Big salaries alone are not enough to hire good cybersecurity talent: What else can companies do?
Amid the severe and ongoing cyber skills shortages, both cybersecurity firms and in-house IT and cybersecurity departments are struggling to hire enough talented and qualified individuals.
This is sometimes due to budgets, as many organizations have not placed a high enough priority on cybersecurity, despite the growing number of high-profile attacks. But even those who are paying high salaries are finding that generous compensation is still not enough to hire and retain talent in this field. While 33% of CISOs surveyed by ISSA said that salary was the reason they left one organization for another, that doesn’t explain most departures or job switches.
Meanwhile, despite high salaries, many currently employed cybersecurity professionals are feeling overwhelmed and under intense pressure, both because they are often short on manpower and because the stakes of their jobs are even higher now with the increased number and severity of attacks. The ISSA survey showed that 62% of cybersecurity employees face a heavier workload due to their organizations not being able to hire enough workers, and 38% say they feel burnt out.
If money isn’t enough, what else can companies do to attract and keep cybersecurity talent?
Write job descriptions that show off the skills employees will gain, not just what skills they need to apply. Cybersecurity is a rapidly growing and dynamic field offering many opportunities. But the field, by its very nature, requires that the best professionals are constantly learning on the job to keep up with the latest technologies and the latest types of threats and attacks. By letting candidates know what types of things they will learn on the job and what experiences they will gain, a company can set itself apart and offer the added value of professional growth, giving it an advantage in the recruitment process.
Look beyond academic education. Academic degrees in cybersecurity and related fields are no doubt helpful, but they are not the only way to become qualified for a job in the sector. If someone does not have a degree, it does not mean that they will not be an excellent candidate, especially if they have the relevant experience. This includes those coming from military or government backgrounds. In fact, with the rise in state-backed cyberattacks, any level of cybersecurity experience in government or military organizations is a considerable advantage and may be more valuable than an academic degree or years of corporate experience. A number of new programs, including one backed by Microsoft, also promise to offer training without necessarily granting degrees; these are also worthwhile credentials for candidates.
Teach and mentor on the job. Organizations should realize that current employees in their IT and related departments may be able, with the right training, to learn cybersecurity skills. This can be a way to build up a cybersecurity team internally. Those receiving training in-house should also be assigned mentors who can help them along the way. Building a team internally gives employees opportunities to grow, which can also lead to increased job satisfaction and retention.
Integrate cybersecurity into the overall business strategy, and let recruits know this. Companies should involve the cybersecurity team in all steps of their business, from product development to marketing, and not just relegate them to being on call for incident response or for when something goes wrong.
Organizations should also encourage cybersecurity employees to bring in new ideas and strategies that will help protect the company. Let them create change, where needed, rather than just act as an enforcer or follower of protocols. In addition, cybersecurity progress should be recognized on an organizational level, and communicated to all levels of the organization. This recognition will allow cybersecurity employees to really make their mark, and result in high job satisfaction.
One aspect at the heart of all these steps is seeing cybersecurity as integral to any organization and giving cybersecurity professionals the opportunity to really help businesses grow and succeed.
Many organizations tend to see cybersecurity as something isolated from the rest of what they do; changing this attitude will not only help an organization better protect itself, but it will also make it a more appealing place for sought-after and talented cybersecurity professionals to work.