Harvard Business School research found that 90% of highly-skilled cyber talent workers are weeded out from jobs because they don’t meet all the requirements in a job posting. Aiello advises companies to make more realistic descriptions in their ads so hiring managers can match job candidates to jobs they can succeed on. (Credit: Getty Images)
Our Country is Facing a Cyber Talent Jobs Crisis
by Mark Aiello, President, CyberSN
Today, employed cyber professionals are unhappy and overworked, and turnover rates among cyber talent are high.
CISOs last only 18-24 months on the job and 41% of workers in all fields globally are now looking to change jobs.
Despite this job dissatisfaction and so many professionals looking for new opportunities, it still takes an average of eight months to fill an open cyber position. It’s clear that something’s not right with the cybersecurity job search and hiring system. Here are five ways cyber hiring managers can improve the hiring process and more quickly find the talent their company needs:
- Build the job description from scratch.
Most cybersecurity job descriptions are written by copying and pasting prior roles or details and rarely reflect a job’s real tasks and projects. The result is vague job descriptions that are difficult to understand and unattractive to candidates. Resist the temptation to combine multiple roles into a Frankenstein job. Instead, take the time to draft the job description from scratch, making sure it’s an honest and accurate assessment of the position. Only list the experience that’s absolutely required and avoid a long wish list of skills. In doing so, the company will receive the largest pool of qualified candidates.
This may seem obvious, but make sure to include the salary in the job description, or at least a range. People don’t want to waste their time applying for a job only to find out they are under- or overqualified based on compensation, and company hiring managers don’t want to waste their time either.
Highlight the company’s official work-from-home policy. Most cyber professionals worked successfully from home during the pandemic, so remote work has become expected. Take an inventory of all the other advantages and flexible benefits the company has to offer and promote them from the very beginning.
We still have an immature hiring process in the cybersecurity industry. If HR teams don’t understand cybersecurity, they can’t possibly screen potential candidates. As the hiring cyber manager, sit down with the HR team to discuss the open positions and hiring goals. Agree on the specific ways that HR will support the security team, and what the cyber hiring manager will do.
Resumes are still the primary way that people present themselves to prospective employers, but unfortunately resume screening software has become a huge contributor to today’s cybersecurity career problems. This software uses keyword matches and other proprietary formulas to filter job applicants, and it’s often inaccurate. New research by Harvard Business School found that 90% of companies believe highly-skilled prospects are being weeded out because they don’t meet all the criteria listed in their job description. This has become a real challenge, especially for an industry suffering from an extreme skills shortage.
Discuss with HR the search keywords, and minimal experience required. Make sure they understand the language in the job description and how to evaluate the incoming resumes. With a shared understanding of role names and their relation to one another, HR and hiring teams can more effectively communicate and screen new hires for the right skills and industry experience, saving time and money in the process.
Even with the right job description and language, companies still can’t just rely on people finding them. Companies must also make the effort to find people. Take advantage of social networks to seek out professionals whose backgrounds look interesting and discuss available jobs with them. Craft a compelling story and see where it leads; qualified candidates may emerge.
- Get involved in the cyber community.
Networking has become so much easier today. We no longer have to jump in a car, train, or plane to attend events. There are lots of cyber organizations and events throughout the U.S. and abroad. Join the local ISSA or ISC2 chapter. Look into ISACA or InfraGard. Get involved. Every cybersecurity group or event needs help. Getting the CISO to volunteer or speak on a topic they are passionate about will elevate the company’s voice, stature, and credibility, making the company a much more attractive employer. Consider this a way to meet a lot of interesting people and hopefully some potential candidates.
In the cybersecurity job market, we’ve found that retaining cybersecurity talent is actually more difficult than finding good people. Companies don’t want to spend significant time and resources training a new hire only to watch them leave after six months.
To help retain employees at your organization, consider the following best practices:
- Lay out and define career advancement paths for each position and employee.
- Promote work-life balance, including remote working options.
- Embrace inclusivity as part of the company’s culture.
- Empower employees to make their own decisions and share ideas.
- Invest in cyber-specific training and allow workers to explore their specific areas of interest.
- Invest in training (especially EQ skills) for all cyber employees, especially managers.
Stay proactive and talk about these opportunities during the interview. Describe how the candidate can take advantage of these opportunities to learn and advance in their career. Get them to visualize long term growth and success with your company, and then work hard to make that a reality once they come onboard.
