Friends,
Since I was a young girl I have felt a sense of responsibility to care for others, a responsibility to always help when people are scared, sad or stressed. Today I feel this even greater, as our world and our country faces a major healthcare crisis and as our economy is negatively affected; I am compelled like you to help. Thankfully myself, my team, and those I love have not gotten sick. Those of us who have this luck must do more and so we will.
We are all concerned, we are all affected; and we must stay informed. My team can help support us all to stay informed on the cybersecurity job market. By sharing what CyberSN sees in the cybersecurity job market from week to week we can lower our anxiety together 🙂 Knowledge is power. CyberSN can support the cybersecurity community by offering solutions to the new job challenges we will experience. Today is my first weekly share of knowledge and solutions. CyberSN is here to help. Please read on to learn how and share with our community.
As you read my assessment of the state of the cybersecurity job market, it's good to understand where my data comes from. CyberSN is a national full-service cybersecurity staffing and technology company. We have a high concentration of staffing leaders specifically in New England and the Bay Area. In our almost six years of business we have only staffed cybersecurity roles, no IT, no SW developers. We are the largest solely focused direct hire cybersecurity staffing firm in the US. We speak only cybersecurity.
Over the last four weeks myself and the entire CyberSN team have felt your stress, for your stress is our stress and vice versa. By way of business we are connected by jobs and jobs are the foundation of how we support ourselves and our families. In an economically challenged market, many jobs are at risk and everyone is concerned. At the same time the cybersecurity space was already short 500,000 professionals in the US before the COVID-19 crisis. In theory, this means that there should be no problems for cyber professionals to find work and yet there is more to this story. Unfortunately, our current job searching and matching system is broken, I have spoken about this vulnerability for years. You can see my talk from the RSA Conference 2020 to learn more about our broken job searching system. Now and moving forward through this economic challenge we will feel the impact of this broken job searching system even more. Today amongst all the unknown, we must think strategically about what we are doing and understand the risks upon us. Here is what we are seeing in the market, the problems and solutions included 🙂
As of today April 2, 2020:
70% of businesses put all jobs on hold two weeks ago and these roles are still on hold. These firms are putting all roles on hold, not just cybersecurity positions. Most cyber leaders feel the hold will last two to four more weeks and yet there has been no concrete timeline from those they report to. In addition, companies that are pre-IPO or directly affected by the health crisis directly such as manufacturing, travel, hotels, airlines, restaurants, and staffing services have put all roles on hold indefinitely and beginning layoffs or furloughs. We have not seen cybersecurity professionals being laid off at these firms. We have not seen these layoffs for cybersecurity professionals amount to greater than 1% as of yet.
30% of the market is moving forward, interviewing, hiring and onboarding cybersecurity professionals. These organizations understand that their cybersecurity teams are already overloaded and putting roles on hold would do more harm than good. The challenge for these organizations is the candidate pool is scared to make a move during the health crisis, further diminishing the available pool of talent.
Companies are pushing start dates for new hires that were scheduled for late March or April. We have not seen offers being rescinded from our clients and we have heard from 2% of the market that this has happened to them. Much of the start date push is due to the work from home mandate for non-essential industries. Many companies are not in the cloud and find the remote onboarding process to be too difficult.
Employment Eligibility Verification (Form I-9) seems to be a big challenge since law is that I-9 has to be verified in person. Good news, on March 20, the Department of Homeland Security provided some assistance for I-9 verification by announcing temporary COVID-19 provisions that permit employers to inspect the Section 2 documents remotely, through a video call, email or fax, to onboard remote employees. This knowledge should help leaders through this challenge so they can move forward and onboard remotely.
Exhausted cybersecurity professionals are working even more during the crisis. They have no relief in sight. Their firms have been looking to hire people year over year with little success. Now their already overworked cyber teams are doing more work. What these companies are lacking is a budget to pay for an external recruiting service.
This was a challenge way before the health crisis and now our fellow colleagues feel this pain even more. Already, recruiting departments don’t have the skill to find and match qualified and interested cyber professionals to jobs. This is because they don’t speak cybersecurity and they don’t have access to cybersecurity professionals. As this case study conducted by Chenxi Wang reports, “cybersecurity roles remain unfilled on average eight months; until an outside recruiting firm is brought in”.
Cyber professionals are getting burned out quicker due to working around the clock during this crisis. This bothers me greatly at a time like this when stress is high at home and work. I want to make sure that all cyber professionals affected by this crisis will find well-matched jobs quickly. To do this and help those leaders that don’t have a budget to use an outside staffing resource like CyberSN, I am offering our services at our cost for new job searches.
We are a privately held firm with no outside investments. We care deeply about the health and well-being of our community. I am grateful that we can make this offer. This offering will allow organizations who truly want to fill their roles the ability to do so and at the same time make sure no cyber professional goes unemployed for long. There is no greater stress than that of unemployment. I suspect we will see layoffs and we will feel greater pain. Together we will succeed. I will keep sharing what we are seeing as things change rapidly. Love and safety to you all.
