons we have talked about, why do they need to raise caps if they can get away with security as a check box and buy insurance coverage?
A: As a CEO, I can answer that for myself. When we talk about these insurance companies, we don’t know the future of what the policies will look like. The reality is that no breach costs the same for any one company. There’s so much that is unknown. Policies are going to be basic, so it really isn’t a way to avoid investing in security.
It comes down to the question, “How much risk are people willing to take?” I’m seeing that people’s risk tolerance is still pretty high.
Q: What will be the impetus for change?
A: More breaches. When I think about where we are at today, it’s only the breaches that have gotten us the budgets. More and more people need to feel the pain through breaches or penalties, and we are seeing more regulations coming out.
It’s highly unfair that according to the PCI standards, companies can be fined by the bank for not securing customer data, but how about Equifax getting my personal information stolen? There’s no consequence.
PCI was the first time we saw fines and that’s when we saw changes, then HIPAA. When we see regulations that fine people, we start to see cyber budgets.
The Equifax breach had no consequences, but the laws are now being put in place.
Companies that are not investing in recruiting and retaining for cyber security jobs will pay with a breach.
Friends, our lack of real-time salary data and our poor hiring practices are causing unnecessary stress and productivity breakdown. The cybersecurity talent shortage is not an excuse for unfilled positions. CyberSN has performed thousands of searches and compiled valuable data that shows why jobs go unfilled for reasons beyond the talent shortage. We commissioned a research study focused on hiring challenges in cybersecurity, conducted by Dr. Chenxi Wang, PhD. of The Jane Bond Project.
For over 20 years, I have worked side-by-side with technologists and cybersecurity professionals. I have consistently felt the pain that occurs when a team is overworked and understaffed. I commissioned this study to empower organizations that want to hire and retain cyber talent regardless of the talent shortage.
Spread the word: you and your teams no longer have to suffer!