With a lack of qualified professionals to address unfilled positions, many organizations make poor hiring decisions out of desperation. Don’t let that happen. Communicate clearly and take advantage of all the company’s resources both inside and outside the company. It’s not easy, but talented people are out there looking for the right opportunity.
This article first appeared in SC Media on October 21, 2021
Hiring cybersecurity professionals is as challenging now as ever. With a shortage of people actively looking, cyber pros can be picky about where they work and the compensation they earn. Not every company can afford to pay the same level of salary as Google, but that doesn’t mean they don’t offer a rewarding opportunity for cyber professionals.
Fortunately, there are things hiring managers and HR professionals can do to find talented people for those hard-to-fill cybersecurity jobs, even when the salary you’re offering might be lagging.
Move Quickly
Once someone makes a decision to seek a new opportunity, they’ve mentally left their current employer. When this happens it’s like turning on their radar and they become receptive to the outreach that comes their way, both cold and warm. We know that the average cyber pro receives two job inquiries a day. Every day spent debating a potential hire risks that they’ll speak with a firm willing to pay a lot more money than you. The faster you move someone through your hiring process, the less likely other companies will beat you to making an offer.
Take Stock of Your Stock (and Benefits)
When your salary is low, take inventory of everything else that you offer. Do you have stock options? How about an amazing health care plan? Retirement plans? How about flexible work environments and unlimited PTO? Open door policies or an accelerated career path? We see cybersecurity professionals taking less money when evaluating multiple offers because the compensation package as a whole makes the offer very competitive. Prepare a one-pager that explains all that you offer and make sure that everyone in the process is capable of discussing it with the candidate.
Be Friendly and Sell to the Candidate
You already know your salary offer will most likely be low. Make sure your attitude is high. Seems like common sense, right? Nope. Anecdotally, I estimate that 25% of all first interviews are rejected by the candidate because they didn’t leave with a good feeling. Make sure your words and actions convey that you’re an open and welcoming person and company. Remember that cybersecurity professionals are no different than any other human. They want to work for people who are nice and who value them. Let them know they’ll be valued if they come to work for you.
Send Thank You Notes After the Interview
What? Why should I send a thank you note? They should be sending one to me! Well, hopefully they do send one to you and you should always send one to them. It is a small gesture that makes an enormous statement about who you and your company are. I suggest you go on Amazon where you can buy a pack of 50 cards for $9.99. A thank you card is much more effective than a follow-up email. And there is nothing wrong with doing both. It will have a huge impact on the cybersecurity professional and most likely the first time it has ever happened to them.
Try a Resume Service
Resume services are nothing new, but they can be surprisingly effective for relatively little money. We created our Resume Service, which we call Talent Scout, to serve clients who can’t afford a full search placement but have an internal talent acquisition team that can interview and extend an offer.
Talent Scout takes one of the most difficult stages in the hiring process off your plate by identifying five candidates who are qualified and interested in your opportunity. We make sure every resume we send belongs to a cybersecurity professional who is qualified and interested in what your company offers. We take the laborious process of identifying interesting candidates away from you and present cyber professionals for you to interview and close.
If your company keeps losing cybersecurity talent to bigger, better-funded companies, you still have options. There are many cybersecurity professionals who seek smaller companies, close-knit work environments, and feeling like an important member of the team, not just a number. To secure qualified cyber pros, focus on the unique benefits your company offers, both financial and cultural. And don’t be afraid to ask for help when important cyber roles are going unfilled. The cost of securing some help today could save you the major cost of a data breach down the road.
If you’re looking for more tips on how to find skilled cyber pros, make sure to subscribe to our blog, or reach out to us. We’re happy to answer your cybersecurity hiring questions.
Friends,
In continuing to share up-to-date information about the state of the cybersecurity job market, I am happy to say our profession is proving to be very, very resilient. Companies are still hiring to fill cybersecurity jobs. Unfortunately, we’ve also recorded cybersecurity layoffs over the last two weeks in industries that were affected by Covid-19.
(If you’d like to read my previous “State of the Cybersecurity” reports you can view the last one here.)
Where the Layoffs Are Focused
Companies that focus on gig workers, transportation, and hospitality have recently been hit hard and in turn reduced their security teams. We are seeing the layoffs at these companies concentrated in IR, SOC and Corp/IT Security. We are not seeing layoffs at these same firms for product security or application security. From seeing this data, I can’t help but think that while it seems smarter to let go of your hunters vs. your product security professionals, how does one even make that decision?