Sincerely,
Deidre
Have you heard about the workforce shortage in cybersecurity? Skilled cyber professionals are hard to find and desirable jobs at great companies are left unfilled for months. At least that’s what most tech staffing agencies will tell you. This mindset has infected too many companies, their HR departments, and the staffing agencies they hire, leaving cyber departments understaffed and companies at greater risk.
There is truth to the tight cyber labor market. The latest (ISC)2 report says global IT skills shortages have surpassed 4 million openings. But the lack of professionals is not the only reason companies are struggling to fill cybersecurity roles. The challenge has as much to do with the people doing the hiring as it does the people available for hire.
“I’m calling B.S. on the common belief that it’s a lack of security skills that’s causing these issues,” CyberSN President Mark Aiello wrote in Forbes. “From my professional experience, when I witness security people losing their jobs unexpectedly due to layoffs, restructuring or the like, it can take six months or more for C-level candidates to find a new position.”
In a market where cybersecurity expertise is in high demand, this doesn’t make any sense.
“These folks should be scooped up faster than an unencrypted database full of credit card numbers,” wrote Aiello.
The disconnect between hiring managers and skilled security professionals is at the core of most cybersecurity staffing challenges. The best way to bridge that disconnect is to work with a tech staffing agency that “speaks cyber” and understands the common problems that can derail the cyber hiring process to successfully fill your open positions.
Cybersecurity professionals are passionate about their work tracking down threats. They also know that most people have no idea what their job entails on a day-to-day basis. If you’re posting a job description that wasn’t written by someone within the cyber team, cybersecurity professionals can spot it from a mile away.
Bad job descriptions are not HR’s fault. Most people in human resources lack knowledge of cybersecurity roles and culture, so they use vague language or tech buzzwords that mean different things to different people. The result is a job description that’s nothing more than a long list of technical competencies, educational requirements, certifications, and job titles. When listed as iron-clad requirements, they unfortunately eliminate many talented candidates.
A cybersecurity staffing firm can quickly identify red flags within a job description and work with companies to define requirements, roles, and responsibilities that not only make sense to people in the cybersecurity industry, but also portray the job accurately.
Many IT or tech staffing agencies use the same tactics recruiters in other industries use, especially LinkedIn. They rely on generic IT searches to find cybersecurity specialists, not realizing there is a significant difference in knowledge base and skill set.
When it comes to finding great people, it can be difficult. Cybersecurity professionals are skeptical of social media and job search applications and their ability to protect personal information. When asked how to avoid risk when using social media, Ran Canetti, a Boston University College of Arts & Sciences professor of computer science and director of the BU Center for Reliable Information Systems and Cybersecurity said, the best solution is to not use them at all.
“This might cost a small price, but it’s more than worth it,” Canetti said.
If cyber professionals are not on LinkedIn or job search sites, recruiters who rely on these tools will never find them.
An agency that specializes in cybersecurity staffing knows the players throughout the industry, who is happy in their job and who is not. The recruiters put in the time networking, going to conferences and events, and making connections to develop a rich pool of connections they can tap when trying to fill positions for clients.
With 45 different different cybersecurity job categories, many more job titles, and no industry-accepted definition for any of them, general recruiters are already at a disadvantage before they get past the first line of the job description. Tech staffing agencies that lack cybersecurity industry know-how may not be able to identify talented people right for the role, but who have a slightly different job title elsewhere.
“Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven or even eight out of the 10 skills listed as requirements for a position,” said Aiello. “In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”
Your company wants to fill open cybersecurity positions with less effort and in less time. If your internal team needs help and you want to take the search to a staffing agency, it will save your company time, effort and a lot of headaches if you choose a firm that knows the industry and can identify candidates that will fulfill your company’s most essential cybersecurity needs.
It’s no secret that women are underrepresented in cybersecurity. There are plenty of statistics that confirm the lack of gender diversity, including a 2019 survey that showed women make up less than a quarter of the cybersecurity workforce. This number is up from a survey conducted in 2013 that found the cyber workforce was only 11% women.
To change the industry and remove barriers for women, companies need to be proactive in adding more women to their cybersecurity ranks. Higher representation helps dispel the stereotype that tech jobs are for men and encourage more women to enter the field. It’s also an advantage when a company’s workforce is representative of the general population, especially in the security industry. To achieve this, companies need to start by getting better at recruiting female professionals.
Although women represent about 24% of the cybersecurity workforce, there are some encouraging numbers in the latest data. The (ISC)² 2019 Women in Cybersecurity report revealed that 45% of women in cybersecurity are millennials, most of whom are in that important 30-something stage of their careers. With more women in cyber moving from early career to mid-career, there will be more women available to offer mentoring and networking opportunities to younger women looking to get their start and move up in the field.
