New ESG/ISSA research indicates that cybersecurity professionals value competitive compensation, a strong cybersecurity culture and business management commitment to cybersecurity

As we know, there is an acute shortage of cybersecurity talent available on a global basis. For example, previous ESG research from 2016 reveals that 46 percent of organizations say they have a “problematic shortage” of cybersecurity talent at present.

Unfortunately, the cybersecurity skills shortage goes beyond headcount alone. According to a recently published report from ESG and the Information Systems Security Association (ISSA)—The State of Cyber Security Professional Careers, Part 1—cybersecurity teams can be in a constant state of flux due to issues with employee satisfaction, a lack of adequate training and staff attrition. The report also exposes the fact that 46 percent of cybersecurity professionals are actually recruited to pursue new job opportunities at least once per week! In other words, if your cybersecurity people aren’t happy, they won’t be around long.

Now, cybersecurity is a discipline that is heavily influenced by staff experience, so a revolving door of staff turnover will have a direct impact on business risk and the ability to prevent, detect and respond to security incidents. As a result, organizations have a vested interest in maintaining job satisfaction in order to retain and motivate the existing cybersecurity staff.

Factors that contribute to cybersecurity job satisfaction

Just what conditions lead to cybersecurity job satisfaction? As part of the ESG/ISSA research project, we asked 437 cybersecurity professionals this very question. Here are some of the results:

Nearly one-third (32 percent) of respondents said “competitive or industry leading financial compensation.” Yup, money is always important, but it should be viewed as “table stakes” in the big picture. Competitive compensation gets an organization into the discussion, but other incremental factors will ultimately determine job satisfaction.

Almost one quarter (24 percent) of cybersecurity professionals said “a general organizational culture that promotes and supports strong cybersecurity.” So, cybersecurity has to be included across areas such as software development, HR training and organizational mission statements—not just an afterthought equated with firewalls and antivirus software.

Nearly as many (23 percent) respondents said “business management’s commitment to cybersecurity.” Thus cybersecurity must be part of business planning and led by enthusiastic participation from executive managers and corporate boards.

Twenty-two percent of respondents said “the ability to work with a highly skilled and talented cybersecurity staff.” This was especially important for junior staff members looking to expand their skills and grow their careers.

Twenty-two percent of respondents said “an organization that provides support and financial incentives enabling cybersecurity staff members to participate in training and develop technical skills.” Once again, this requirement goes beyond having a job. Cybersecurity pros want to work for employers committed to continuous cybersecurity education for the staff.

Every organization should do a self-assessment to gauge how well they are doing in all of these areas. Those deficient in one or several categories should develop plans for improvement. Those few organizations that excel in all of these areas should capitalize on these strengths by marketing themselves as cybersecurity centers of excellence in order to attract, recruit and retain top cybersecurity talent.