“Cybersecurity threats and privacy risks do not just disappear during the COVID-19 downturn in business. Incidents and breaches will continue,” said Dom Glavach, CyberSN’s Chief Security Officer. “Cyber criminals and adversaries are leveraging all aspects of the pandemic to land and launch attacks, insider threats generally increase with employee reduction actions, and privacy compliance does not have a pandemic waiver.”
The Impacts of Layoffs and Furloughs
The economic reality at these companies and the opportunistic nature of cyber attackers are creating a perfect storm. Business leaders have to find a way to weather the crisis, and that has played out in leaner budgets and layoffs. Right now, this means that cybersecurity professionals are doing more than just cyber operations, and in some cases, layoffs have created disgruntled employees. Worse yet, phishing attacks are up 37 times since January 2020.
Effective cybersecurity is a triad of people, process, and technology, with each dependent on another. Processes will fatigue and technology atrophy will occur without enough people, or the right people, in place. All of this gives the advantage to the attacker.
Cybersecurity Layoffs Can Be Risky
Besides the risk of employee burnout and increased attacks, cyber layoffs have other risks to consider.
- Contract compliance — Client contracts have security requirements that you must stick to or risk high fiscal costs.
- Cyber insurance — Does the layoff create a coverage gap in the current insurance policy? Unless you’re holding up your end of the agreement you may not be covered.
- Reputation — It’s not just the company reputation suffering after a breach, but it could also leave a bad impression with consumers when cyber layoffs hit the front page.
- Return to normal — Eventually things will get better. Cybersecurity professionals will move on to another company. How long will it take to get back to the staffing you need after layoffs?
- Business-halting attacks — Cyber solutions and technology maintain a certain level of protection, but cannot necessarily prevent data seizure from new ransomware or DoS. Big game hunting and human-operated attacks require a specific kind of cyber professional to fight them off.
While I share all of this, I also know that capitalism makes these risk decisions unbearable and impossible. I feel for those making these decisions and for those who are affected by them; the good news is for all the talented professionals who are laid off, there are wonderful people looking to hire you. Stay strong. Stay kind. Stay inclusive. Seek to learn always. Love will prevail.
Sincerely,
Deidre
Many of the challenges firms face when filling cybersecurity positions can be traced back to the job description. Cybersecurity job descriptions are notoriously difficult to write, yet they’re often the first impression a potential hire has of what it’s like to work for your company. With a lack of industry-accepted terms for jobs and roles, writing a clear and comprehensive job description can feel like stumbling in the dark.
The tight cybersecurity job market and well-publicized skills gap certainly make cybersecurity hiring more difficult, however, there are small steps companies can make to improve job descriptions and hiring success.
1. Get the Right Title
Say, for instance, your company is looking for a security engineer. Here are some of the subcategories that land within that title.
- Cloud Security Engineer
- Embedded Security Engineer
- Identity Access Management Engineer
- Information Security Engineer
- Network Security Engineer
- SecOps Engineer
- Security Consultant
- Intrusion Detection Analyst
- Threat Hunter
You can see the difficult situation many managers and HR departments find themselves in when crafting a cybersecurity job description. If you can’t settle on whether you need a security architect, cloud security architect, or information security architect, how are you going to find a candidate?
When deciding on a job title, do some research within the local cyber community. What other titles are companies using for similar jobs and responsibilities? Is your company committed to having unique job titles? It might be time to compromise and use a job title that more accurately portrays the role.
2. Communicate a Realistic Understanding of the Role
Sharing a common language is the foundation of all human relationships. Reaching the best candidates and easily communicating your position requires that you use the language people within the cyber community are speaking. You’d be surprised how many HR recruiters and hiring managers have no idea what some of the terms in their cybersecurity job descriptions mean, even though they wrote them!
Experienced cyber professionals also know enough to steer clear of poorly conceived job descriptions, especially those in which job requirements don’t track to the title or are a laundry list of job requirements, clearly indicating the new hire will be asked to do two or more jobs. Knowing what you are asking for and having an understanding of the terms being used in the job description will elevate your cybersecurity job description and show your company is serious about cyber.