The (ISC)² study also showed that while women are less represented, they are rising in the ranks and become key decision makers at a greater percentage than men. For example, 7% of women, versus 2% of men in cyber, are chief technology officers and 18% of women versus 14% of men are IT directors. In the report, Jennifer Minella, CISSP, vice president of engineering and security at Carolina Advanced Digital, Inc. and chairperson of the (ISC)2 Board of Directors, said it’s an encouraging sign.
“For many years this hasn’t been the case, and we need to continue to do all we can to make ours a welcoming profession for the most talented and innovative individuals, regardless of gender,” she said.
Despite this good news, pay disparity persists. The report showed 15% of women earn between $100,000 – $499,999, while 20% of men in the field earn at least that much.
Too often, employees will talk about the importance of diversity at company-wide meetings and forget about what it all means by the time they get back to their desks. Unless diversity is a core part of a company’s human resources and hiring strategy, it will be difficult to move the needle toward a more representative workforce.
Priscilla Moriuchi, director of strategic threat development at Recorded Future, told Forbes that diversity is not simply about doing the right thing.
"Diversity in perspectives, leadership, and experience is good for business,” she said, noting this is especially true in cybersecurity. "We need people with disparate backgrounds because the people we are pursuing, (threat actors, hackers, 'bad guys') also have a wide variety of backgrounds and experiences. The wider variety of people and experience we have defending our networks, the better our chances of success."
There are a number of things people look for when pursuing a new job, regardless of gender, including better pay, more flexibility in hours, and a shorter commute. However, there are some things women candidates will be looking for to address their concerns about the gender disparity in the industry.
Demonstrate a real commitment to diversity: What efforts have your company made to create a more diverse workplace? Are those efforts visible to applicants? Women will be looking for signs that all genders, races, and nationalities are welcome at your company, so include images that reflect diversity on the company website and social media. Also, encourage the women at your company to participate in professional organizations like Women in Cybersecurity and Secure Diversity, which foster networking opportunities and provide connections, making it easier to recruit women candidates.
Career development: Women want to work at a company where they have access to opportunities to learn skills that will advance their careers. These opportunities should be encouraged and not treated like a hassle or something that’s taking away from her day-to-day work. Enacting a mentoring program is another great way to foster talent, not just for women but all minorities underrepresented in cybersecurity.
Job security and satisfaction: Because there is a workforce shortage in the cybersecurity sector, many women enter the field for the job security it promises, but job security doesn’t mean much if the work environment is poor. Women want to work at a company where they are treated as a valuable member of the team. With so many cybersecurity jobs available today, your company risks losing female cyber candidates to other companies if your company has a reputation for allowing hostile work attitudes to persist.
Great (and equal) pay: Another reason women get into cybersecurity is because of the high salary they can earn. Average salaries between $100,000 and $200,000 a year are the norm. However, some companies fall into the trap of paying women less than what equal male counterparts make because of a variety of reasons that may go unnoticed by well-intentioned managers. Human Resources is essential in ensuring pay is equitable and suggesting remedies when it is not, especially when making initial offers to candidates.
Looking beyond job titles: The roles and responsibilities assigned to different jobs titles are all over the map in cybersecurity. We’ve identified 45 different job titles and dozens more subtitles in the industry. This can lead to Human Resources departments dismissing talented candidates just because the title doesn’t fit. Before eliminating women candidates, take a hard look at her skills and experiences, not just the job titles she’s held.
Despite the challenges some women face in the cybersecurity industry, men and women share a lot of the same concerns about their jobs. This can range from lack of support from upper management to lack of work/life balance. Many companies have begun to address these concerns, improving the overall work environment for the entire cyber team, which can only help in recruiting more women.
Being proactive about cybersecurity diversity is essential in the evolving cybersecurity industry. It can be as simple as tapping the female employees for references or looking beyond the job title at the skill set. The talent is out there. It’s just about knowing where and how to look for it.
Many of the challenges firms face when filling cybersecurity positions can be traced back to the job description. Cybersecurity job descriptions are notoriously difficult to write, yet they’re often the first impression a potential hire has of what it’s like to work for your company. With a lack of industry-accepted terms for jobs and roles, writing a clear and comprehensive job description can feel like stumbling in the dark.
The tight cybersecurity job market and well-publicized skills gap certainly make cybersecurity hiring more difficult, however, there are small steps companies can make to improve job descriptions and hiring success.
Say for instance your company is looking for a security engineer. Here are some of the subcategories that land within that title.
You can see the difficult situation many managers and HR departments find themselves in when crafting a cybersecurity job description. If you can’t settle on whether you need a security architect, cloud security architect, or information security architect how are you going to find a candidate?
When deciding on a job title, do some research within the local cyber community. What other titles are companies using for similar jobs and responsibilities? Is your company committed to having unique job titles? It might be time to compromise and use a job title that more accurately portrays the role.
