How to Hire and Retain Cybersecurity Talent

December 23, 2021 | By IANS Faculty

Cybersecurity Talent Shortage 

Cybersecurity threats and breaches have increased in number over the last decade, and a consequence of that is a heavy demand for cybersecurity professionals. However, this demand has not been met by a corresponding supply. In fact, labor market research from Emsi indicates: 

  • At the time of this writing, there are only 48 qualified candidates available for every 100 jobs in the cybersecurity space. 
  • Washington, D.C. is the tightest market in the country, primarily because of the national security-related demand from government organizations and defense contractors. 
  • However, similar issues exist in major markets across the country, including Dallas, Atlanta, Boston, New York, San Jose and Chicago. 

Because of this supply/demand gap, some sectors, like fintechs and healthcare, tend to get very competitive, which compounds the severity of this issue for smaller organizations and other sectors because of their limited resources. In addition, work-from-home, online schooling and a shift to online shopping as a result of the COVID-19 pandemic have driven the demand for cybersecurity professionals even further. 

However, as new talent in cybersecurity continues to enter the marketplace, organizations can deploy several creative strategies to meet the needs of the enterprise and acquire and retain top cybersecurity talent.


Cybersecurity Talent and the Board

A strong cybersecurity program requires appropriate funding, not just for the tools but also for the talent. We recommend CISOs include a big-picture view of the enterprise talent situation in metric-driven briefings to the board of directors. These briefings can include: 

  • The current staffing situation, including key challenges and the remediation plan. 
  • A five-year talent plan. 
  • Staffing requests when budget is under consideration. 

This visibility provides a level of commitment to the security program from a staffing perspective, particularly from the finance arm of the enterprise. A board sign-off or approval also helps with the almost inevitable downstream staffing or budgeting pressures. 

Retaining and Hiring Cybersecurity Talent   

An un-empowered security organization will struggle with cybersecurity talent attraction and retention. To raise the stature of the infosec program and help team members feel that they are making a difference, consider the following: 

  • Include CISO briefings in every all-hands meeting: In these sessions, the CISO should focus on the strategic program and the difference the infosec team makes to the success of the enterprise. For example, it may be interesting for the enterprise to see metrics related to the number of security alerts investigated by the security team or the number of phishing alerts reported by the enterprise. Have the CISO share the program’s overall goals and ask for help from the entire enterprise. 
  • Enlist security ambassadors or champions from different areas of the enterprise. This will reduce the routine friction encountered by security team members, which can cause frustration. 
  • Foster full-company recognition of the team: Many enterprises have programs in place to recognize and reward key employees. Security team members should be nominated and selected for these rewards as well. 
  • Communicate issues clearly and effectively: Security leadership should communicate with the enterprise in an open, transparent fashion and ask for help where necessary. This can include emails to all team members and announcements via communications channels like Slack or Teams. 


Hiring Cybersecurity Talent 

Cybersecurity’s staffing challenges require innovative talent acquisition strategies. To ensure your talent pool is large enough to surface the right people, consider: 

  • Re-skilling and/or transferring talent. One alternative to publishing postings that don’t seem to attract the right candidates is to focus on transferring and/or re-skilling existing employees. Some functions of the enterprise are well suited for this purpose. For example, with interest and training, developers can make great infrastructure-as-code (IaC) or SOAR engineers. Similarly, network engineers can make great web application firewall (WAF) engineers. 
  • Mentoring recent graduates. Most enterprises go for the same talent pool – security engineers with at least some experience – and that leaves recent graduates as a significantly untapped resource. Individuals with computer science and engineering degrees can do well in cybersecurity, as long as they are paired with more experienced individuals within the organization. This serves a dual purpose – it allows the graduates to grow rapidly, and it also allows the more experienced individuals within the team to grow through coaching, training and mentoring. You should also consider focusing your recruitment efforts on smaller universities and community colleges, both because it’s harder to compete for talent in large, well-known universities and because the best talent in smaller universities and colleges is often just as good. 
  • Creating a core of expert practitioners. While not everyone on the team needs to be an expert, every team requires a core of experts who can take accountability for initiatives and act as subject matter experts (SMEs) for the more junior members of the team. This may be expensive to build, but it is important to sustain the rest of the team. 


Niche Hires in Cybersecurity 

Talent related to cloud, SaaS, DevOps and SOAR is an extremely hard-to-fill niche of cybersecurity. Many enterprises are rapidly onboarding these innovations, which creates the interesting challenge of how to staff up for their security-related aspects. Skipping the obvious suggestion of paying top dollar, organizations should consider instead focusing on interesting approaches, such as: 

  • Training up what you need. Training possibilities have increased dramatically over the years. Consider purchasing high-quality training, keeping in mind that finding the right course can itself be a challenge simply because of the volume of training offered on some platforms.  
  • Using consultants and contractors for knowledge transfer. When implementing new tools, build in some expert consulting arrangements. Pair these expert consultants and contractors with employees from within your organization. They will get a chance to learn from the best and can own this discipline once the contract is over. 
  • Establishing educational partnerships. Partner with appropriate educational institutions to explore possibilities related to curricular practical training (CPT) or co-op arrangements. These students are prospective future employees. Another angle can be to influence course curriculum so professors teach the aspects of technology that will be applicable within the enterprise (e.g., DevOps, SOAR, cloud or SaaS). 

Staffing a Strong Cybersecurity Program

A well-designed information security program and strategy inspires and deeply motivates those who want to do great work and make a profound difference to the fortunes of the company. Examine your strategy with a fine-tooth comb, ensure it aligns with the needs of the enterprise and push the limits in a way that keeps your top talent engaged, challenged and energized. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
