Traditional cybersecurity staff retention tactics becoming less effective
The recipe for improving your organization’s ability to hire and retain cybersecurity professionals is relatively straightforward (if not easy): offer attractive pay and career growth opportunities, and provide a healthy work culture and environment.
Those are the three most important factors motivating cybersecurity professionals to leave their current jobs, followed by flexible work policies and opportunities to work with the latest technologies, ISACA has found.
As not all organizations can offer the three most important incentives but need to compensate for the lack of skilled professionals in their cybersecurity teams, 57% of organizations have increased training of staff, 36% have increased usage of contract employees and outside consultants, and 18 percent have increased reliance on AI or automation.
A lack of qualified candidates
For its latest State of Cybersecurity report, released at RSA Conference 2019, ISACA polled 1,576 cybersecurity managers and practitioners from a variety of industries and countries, most of whom work at enterprises with over 1,500 employees.
58 percent of the respondents say that their enterprises have unfilled cybersecurity positions, and 32 percent say that it takes them 6 months or more to fill a cybersecurity position with a qualified candidate.
The majority of survey respondents report that most vacancies are in technical cybersecurity positions. Conversely, few cybersecurity executive or C-suite positions are unfilled.
29 percent of the respondents say that fewer than one-quarter of job candidates are qualified for the cybersecurity position for which they applied, and only 24 percent of the respondents feel that recent university graduates in cybersecurity are well prepared for the cybersecurity challenges in their organization.
“Although some academic institutions are implementing successful technical programs, most are still perceived as training cybersecurity in abstraction, rather than training it as a technical, hands-on field, which, by its very nature, requires some business intelligence,” ISACA pointed out.
The biggest skill gap in the average cybersecurity professional is the ability to understand the business: the ideal cybersecurity professional in today’s environment is a technically proficient cybersecurity professional who is able to “successfully apply his or her technical cybersecurity skillset to effectively enhance business goals” and “articulate that connection to counterparts at multiple organizational levels.”
Gender diversity programs
Cybersecurity is still a male-dominated field. 15 percent of the respondents say their organization’s cybersecurity roles are all filled by men, 51% say that there are significantly more men than women in those roles, and 89% say that there are more men than women in cybersecurity roles within their enterprise.
When asked if they believe that women are offered the same opportunities for career advancement as men are offered in the field of cybersecurity in their organization, 51 percent of the respondents who identify as female say no, compared to 12 percent of the male-identifying ones.
While the percentage of respondents who say that their organization has in place specific diversity programs to support women cybersecurity professionals has fallen (44 percent, compared to 51% last year), most (71%) say that their organization has not experienced difficulty in retaining women in cybersecurity roles.
Gregory J. Touhill, ISACA board director and president of Cyxtera Federal Group, noted that for cybersecurity professionals, compensation is more than just making money – it is about being valued.
“It means seeing the organization demonstrate its commitment to its workforce (and its clients) by investing in the right technology and ensuring that its staff receive continuing professional education paid for by the organization. It means assigning leaders who understand and appreciate technology’s role in driving business success and sharing the rewards equitably. The best organizations that I served in made sure staff training was in the budget and that every member of the team knew what we, as an organization, were investing in them.”
He also pointed out that leadership matters when it comes to retention – leaders need to foster an environment where everyone’s contributions are valued.
“I know the value that diversity provides organizations and take notice when I see diversity programs being perceived as on the decline. ISACA’s 2019 State of Cybersecurity findings ought to spur an internal look into your organization. Is your diversity program on-track and meeting your current and future goals? Do you have the right personnel to ensure that you have diversity of experience, thought, culture and perspectives? Is your diversity program training producing the results you need? If the answer is no to any of these questions, it is time for leaders to step in and step up,” he concluded.