Ascribing to a common language is the foundation of all human relationships. To reach the best candidates and easily communicate your position requires you use the language people within the cyber community are speaking. You’d be surprised how many HR recruiters and hiring managers have no idea what some of the terms in their cybersecurity job descriptions mean, even though they wrote them!
Experienced cyber professionals also know enough to steer clear of poorly conceived job descriptions, especially those in which job requirements don’t track to the title or are a laundry list of job requirements, clearly indicating the new hire will be asked to do two or more jobs. Knowing what you are asking for and having an understanding of the terms being used in the job description will elevate your cybersecurity job description and show your company is serious about cyber.
With so many open positions in today’s job market, the best candidates are oftentimes people who are already employed, but open to a change in employment. These passive job seekers are skilled, but also savvy. If they are going to make the effort to change jobs, there must be benefits, such as higher pay, more remote work from home, or a shorter commute. Here are some ways you can quickly communicate why your job is better than theirs.
We get it. It’s not always easy to ask for help, but when a position has gone unfilled for six, seven, eight months on end, the problem might require outside expertise.
Staffing agencies are a common solution for companies who need to fill a position fast, but this has its drawbacks. Recruiters may return a list of candidates we would categorize as “warm bodies.” Instead of truly talented cybersecurity personnel, they show you resumes from people who are under-qualified or work in an unrelated area of cyber. Many staffing agencies are generalists and have a lack of understanding of the industry. Using a firm without expertise in cybersecurity won’t get you good candidates either.
Look for a history of experience filling cybersecurity positions in your industry. These agencies not only understand the language, but also have developed connections that allow them to locate talented passive job seekers. Understanding the current cybersecurity landscape, which companies are flourishing, who’s happy and who is not is essential.
Another advantage agencies that specialize in cybersecurity bring are tools that help HR personnel and hiring managers find the right match without a recruiter. Programs like CyberSN’s cybersecurity jobs platform offer tools and templates to build job descriptions specifically targeted toward people in the cybersecurity industry for free.
Bottom line: an agency that has expertise in cyber can communicate your job more effectively, resulting in a better slate of candidates and ultimately filling that position faster.
Organizations are taking novel coronavirus (COVID-19) outbreak precautions with employees, travel restrictions are being put in place, and leaders are providing general workplace safety information on outbreak precautions. The chief security officer and your cybersecurity organization have a critical role to play in business continuity and COVID-19 preparations. To remain operational and minimize cyber risk, CSO’s should focus on the following COVID-19 Checklist.
Organizations must be prepared to activate contingency and business continuity plans, including protocols for employees working from home to limit the spread of the COVID-19. The workforce location may shift from on-site to full remote for an extended period of time. Because many of your employees do not typically or have never worked remotely, CSO and cybersecurity organizations should assess remote access systems. Are these devices patched and is redundancy functioning properly? Are there 2FA mechanisms and password reset capabilities? Are remote devices up-to-date and logging for all employees? If your organization has not performed a remote access exercise recently, now is the time to schedule a full “work from home” exercise and evaluate your readiness.
The potential outbreak has created an environment where people are searching for information and may be more susceptible to view a suspicious link or attachment. Malicious actors will leverage the COVID-19 warnings, alerts, and preparations with phishing and malicious attachments. Messages targeting account password resets are also in play as organizations prepare for workforce disruptions. Awareness is critical with people on edge, seeking information, and wanting to help. Work with your organization’s COVID-19 awareness team and include cyber awareness with the messages on preparation and company communications.
The COVID-19 cyber risks go beyond technical controls. Preparing for staff disruptions is as important as ensuring visibility to remote access security events. Cyber leadership must identify critical roles and the individuals on the cybersecurity team who perform them. A plan should be put in place in the event of an extended absence of these key individuals in critical roles. Cyber teams of all sizes must consider cross-training of critical responsibilities or the use of external staffing consultants to bridge the gap in absent critical roles.
Hopefully COVID-19 will have no to minimal impact on your organization. While this can be a stressful time for companies, it does provide an opportunity to review outbreak response protocols and off-site security measures. With any event response, business operations will see less disruption if the CSO and cyber team communicate important security measures as the situation develops.
While the scramble to recruit and retain smart cybersecurity professionals is universal, some companies struggle more than others. If you ever wonder how some competitors managed to perennially field solid cybersecurity teams while your organization can hardly even find enough candidates for your open jobs, it might be time to evaluate the way you market to and interact with cyber job seekers. CyberSN recently spoke with a number of recent applicants and employers on what engages employees most effectively. Things like a decent compensation package are table stakes for drawing great candidates. However, there are often other simple touches that can make all the difference. Here are five tips for attracting cybersecurity professionals to your roles.