3. Emphasize the Benefits
With so many open positions in today’s job market, the best candidates are oftentimes people who are already employed, but open to a change in employment. These passive job seekers are skilled, but also savvy. If they are going to make the effort to change jobs, there must be benefits, such as higher pay, more remote work from home, or a shorter commute. Here are some ways you can quickly communicate why your job is better than theirs.
- Pay: Make sure any salary band listed in the job description is in line with the marketplace.
- Work-Life Balance: Highlight remote work options, flex hours, pet-friendly offices, and parental leave benefits.
- Culture: Job descriptions that use keywords like love, happy, fun, team, respectful, flexible, and considerate are more attractive to candidates.
- Professional Development: Your company wants cyber personnel who are eager to learn and adapt. Mention any training opportunities, conferences they will attend, or other professional development available.
4. Don’t Go It Alone
We get it. It’s not always easy to ask for help, but when a position has gone unfilled for six, seven, eight months on end, the problem might require outside expertise.
Staffing agencies are a common solution for companies that need to fill a position fast, but this has its drawbacks. Recruiters may return a list of candidates we would categorize as “warm bodies.” Instead of truly talented cybersecurity personnel, they show you resumes from people who are under-qualified or work in an unrelated area of cyber. Many staffing agencies are generalists and lack an understanding of the industry. Using a firm without expertise in cybersecurity won’t get you good candidates either.
Look for a history of experience filling cybersecurity positions in your industry. These agencies not only understand the language, but have also developed connections that allow them to locate talented passive job seekers. Understanding the current cybersecurity landscape (which companies are flourishing, who is happy and who is not) is essential.
Another advantage that agencies specializing in cybersecurity bring is tools that help HR personnel and hiring managers find the right match without a recruiter. Programs like CyberSN’s cybersecurity jobs platform offer tools and templates to build job descriptions specifically targeted toward people in the cybersecurity industry for free.
Bottom line: an agency that has expertise in cyber can communicate your job more effectively, resulting in a better slate of candidates and ultimately filling that position faster.
Friends,
I wanted to share a precursor to my RSAC 2019 talk. Join me Friday, Mar 08 | 11:10 A.M. – 12:00 P.M. for Retaining and Growing Cybersecurity Talent: A Proven Model. RSVP to this session here.
Don’t Chase Your Tail! Hire AND Retain Cybersecurity Talent
As 2019 begins and companies ramp up their Q1 cybersecurity staffing initiatives, hiring data reveals that filling an open position, a process that normally takes between three and six months, is only half the battle. At CyberSN, the leading cybersecurity staffing firm in North America, we have found that retaining cybersecurity talent is even more difficult than finding the “right” candidate.
The intersection of these trends has created an industry-wide problem, where companies invest significant time and capital pursuing, on-boarding and training cybersecurity talent, only to watch new hires leave after a year. Conventional cybersecurity HR practices only ensure that this vicious cycle repeats itself ad infinitum.
With enterprises increasingly under attack from cybercriminals, and hemorrhaging trillions in hacking-related losses, these hiring gaps leave companies exposed to an unacceptable spectrum of risk. In fact, industry research firm Cybersecurity Ventures projects 3.5 million unfilled cybersecurity positions by 2021. In the U.S., it is CyberSN’s view that this talent gap constitutes a national security crisis.
Given these sobering statistics, the development of a strategic framework to ensure long-term talent retention is a New Year’s resolution that every cybersecurity hiring manager should make in 2019.
To execute a successful cybersecurity talent retention strategy, hiring managers should prioritize the following three best practices:
- Present candidates with a clear view of career advancement and incentives
- Promote work-life balance
- Embrace inclusivity as the cornerstone of corporate culture
This blog post will explain the rhyme and reason behind each tactic, and how integrating the three into one cohesive hiring strategy can help organizations achieve better cybersecurity talent retention.
Offer a Vision of the Future
According to trade certification organization (ISC)² only 15 percent of employees have no intention of leaving their current employer. This may be due to the fact that cybersecurity talent are looking for more than a job. They want a career with an organization that invests in their continuing education and rewards their evolving value.
Yet a 2017 survey of 300 cybersecurity professionals conducted by Endgame’s Andrea Little Limbago found that over 50 percent of respondents cited lack of career advancement as the primary reason for ditching their previous employers. These findings dovetail with a 2018 Capgemini survey, which found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job.
