
Cybersecurity skills: What is the best way to find staff that has them?

Finding and keeping employees with the right cybersecurity skills is a challenge all organizations face. Expert Mike O. Villegas explains the skills shortage.

The cybersecurity staffing shortage is a continuing problem in the industry because finding good candidates with cybersecurity skills is a challenge. What are some good ways to find and recruit cybersecurity talent? Should companies look at hiring people from competitors?

In February 2016, security researcher CyberEdge Group released the 2016 Cyberthreat Defense Report, which surveyed 1,000 IT security professionals in 10 countries. It reported that the lack of skilled personnel was rated 2.92, 3.05 and 3.42 in 2014, 2015 and 2016, respectively, on a scale of 1 to 5, with 5 being highest, an increase each year. There are many reasons why finding good candidates with cybersecurity skills is a challenge, including:

  • Consulting firms hire away highly skilled talent from industry, competitors, and government with significant pay increases and perks;
  • Large metropolitan regions attract more skilled talent than smaller, rural areas;
  • CISOs and skilled staff tend to average short tenures, as five years or more with a single company is considered high;
  • Hiring companies may be looking in the wrong places for skilled resources;
  • Hiring companies may not be attracting skilled resources due to their industry, salary, technology complexity, learning potential, management support or reporting structure;
  • Higher education is not producing enough cybersecurity professionals;
  • Large institutions with over 50 cybersecurity professionals will, over time, depreciate the talent they claim to excel in, because these professionals are assigned narrowly focused work that prevents them from growing into higher technical or management positions; and
  • Companies will grow their staff to become highly skilled but fail to compensate them for what they are worth in industry.

There are two options for obtaining resources with cybersecurity skills: organizations can either hire them from outside or grow them internally. Qualified staff will jump from one company to another that offers them a better compensation package, and the original employer will likely have to pay a higher salary to replace the skills it lost. That is what some companies do to attract skilled staff from competitors: those hires arrive skilled, trained and knowing the business.

Cybersecurity recruiting firms, which profit from the movement of skilled staff between companies, can be useful. Or, you can look to universities that have mature cybersecurity programs for viable candidates. Professional organizations, such as ISSA, OWASP and ISACA, are also good sources; they typically allow job postings to be forwarded to their membership.

The key is to know what cybersecurity skills your organization needs and how many employees it needs. That said, organizations should always work on developing their staff with a focus on retention, productivity and coverage.


This was last published in August 2016