It should go without saying, common courtesy can go a long way towards keeping the lines of communication open with good candidates. For example, if you’re recruiting currently employed candidates, try to be flexible about scheduling interviews. And whatever you do, minimize cancelations on your end.
“Meeting during the day is already a challenge because you have to find a way to schedule time off from your current job,” said a Security Engineer who wishes to remain anonymous. “It’s particularly difficult when a potential employer cancels at the last minute, which happens anywhere from 25% to 40% of the time in my experience. For a couple of companies, this happened with, I just declined to reschedule.”
If you’re a hiring manager working with a company with a lot of bureaucracy and red tape to jump through during the interview process, consider either personally reaching out or having a recruiter reach out to prep candidates for what to expect.
“Having insights about the company from the recruiter made a difference,” Robert Burns, Sr. Consultant at Booz Allen Hamilton explained. “Just a little bit of information about who I was meeting with ahead of time, so I could prepare and have a better understanding of what I’d be talking about with different individuals.”
Compensation is obviously important, and so are work-life balance benefits like flex time. But so are relocation benefits. It might seem obvious that the best way to open up a bigger pool of candidates is to widen geographic boundaries. Surprisingly, few companies actually do this. We’re not talking about a huge investment – just $10-15k will make a huge impact.
“Even though there’s a huge gap in the field, it’s very difficult to find organizations that will pay you or give you the flexibility to cross from coast to coast,” says Burns, who worked with CyberSN to get him relocated to a work location that worked for him.
When interviewing, you can’t get hung up on years of experience or even certifications. You need to learn to find candidates who have the right raw materials for training by asking the right interview questions. Make sure you are interviewing for someone’s ability to do the job. Find out what they have been doing and not how for how many years they have been doing it. Years do not equate to capability. Also, make sure your posting avoids using any red flags for job seekers!
“In interviews, we would ask questions around curiosity. Trying to hone in on how an individual thinks can be important,” says Dan Garcia, Sr. Security Engineer at Datto. “Asking questions like, ‘What is the last thing you took apart and why?’ Just trying to get at their intellect. From that, we found some pretty great candidates that had the right mindset.”
Finally, look for ways to be creative in your outreach. Cybersecurity is a creative field, and smart candidates respond to clever employers. Run or participate in events like capture the flag and tabletop exercises. Go to the same places that cyber pros go.
“Datto once took out a billboard where we Base64 encoded the career site URL, and we had a candidate apply to be a software engineer from that,” says Ryan Weeks, Chief Information Security Officer. “He now leads our application security pen-testing team.”
Listening closely to the experience of candidates and gathering feedback from employers gives insight into what mistakes are being made that are easily addressed. What’s working (and not working) in your cybersecurity talent experiences? Did we forget any tips for attracting cyber professionals?
Firms struggling to recruit quality cybersecurity candidates may be a little too quick to blame the security skills gap without looking in the mirror first. In many cases, companies take themselves out of the running for the best available candidates the day the job is posted.
Why?
Experienced cybersecurity professionals run away far and fast the second they see poorly conceived job descriptions and requirements. Poorly written job requirements are a dead giveaway that an employer that doesn’t know much about security. A bad job posting can signal any number of bad omens for good candidates, such as:
For most candidates, these are indicators that lead to immediate disqualification.
“Just like a resume tips the hand of a job seeker, job requirements tip the hand of an employer,” explains a Red Team PenTester placed by CyberSN.
There are a number of ways that job postings turn off cybersecurity candidates.
Let’s dive deeper into the following 3 red flags when it comes job postings.
Red Flag #1: Job Requirements Make No Sense
When job requirements don’t track to the title, or to broad cybersecurity responsibilities, candidates will start giving the employer side-eye. In many cases this is the product of someone who knows very little about cybersecurity. Most likely this is from someone copying job requirements from other cybersecurity job listings.
“It seemed likely that a lot of employers were looking at other job listings and probably copying and pasting those job responsibilities, which I think is typical for companies, because they know that they need cybersecurity to protect their assets, but they don’t necessarily know what that means,” says a Security Engineer, placed by CyberSN, explaining his experiences when running into requirements that weren’t “structured in an organized or sensible manner.”
Red Flag #2: Two Or More Jobs In One Description
Another common problem are listings that rattle off job requirements which clearly show that the person will be asked to do two or more jobs. When candidates hear that an employer wants them to be an appsec guru, a security architect, and a SOC analyst all in one, they’re highly unlikely to put their hats into the ring for consideration.
Red Flag #3: Experience Requirements Don’t Match Job Level
Another common red flag for candidates is when the experience requirements asked of them in no way match up with the level of job being advertised. When entry-level positions (with entry-level wages) require 5-10 years of experience, it’s clear that there are a lot of things wrong with the organization’s expectations and, potentially, company culture. Another corollary to this is when the experience requirements ask for many years of background in brand new technology.
