peshkova - Fotolia
The cybersecurity staffing shortage is a continuing problem in the industry because finding good candidates with cybersecurity skills is a challenge. What are some good ways to find and recruit cybersecurity talent? Should companies look at hiring people from competitors?
In February 2016, security researcher CyberEdge Group released the 2016 Cyberthreat Defense Report that surveyed 1,000 IT security professionals in 10 countries. It stated that the lack of skilled personnel increased in 2014, 2015 and 2016 from 2.92, 3.05 and 3.42, respectively, on a scale of 1 to 5, with 5 being highest. There are many reasons why finding good candidates with cybersecurity skills is a challenge, including:
- Consulting firms hire away highly skilled talent from industry, competitors, and government with significant pay increases and perks;
- Large metropolitan regions attract more skilled talent than smaller, rural areas;
- CISOs and skilled staff tend to average short tenures, as five years or more with a single company is considered high;
- Hiring companies may be looking in the wrong places for skilled resources;
- Hiring companies may not be attracting skilled resources due to their industry, salary, technology complexity, learning potential, management support or reporting structure;
- Higher education is not producing enough cybersecurity professionals;
- Large institutions with over 50 cybersecurity professionals over time will depreciate the talent they claim to excel. The reason is because these professionals will be assigned focused work that prevents them growing into higher technical or management positions; and
- Companies will grow their staff to become highly skilled but fail to compensate them for what they are worth in industry.
There are two options for resources with cybersecurity skills: organizations can either hire them from outside or they can grow them. Qualified staff will jump from one company to another that will offer them better compensation packages and the original employer will likely have to pay a higher salary for skills it lost to another company. That is what some companies do to attract skilled staff from competitors. They come skilled, trained and know the business. Cybersecurity recruiting firms who profit from the movement of skilled staff between companies can be useful. Or, you can look to universities that have mature cybersecurity programs for viable candidates. Professional organizations, such as ISSA, OWASP and ISACA are also good sources. They typically allow job postings to be forwarded to their membership. The key is to know what cybersecurity skills your organization needs and how many employees. That said, organizations should always work on developing their staff with the focus on retention, productivity and coverage.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Learn why millennials might be the saviors of the security staffing shortage
Find out if internal up-skilling is the key to the security skills shortage
Discover why recent breaches highlight the need to solve the security skills gap
Dig Deeper on Information security program management
Related Q&A from Mike O. Villegas
As ransomware continues to surge, companies are faced with decisions to report the attacks, pay the ransom or both. Experts weigh in on the options ... Continue Reading
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading