Seemingly every organization knows these days that cybersecurity is a serious concern. Yet companies are having a hard time attracting and keeping cyber talent, according to surveys and research.
Businesses want to hire cyber talent. According to the “2018 IDG Security Priorities Study,” 54 percent of organizations expect their security staff headcount to increase over the next 12 months. The survey showed 37 percent will hire full-time staff, 26 percent will hire contractors or outsourced workers and 12 percent will increase part-time staff.
On average, organizations had 2.2 open security positions to fill throughout the past year; this increases to 3.3 for enterprise organizations and decreases to 1.3 for small and medium-sized businesses.
Speaking Feb. 26 at the CDW Protect SummIT in Phoenix, three security executives said that businesses need to be creative and IT leaders need to be empathetic to attract and keep qualified IT security talent.
Alyssa Miller, manager of the information security solutions practice at CDW, said the biggest issue is funding the talent. “The talent is out there, there is no doubt about that,” she said. But it is difficult to find experienced cybersecurity pros, and they tend to demand high salaries, she said. Meanwhile, there are a lot of people “who are dying to get into the market” and are doing IT security research on their own, but do not have formal experience. “It’s a little bit of a hill to climb working with human resources to get them in the door,” she said.
Chuck Markarian, CISO of truck manufacturer PACCAR, said there are certain roles for which organizations do need to hire experienced cyber talent, and those people need to be well-compensated. However, he said, if there are less-experienced workers who have passion and curiosity, “we can train them and bring them up.”
Andre Allen, CISO of energy firm ENGIE North America, said another challenge organizations face is turnover — losing cyber talent to competitors. “The security community is kind of small, so everyone knows everyone,” he said. Local industry conferences can turn into breeding grounds for recruiting and poaching of employees, Allen said.
How to Get Creative in Attracting Cybersecurity Workers
Miller, Markarian and Allen sounded similar themes on how to hire and retain cyber talent. They said that organizations and their IT leaders need to make their workplaces attractive places to work, offer perks and cater to their workers’ interests.
“There is a reason why security looks like this super cool place everyone wants to be in,” Miller said. “People see it as fun.” But cyber workers don’t just want a casual workplace where they can wear jeans, Miller said. They want to be able to do research and development work, go to industry conferences and see new exploits being demonstrated. And they want the ability to tinker and play with equipment and replicate such exploits or discover their own — and then share it with their peers.
Allen and Markarian said organizations can look to hire cybersecurity interns from nearby universities that have cybersecurity programs and train them to eventually take full-time jobs.
Organizations should also be open to hiring workers who may not have direct cybersecurity experience, Allen said, but who may have application development and business experience and can learn new skills.
One way to attract talent is to build credibility in the organization’s cybersecurity practice. “If the word is out that you’ve got good people, good people bring in other good people,” Miller said. Organizations that have their cyber workers speak at conferences and that are seen as knowledgeable will attract other experienced cyber pros, she added.
“How can we network and get in, have some form of credible presence to get connected with experienced people and start to pull in interest when we have an opening?” she said. “That can be tough. It’s something you always have to be working on.”
Another option is managed cybersecurity services, Allen said. Outsourced workers can take care of operational security. That limits how many weekends core employees need to work and allows security architects to focus on new projects and higher-value work instead of answering help desk tickets.
How to Boost Diversity in Cyber Hiring
According to “The 2017 Global Information Security Workforce Study,” only 14 percent of cyber jobs in North America were filled by women. Markarian acknowledged it is “challenging” to hire women, especially if recruiters do not send many female candidates on for review. He challenged the industry to do better and to be more inclusive, arguing that such inclusivity fosters more creative and productive internal discussions.
Miller agreed and said inclusivity is key, not just for cybersecurity but for business in general. “How do we make people comfortable no matter who they are?” she said.
Miller also said there are still many societal biases that say women cannot perform well in cyber roles, which limits young women’s ability to get opportunities to get started in the industry. She said she is encouraged to see more outreach from organizations that are dedicated to getting girls and women interested in technology into the field. Miller pointed to the Diana Initiative, a conference held alongside the DEF CON conference that aims to attract women into cybersecurity.
Allen said he has tried to make his organization more friendly to women by being flexible about child care needs and work-life balance. In the end, he says, he “picks the best person for the job. I will not exclude anybody,” and he said he has a remarkably diverse team.
Overall, the IT security leaders stressed empathy and open-mindedness as qualities that will attract top cybersecurity talent.
“You need to take care of the people. Be loyal to them and they’ll be loyal to you,” Allen said. “Too often, we are not treating people the way they deserve to be treated. Because I do that, I have had people say they are not going to leave unless I leave.”
Markarian urged IT leaders to “know your people, get out of our office, learn what they like to do and don’t like to do, and let them grow in the areas they like.”
Miller said leaders should not be turned off by cybersecurity workers who have tattoos or bright pink hair.
“Resist that temptation to let that play into your perceptions of them,” she said. “Some of the best people you are going to find are those who, if you just went by your visual impression and what your instincts told you, your instincts would be all wrong.”