*
To be sure, for employers seeking to build out a brand-new security team, it can be tough to craft the perfect job requirements. When they’re on the hunt for the first or second security hire for the organization, they often really do need a renaissance man or woman who can ‘do it all’ until they can scale up the team after a period of time.
This was the exact experience of one client, a Security Engineer from a mid-sized SaaS company, who eventually came to CyberSN for recruiting help.
“I didn’t know how to craft the messaging internally. For a company that has never had good security, telling them you need someone to do disaster recovery, you need someone to do compliance, you need someone to do platform security, application security, security operations, maybe network security and someone to lead all of it, they didn’t really believe me,” this Engineer said. “As a result, I suggested to start with just one. But how do you put together the job posting that says, ‘You’ll be our first security hire, AND you’ll have to do all of it?”
Many of the candidates we work with are passive. Meaning they are not overtly looking but willing to make a switch for the right opportunity. Poorly written job postings will NEVER attract these candidates. A well-crafted job posting will. In a passive job seeker market like the one we are in, this makes all the difference.
It’s a tough situation, and one in which employers need to look to the experts to help them carefully and thoughtfully craft a job description that makes sense. Otherwise, they risk hearing crickets after posting their security jobs. At CyberSN we take great care when assisting our clients draft a job description. We encourage them to take a deliberate approach and circulate it among their network for input before posting.
Friends,
I wanted to share a precursor to my RSAC 2019 talk. Join me Friday, Mar 08 | 11:10 A.M. – 12:00 P.M for Retaining and Growing Cybersecurity Talent: A Proven Model. RSVP to this session here.
As 2019 begins and companies ramp up their Q1 cybersecurity staffing initiatives, hiring data reveals that filling an open position, a process that normally takes between three and six months, is only half the battle. At CyberSN, the leading cybersecurity staffing firm in North America, we have found that retaining cybersecurity talent is even more difficult than finding the “right” candidate.
The intersection of these trends has created an industry-wide problem, where companies invest significant time and capital pursuing, on-boarding and training cybersecurity talent, only to watch new hires leave after a year. Conventional cybersecurity HR practices only ensure that this vicious cycle repeats itself ad infinitum.
With enterprises increasingly under attack from cybercriminals, and hemorrhaging trillions in hacking-related losses, these hiring gaps leave companies exposed to an unacceptable spectrum of risk. In fact, industry research firm Cybersecurity Ventures projects 3.5-million unfilled cybersecurity positions by 2021. In the U.S., it is CyberSN’s view that this talent gap constitutes a national security crisis.
Given these sobering statistics, the development of a strategic framework to ensure long-term talent retention is a New Year’s resolution that every cybersecurity hiring manager should make in 2019.
This blog post will explain the rhyme and reason behind each tactic, and how integrating the three into one cohesive hiring strategy can help organizations achieve better cybersecurity talent retention.
According to trade certification organization (ISC)² only 15 percent of employees have no intention of leaving their current employer. This may be due to the fact that cybersecurity talent are looking for more than a job. They want a career with an organization that invests in their continuing education and rewards their evolving value.
Yet a 2017 survey of 300 cybersecurity professionals conducted by Endgame’s Andrea Little Limbago found that over 50 percent of respondents cited lack of career advancement as the primary reason for ditching their previous employers. These findings dovetail with a 2018 Capgemini survey, which found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job.
Meanwhile, 59 percent of (ISC)² survey respondents cited continuing education and investment in new cybersecurity technologies as the most important factors, when evaluating current job fulfillment.
In 2019, hiring managers must take the hard data into account and invest more in employee training, while staying up to date with the most cutting-edge cybersecurity tools.
This approach will help cybersecurity professionals see a runway that nurtures their professional development and enables them with the resources to grow within the company and beyond. This is especially important for younger cybersecurity professionals. According to the Capgemini study, new entrants into the cybersecurity labor market from Generations Y and Z are more inclined to stay with employers that help them “visualize a career path.”
According to Capgemini, 83 percent of cybersecurity professionals cite work-life balance as the most important consideration when switching jobs. On a related note, Limbago’s 2017 survey found that 38 percent of cybersecurity professionals cited burnout as the main reason for leaving their jobs, while another 28 percent cited stress.
Limbago’s data is not all that surprising, seeing that the topic of an August 2018 Black Hat Conference panel in Las Vegas: “Burnout, Depression and Suicide in the Hacker Community.” This discussion identified burnout as a “monumental mental health crisis” afflicting cybersecurity professionals.
Part of the reason for this pervasive burnout is that organizations often fail to provide clearly defined roles for their hires. As a result, security talent may find themselves juggling multiple responsibilities and tasks that deviate from their initial understanding of the position, for which they were on-boarded. By bombarding personnel with divergent workloads that may not be specific to their expertise, enterprises risk overwhelming cybersecurity talent, pushing them to leave their jobs or worse.
