4 ways COVID-19 has changed security hiring forever

One year in, the COVID-19 pandemic has had significant, and likely permanent, impacts on information security hiring. Here are the changes that experts say are here to stay.

On March 13, 2020, the COVID-19 virus was declared a national emergency. Since that time, there have been approximately 28.5 million confirmed U.S. cases of the virus, resulting in over 517,000 deaths, and in December the disease rose to be the leading cause of death for Americans.

This month, the country welcomed a third vaccine in the fight against the COVID-19 pandemic, and the race is now on to get all U.S. adults vaccinated by the end of May. This is certainly great news for companies eager to get employees back in the workplace—and for workers who have found it challenging to do their jobs remotely.

While it remains to be seen how work and life will play out in a post-pandemic world, many organizations have already experienced the future when it comes to hiring and managing information security professionals. The results have been both good and bad for all concerned, but collectively they have changed the hiring game permanently.

Here are the top trends reshaping the recruitment and management of information security pros, and what those workers want and need from a job.

Remote work increases the odds of a perfect-fit hire

Despite many obvious impacts of COVID-19, the basic process for finding information security professionals hasn’t changed that much. Security leaders or hiring managers post their openings on an organization’s career page or job boards, they review the incoming applications, narrow down the list to acceptable candidates, and evaluate those candidates based on internal selection criteria, says Jean-Paul Philippe, cyber security recruiter and founder at Baxter Talent, in Knoxville, TN.

“The biggest change we've seen due to COVID is the abundance of remote opportunities now available,” Philippe says. “With many organizations swiftly transitioning into a remote workforce, security leaders recognize that highly skilled security professionals are more than capable of working remotely. Organizations that are open to remote hires are reaping the benefits of a considerably larger talent pool, thus resulting in hiring the best person for the job.”

“The downside of a larger applicant pool is the additional workload of screening more applications and candidates,” Philippe acknowledges. “Additionally, organizations that move more slowly in their hiring decisions may miss out on their top candidates because strong security professionals usually receive very attractive offers from multiple companies at the same time. As a result, many strong security leaders realize a sense of urgency and a speedy hiring process leads to a successful hire.”

On the flip side, organizations that don’t tap this wider talent pool are at a distinct disadvantage, something Dorothy Dodenhoff, senior technical recruiter – enterprise information security at Wells Fargo in Charlotte, NC, knows all too well.

“Wells Fargo decided two years ago to eliminate 100% telecommute hires,” Dodenhoff explains. “The goal is to have employees work out of hub cities. This decision has caused us to lose a lot of extremely qualified prospects, as they are used to working remote and do not want to work on site. We are starting a new critical project, and there is discussion as to whether or not to allow for telecommute hires which, if approved, will greatly expand our ability to reach highly-skilled talent.”

In fact, this hub-and-spoke model that Dodenhoff describes is exactly the business model that many organizations now aspire to. Rather than have all employees come to a central workplace, the ‘office of the future’ concept is to have smaller facilities, but more of them, and all inter-connected digitally. This allows organizations to downsize their real estate investments, enables workers to safely spread out, and eases the commute for workers that don’t have to go to one central location.

Wanted: Highly skilled candidates with superior communications skills

Not surprisingly, the greatest demand is for information security professionals that already have the right stuff—and that includes both technical expertise and soft skills.

“The hiring managers we're working with are seeking experienced security professionals with cloud, application security and risk management skills,” Philippe says. “Specifically, skills and experience with AWS, Azure, and GCP, as well as experience with identity and access management (IAM), security information and event management (SIEM), incident response (IR), and intrusion detection and prevention systems (IDS/IPS) are commonly required by our clients.”

On the soft skills side, “communication and influence appear to be the number one skill in demand,” Philippe adds. This is in part because of the particular communication demands of working remotely, but also “security professionals are extending beyond their business unit and collaborating across their organization,” Philippe says. In addition, working remotely has made written and verbal communications skills of paramount importance.

“The reason COVID emphasized these skills so heavily is that security teams had to rapidly begin collaborating with other teams such as IT to help secure employee devices and networks,” Philippe says. “And given that this basically happened overnight, security teams needed to rely on strong problem solving, attention to detail, and teamwork skills to make it all happen.”

Hiring security talent with these skills and experience can be very difficult for many organizations. “Most of these folks are currently employed and thus not looking to make a change,” Wells Fargo's Dodenhoff says. In fact, “many candidates we reach out to are not comfortable making a change in employment during this pandemic. Our hiring cycle has been roughly 70 days, however, some jobs have been open for over six months.”

Remote work may slow the growth of cybersecurity salaries

It remains to be seen what the long-term impact of the pandemic and the remote workforce will be on information security salaries. Many hiring managers say base salaries haven’t changed much, but the ability to work remotely has risen to the top of the desired benefits list.

“For the organizations that I have been associated with, I have not encountered a significant impact on salaries,” says Joshua Scott, head of information security and IT at Postman, and a member of the Information Security Leadership Foundation. “I have seen additions to benefits and workplace elements to cater to the remote workers. For example, more use of official group video chats or common discussion channels to replace the typical group scenarios that happened in the office.”

Where salary offerings are having the most impact is with job candidates competing amongst themselves.

“One impact we noticed during the pandemic was that many security professionals living in smaller cities were now looking for new opportunities with much larger employers outside of their commutable geography,” Philippe says. “These individuals realized that remote opportunities with larger organizations generally equated to larger compensation packages, better benefits, and greater future employment opportunities.”

On the flip side, Philippe notes that security pros living in higher-earning areas now have to compete with equally strong talent open to less attractive compensation packages.

“For example, a security engineer in the South East may have a base annual salary of $120,000, whereas a security engineer in the North East may be seeking at least $150,000 just to maintain the same standard of living,” Philippe stresses.

Remote workers will need to fight harder for recognition and reward

Assuming that the country can meet President Biden’s goal of seeing all adults in the U.S. vaccinated by the end of May, one might expect the economy, and the workforce, to go back to the way they were before 2020. Not so fast, say workforce experts.

Organizations and workers alike have learned that remote work is totally doable for many jobs. Many employees have gotten used to the arrangement and don’t want to return to the workplace. That includes the majority of information security professionals.

“Ninety percent of the security professionals we speak with desire and prefer remote opportunities,” Philippe says. “The organizations that have responded positively to these wants tend to hire many of the industry’s most talented security professionals.”

But as with most things in life, there is a trade-off here.

“I believe some security professionals may face promotional limitations depending on their organization’s remote, hybrid, or in-office requirements,” Philippe emphasizes. “If employees are given the opportunity to choose to work 100% virtually or go into the office, I feel that employees who chose to work 100% virtually may see a slight decrease in promotional opportunities because of the reduced social interactions that happen when working alongside colleagues in a physical space.”

“Security professionals should be aware of these potential downsides of working fully remote and be mindful that they may need to put in extra effort to build strong relationships and trust among their colleagues and supervisors since they’ll be potentially missing out on the random social interactions that happen with physical proximity,” Philippe concludes.

Copyright © 2021 IDG Communications, Inc.
