January 3, 2018 – In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field. Heightening the issue is an ever-growing threat of security breaches combined with a dearth of information about compensation for cyber roles, the firm reported in ‘The Cybersecurity Hiring Crisis.’
“What many organizations are failing to realize is that by not investing properly in cyber professionals, they’re sending the message that cybersecurity is not a priority,” said Deidre Diamond, founder and CEO of the international cybersecurity recruitment firm. This creates a retention and attrition problem that nearly eclipses the recruiting challenges faced by many companies seeking cyber talent.
“Organizations must be willing to invest in the critical roles that will keep their organizations up and running as the cyber industry continues to evolve,” said Ms. Diamond. “The best way to do this in a highly competitive market is to offer top compensation and benefits to attract and retain talent.”
As cyber threats change and become more complex, cybersecurity professionals are playing an increasingly vital role in their organizations. Their jobs, once considered optional, are now a mandatory part of ensuring that their companies’ critical data and processes are properly protected. Demand for such positions is at a record high – and keeping recruiters across the field loaded up with business. But talent supply lines have failed to keep up. There is, in fact, a projected workforce gap of 1.8 million cybersecurity positions, said CyberSN citing a recent (ISC)2 report.
For their study, CyberSN gathered information from across 53 organizations and 83 cybersecurity positions. The firm also conducted in-depth interviews with chief information security officers (CIOSs) and hiring managers responsible for recruiting cyber professionals into their organizations.
A Lack of Transparent Data
“Many of those we interviewed echoed a common theme – namely, there’s a gaping lack of security talent,” said Ms. Diamond. And, it is a problem that becomes more pronounced when organizations look to recruit more senior talent. “Now, more than ever,” said the report, “companies are competing against the likes of Netflix, Google and Facebook for high quality candidates.” The lack of transparent data around salaries is simply making it more difficult to compete with them. “In order to recruit more effectively for cybersecurity industry positions, there’s a clear demand for accurate information that includes real-time, market-driven compensation data,” according to the report.x`
A central issue is that many organizations equate cyber jobs to IT positions when it comes to compensation and benefits. Yet the roles are completely different. “Organizations look at cyber like they look at IT, yet cyber salaries are higher based on supply and demand,” said Veronica Mollica, vice president of cybersecurity staffing for CyberSN. “Oftentimes, IT doesn’t want cyber making more because it becomes an uncomfortable conversation about why one person is worth more than another.” The result is a round and round discussion and no change in the status quo, she said. “The position can then sit open for six months or more before a search firm is engaged to help,” said Ms. Mollica.
In the end, according to CyberSN’s report, more than 50 percent of the companies polled had to increase their initial salary cap in order to hire cybersecurity talent.
Cybersecurity Leadership Role Evolves to Meet New Threats
Increasingly, organizations of all sizes are awakening to the perils posed by cyber attacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate.
Nor does it help that much of the information that companies use about cyber salaries is inaccurate or out of date. “Salaries change every day and HR leaders have had trouble staying current,” said Ms. Mollica. “We see quite often that cyber leaders don’t feel supported when they sit down to have these salary conversations with HR. It’s not a welcoming environment.”
Critical cybersecurity roles, meanwhile, go unfilled for too long. Organizations are reluctant to pay more and candidates tend to refuse to switch jobs for lateral compensation, let alone a lesser amount. “What we see happen is a job goes unfilled over a $10,000 difference,” said Ms. Diamond.
The truth is that money very much matters with these in-demand roles. Few companies outside of Google and Amazon can convince prospects to take a smaller salary by offering enticements like stock options, said Ms. Diamond. Most companies have no interest in paying up, but by denying that it’s a candidate’s market businesses are only hurting themselves, she said. “Why would you want to nickel and dime for the best talent?” she asked. “If candidates are interviewing with you, they are interviewing other places too.”
The cybersecurity salary cap issue is the result of both growth and the departure of employees, said Ms. Mollica, but less about what the previous person in a role was earning. “When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization,” she said, “but the people in the current positions aren’t earning market value. That’s a huge issue because HR sets salary by comparing the role to somebody who is being paid below market. Yet this is security.”
Security Threats Create Talent Challenges, Opportunities
Cybersecurity might well be the greatest challenge facing corporate America today. The threat to reputation, private information and dollars — both from immediate theft and the cost of repairing the damage of a cyber-attack — can be staggering.
The Value of Breaches
Bad experiences, Ms. Diamond said, will ultimately be the key to change. More intrusions. More money lost. More corporate reputations damaged or destroyed. Sooner or later, businesses will learn that it is more cost effective to take preventive action than to suffer the consequences of a breach or a regulatory fine. “When I think about where we are today, it’s only the breaches that have gotten us the budgets,” she said.
Hunt Scanlon Media recently sat down with Ms. Diamond to talk about the challenges that her firm and its clients face in filling cybersecurity roles.
Deidre, why is recruiting cybersecurity executives so difficult?
Cybersecurity experts are incredibly busy. Not only are their departments frequently understaffed, but their jobs are mission-critical to the success or failure of their organizations. Their roles can often be more similar to that of an emergency first-responder than an IT professional. Because of the fast-paced and high-profile nature of their work, they don’t even have time to spare for recruiters. And that’s an important issue because we have found that HR generalists simply are not equipped to oversee the hiring process for such specialized, in-demand, hard-to-find talent.
“Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success.”
How can the search process be improved?
Executives in search of cyber talent need to use specialized cybersecurity staffing agents. Job seekers are looking for companies committed to a cyber budget, who value career growth and share in their cyber passion. Retention is just as important to hiring and if organizations don’t meet these needs, statistics show that cyber professionals will not hesitate to vote with their feet and change jobs.
Why is the cyber function so important?
Cybersecurity is no longer just a technology issue. It is a business enabler, and cybersecurity professionals are the key to success. Companies are depending on their cyber resources to detect, protect, innovate, automate and meet compliance standards. Security breaches have significant impact to a company’s reputation, customer confidence and sometimes unpredictable financial impacts. Companies with great hiring and retention plans attract and retain talented and passionate cyber professionals.
Hence the need to pay up for these professionals?
Yes. Our research and experience show us that companies underestimate what it takes to get the right talent in the door. In our research study, over 80 percent of the companies we looked at had to raise their salary cap in order to make the right hire. HR and staffing resources do not have real time salary data available and so they are often not prepared to pay what it takes to hire talent in this market. One thing we are beginning to see is that many companies are getting more creative with their total compensation packages. Equity, paid benefits, telecommuting, relocation assistance and other perks are often included to make offers more attractive to these highly sought after professionals. Often, that outside-the-box thinking pays off!
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Will Schatz, Managing Editor – Hunt Scanlon Media