Beyond creating well-defined responsibilities that are aligned with the skill sets and core capabilities of cybersecurity personnel, organizations must also be receptive to their needs as people.
According to Capgemini, “Flexible work arrangements have become an important factor for employee satisfaction, helping reduce absenteeism, increase productivity, and enhance employee engagement.” As such, hiring managers should be willing to accommodate flexible work schedules and remote working.
According to trade organization Society for Human Resource Management (SHRM) “women and minorities remain significantly underrepresented in the cybersecurity profession.” In fact, 2017 survey data published by SHRM found that women and minorities only make up 11 and 12 percent of the cyber workforce, respectively.
To make matters worse, the cybersecurity community has long been plagued by cultural toxicity that has fomented a hostile environment for talent that is not white and male. In fact, Limbago’s survey found that 85 percent of female respondents reported being discriminated against at professional cybersecurity conferences.
The good news is that the culture is gradually changing, as evidenced by Black Hat, which last summer, invited speakers to discuss gender discrimination – a topic that had never before been addressed in the conference’s 21-year history.
Overcoming these cultural problems is key because research is increasingly demonstrating that a diverse workforce delivers better business results. In fact, research from McKinsey & Company revealed that firms in the top quartile for racial and ethnic diversity are 35-percent more likely to have financial returns above their respective national-industry averages.
The same principle applies to cybersecurity, where increasingly diverse threats demand new approaches and ideas to combat them. Speaking to this point is Javvad Malik, security advocate at AlienVault, who told Information Age, “ Security teams need diversity because of the diversity of challenges that it faces. Cyber/information security isn’t a narrowly-defined field, where one skill set can cover the entire spectrum.”
Therefore, by promoting healthier workplace cultures, companies can prevent the alienation of women and minorities, which has caused many to leave their job or the industry altogether. Cultural progress may require firing a workplace jerk or two, but the end results will yield better employee retention, which ensures better cybersecurity for the organization.
Ultimately, these historically marginalized groups represent an untapped resource that can help enterprises avoid the cybersecurity talent crunch.
With nearly half of all cybersecurity professionals being contacted weekly by recruiters, according to (ISC)², these specialists are some of the most coveted candidates in the job market. The dearth of skilled talent creates a situation, where cybersecurity personnel have no shortage of new job alternatives if their current employers fail to meet their expectations.
CyberSN’s three keys to cybersecurity talent retention can help organizations change this paradigm and create a more strategic human resources framework. While career advancement, work-life balance and diversity are not the only three factors that infosec talent consider when evaluating job fulfillment, together they form a sound foundation for successful retention.
We hope you enjoyed reading this post and be on the lookout for more CyberSN content in 2019. For more information about CyberSN and how we can help your company fulfill its security staffing needs, please visit our website.
#RSAC #RSA2019
Hi friends,
A new year is upon us and many people have been asking for my insight into the 2019 cybersecurity job market. Unfortunately, talent acquisition and retention statistics did not improve in 2018 and I do not see them improving in 2019. Job searching is broken and our industry lacks succession planning. We will not see these statistics change until these two problems are solved. 2019 will bring significant uptick in the types of roles detailed below. Remember to put agency staffing dollars in your budgets, you will not find these people on your own.
Happy New Year and thanks you for all your love and support,
Deidre Diamond aka The Wise Owl
Quibbling over dollars leaves jobs unfilled and companies at risk
Originally published on Medium [story no longer exists], this interview was conducted in November 2017 to explore the “CyberSN Research Study: The Cyber Security Hiring Crisis” in more detail. Read on to learn more about our findings on if salary caps threaten national security.
Author – Kacy Zurkus, Freelance Writer
In today’s data-driven world, it seems impossible to imagine that among all the information that’s been collected and aggregated there is no repository with real-time cybersecurity salary data.
Yet, in cybersecurity — one of the fastest growing industries in the world — the compensation data across all positions is unreliable or inaccurate according to recently released research from CyberSN.
Analyzing information across 52 organizations and 83 cybersecurity positions, The Cyber Security Hiring Crisis: A Cyber SN Research Study, reveals that the majority of companies needed to raise their salary caps to hire cyber security talent.
For most companies, though, salary caps aren’t getting lifted and positions remain open because “Current HR practices around salary reviews and adjustments fail to meet industry requirements.”
These research results beg lots of questions, particularly if security is a real concern rather than a checkbox for compliance.
In order to better understand how salary caps can be something that stands in the way of enterprise security, I spoke with CyberSN founder and CEO, Deidre Diamond who offered insightful answers to my questions.
Q: With the growing jobs gap looming over the industry, why is salary caps one of the top issues in recruiting cybersecurity talent?
A: Organizations look at cyber like they look at IT, but cyber salaries are higher based on supply and demand. Often times, IT doesn’t want cyber making more than IT because it becomes an uncomfortable conversation about why one person is worth more than another.