Meanwhile, 59 percent of (ISC)² survey respondents cited continuing education and investment in new cybersecurity technologies as the most important factors, when evaluating current job fulfillment.
In 2019, hiring managers must take the hard data into account and invest more in employee training, while staying up to date with the most cutting-edge cybersecurity tools.
This approach will help cybersecurity professionals see a runway that nurtures their professional development and enables them with the resources to grow within the company and beyond. This is especially important for younger cybersecurity professionals. According to the Capgemini study, new entrants into the cybersecurity labor market from Generations Y and Z are more inclined to stay with employers that help them “visualize a career path.”
Healthier Work-Life Balance
According to Capgemini, 83 percent of cybersecurity professionals cite work-life balance as the most important consideration when switching jobs. On a related note, Limbago’s 2017 survey found that 38 percent of cybersecurity professionals cited burnout as the main reason for leaving their jobs, while another 28 percent cited stress.
Limbago’s data is not all that surprising, seeing that an August 2018 Black Hat Conference panel in Las Vegas was titled “Burnout, Depression and Suicide in the Hacker Community.” This discussion identified burnout as a “monumental mental health crisis” afflicting cybersecurity professionals.
Part of the reason for this pervasive burnout is that organizations often fail to provide clearly defined roles for their hires. As a result, security talent may find themselves juggling multiple responsibilities and tasks that deviate from their initial understanding of the position for which they were on-boarded. By bombarding personnel with divergent workloads that may not be specific to their expertise, enterprises risk overwhelming cybersecurity talent, pushing them to leave their jobs or worse.
Beyond creating well-defined responsibilities that are aligned with the skill sets and core capabilities of cybersecurity personnel, organizations must also be receptive to their needs as people.
According to Capgemini, “Flexible work arrangements have become an important factor for employee satisfaction, helping reduce absenteeism, increase productivity, and enhance employee engagement.” As such, hiring managers should be willing to accommodate flexible work schedules and remote working.
Inclusivity Drives Continuity
According to trade organization Society for Human Resource Management (SHRM) “women and minorities remain significantly underrepresented in the cybersecurity profession.” In fact, 2017 survey data published by SHRM found that women and minorities only make up 11 and 12 percent of the cyber workforce, respectively.
To make matters worse, the cybersecurity community has long been plagued by cultural toxicity that has fomented a hostile environment for talent that is not white and male. In fact, Limbago’s survey found that 85 percent of female respondents reported being discriminated against at professional cybersecurity conferences.
The good news is that the culture is gradually changing, as evidenced by Black Hat, which last summer, invited speakers to discuss gender discrimination – a topic that had never before been addressed in the conference’s 21-year history.
Overcoming these cultural problems is key because research is increasingly demonstrating that a diverse workforce delivers better business results. In fact, research from McKinsey & Company revealed that firms in the top quartile for racial and ethnic diversity are 35 percent more likely to have financial returns above their respective national-industry averages.
The same principle applies to cybersecurity, where increasingly diverse threats demand new approaches and ideas to combat them. Speaking to this point is Javvad Malik, security advocate at AlienVault, who told Information Age, “Security teams need diversity because of the diversity of challenges that it faces. Cyber/information security isn’t a narrowly-defined field, where one skill set can cover the entire spectrum.”
Therefore, by promoting healthier workplace cultures, companies can prevent the alienation of women and minorities, which has caused many to leave their job or the industry altogether. Cultural progress may require firing a workplace jerk or two, but the end results will yield better employee retention, which ensures better cybersecurity for the organization.
Ultimately, these historically marginalized groups represent an untapped resource that can help enterprises avoid the cybersecurity talent crunch.
Conclusion
With nearly half of all cybersecurity professionals being contacted weekly by recruiters, according to (ISC)², these specialists are some of the most coveted candidates in the job market. The dearth of skilled talent creates a situation, where cybersecurity personnel have no shortage of new job alternatives if their current employers fail to meet their expectations.
CyberSN’s three keys to cybersecurity talent retention can help organizations change this paradigm and create a more strategic human resources framework. While career advancement, work-life balance and diversity are not the only three factors that infosec talent consider when evaluating job fulfillment, together they form a sound foundation for successful retention.
We hope you enjoyed reading this post and be on the lookout for more CyberSN content in 2019. For more information about CyberSN and how we can help your company fulfill its security staffing needs, please visit our website.
#RSAC #RSA2019