As a result, it becomes this round and round discussion that results in nobody wanting to do anything, so the salary caps remain. The position then sits open for an average of six months while they continue to search for someone to fit within their salary cap.
The reality is that even if the data they are using is a month old, it’s old data. Salaries change every day and HR can’t stay current.
We see quite often that cyber leaders don’t feel supported when they go to have these salary conversations with HR. It’s not a welcoming environment.
Q: So is the issue that the data is unreliable data because it is old, or is the data non-existent?
A: For those people who are using old school bureaus, the data is definitely old. Those reports come out once a year, and a lot of times, security as a role isn’t necessarily in that data. The Department of Labor doesn’t even have cyber as a job listing.
If there is cyber, it is usually one role around information security. But, there are 45 different job categories in cyber, and most security people are doing three jobs in one even though the person is paid based on a title. That isn’t going to work.
The data they are using is not concise, but most often the people in HR think it’s legitimate and helpful. The reality is, the cyber industry is so different from IT and software.
Q: Are the salary caps a recruiting issue depending on job level?
A: It’s across the board. It doesn’t matter. Everybody wants to pay what people are already making, but the candidates aren’t going to take the risk of moving based on a lateral compensation.
We don’t see entry level positions. People don’t hire entry level because they are already understaffed. Among the masses, nobody has the budget to take an entry level person and train them. They don’t want to do it, but how do we bridge the gap?
Only 20% of the marketplace is picking up entry level people to train because the majority can’t afford it.
What we see happen is a job goes unfilled over a $10,000 difference. So often they don’t hire a person because internally companies see raising the cap — even $10,000-as a bad move.
Changes to the Equal Pay Act are going to change all of this. We can’t ask for information about somebody’s base salary. So, will people then be guessing at the offers? Right now they start with base salary and go from there, but the EPA changes are going to create more churn.
Q: What are some creative tactics companies are using to make the full compensation package more attractive?
A: Total compensation absolutely matters, and it is a part of the entire conversation. But who wants to take less money? In our four years of being in business, we have only see two people take a lesser salary for an opportunity.
Most people won’t even move for lateral compensation. Very few companies can pull off a lesser salary by offering a better total compensation package. If you are Google or Amazon, you can maybe get away with replacing the base salary with stock options, but people aren’t leaving because of money.
So why would you want to nickel and dime? If they are interviewing with you, they are interviewing other places too. Put your best offer out there because you don’t want to end up in a place where they didn’t take the position and you could’ve done more.
Q: Are the salary caps the result of growth or is it that people are leaving? If it’s turnover, is the salary capped at what the previous person was earning?
A: It’s 50/50 replacement and growth, but less about what the person was previously making. When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization, but the people in the current positions aren’t earning market value.
That’s a huge issue because HR gets sets salary by comparing the role to somebody who is being paid below market. Yet this is security.
Q: Are salary caps an issue across all sectors? Which silos are willing to raise the caps in order to hire talent?
A: We offer sales staffing for security companies, and the issue is the exact opposite. You never run into this issue of salary. For most cyber roles, it’s six months before they decide to outsource. In sales, it’s day one. Companies don’t care about security, they care about revenue.
Yet, the number one reason people want to leave is because the company doesn’t really care about security. What’s heartbreaking in that these people are problem solvers — protectors who really understand how everything works, but they are under utilized which makes the job satisfaction minimal.
The best salaries come from software companies, particularly for positions in sales and anything to do with the customer success process. Then consulting firms — managed service providers. Anyone that’s closest to revenue.
Q: Companies are starting to invest in cybersecurity insurance. Looking at the reasons we have talked about, why do they need to raise caps if they can get away with security as a check box and buy insurance coverage?
A: As a CEO, I can answer that for myself. When we talk about these insurance companies, we don’t know the future of what the policies will look like. The reality is that no breach costs the same for any one company. There’s so much that is unknown. Policies are going to be basic, so it really Isn’t a way to avoid investing in security.
It comes down to the question, “How much risk are people willing to take?” I’m seeing that people’s risk tolerance is still pretty high.
Q: What will be the impetus for change?
A: More breaches. When I think about where we are at today, it’s only the breaches that have gotten us the budgets. More and more people need to feel the pain through breaches or penalties, and we are seeing more regulations coming out.
It’s highly unfair that according to the PCI standards, companies can be fined by the bank for not securing customer data, but how about Equifax getting my personal information stolen? There’s no consequence.
PCI was the first time we saw fines and that’s when we saw changes, then HIPAA. When we see regulations that fine people, we start to see cyber budgets.
The Equifax breach had no consequences, but the laws are now being put in place.
Companies that are not investing in recruiting and retaining for cyber security jobs will pay with a breach.
———————————————————————————————————-
We love you, cybersecurity community. Please reach out if we can help you with your search or hiring needs! Email us: info@cybersn.com
Deidre