Companies all over the world are facing a huge challenge. Despite good salaries, they can’t hire enough cybersecurity professionals. And most of the cybersecurity professionals they already employ are looking for a new job somewhere else. There are also too few people in the pipeline to become future cyber professionals. Not to mention all the workers who are nearing retirement. But hiring more staff is not the only solution available to meet your organization’s security needs. Creative ways of achieving good security and maintaining a loyal, long-term workforce are possible.
Covering all of the world’s cybersecurity needs is a real problem. In late 2018, there were roughly 3 million unfilled cybersecurity jobs worldwide. A half million of those open jobs were in North America. Hiring managers report positions open for 3 to 6 months in IT security. And some jobs are never filled.
Hiring problems will not be solved by simply allocating more money for salaries. In the U.S., IT security salaries are high, ranging from $60,000 to $200,000 depending on role, location, and seniority level. The average information security analyst salary in the U.S. in 2018 was $98,350. The mean CISO salary is around $220,000.
Hiring problems in cybersecurity are caused by a variety of factors. Understaffing puts increased pressure on existing staff and yields low morale. Cybersecurity is already a thankless task in many ways. Individuals shoulder much of the blame when something goes wrong but receive little acclaim when things run smoothly. Surveys also show that cyber professionals are disheartened by a lack of resources and time. And many view their departments’ budgets as inadequate to the increasing threats they must address.
Unfortunately, staffing problems are also aggravated by a high churn rate and a lack of new talent in the pipeline. A 2018 survey revealed that 84% of current cyber professionals were open to or actively pursuing new roles. Cybersecurity is a relatively new field of computer science and awareness among the next generation is low. As more universities add programs or concentrations, there is hope that more students will pursue the field. However, millennials are not taking up the profession in big numbers. Only 7% of current cyber professionals are under 29 and a large portion of the workforce will soon start to retire.
Despite the calamitous implications of the above statistics, creative solutions for meeting companies’ cybersecurity needs are possible.
Addressing the diminishing pipeline of cybersecurity professionals must start now. A large portion of the next generation of computer scientists must be persuaded to concentrate their college or trade school education in cybersecurity. Academic programs and certifying entities should market to women and minorities who have not traditionally seen themselves represented in these roles. (Women only make up 24% of the current cybersecurity workforce.) Companies should also consider nontraditional new hires in entry-level security roles. (Something like 87% of current cybersecurity professionals started in different fields.)
To address current hiring shortages, companies should begin to think creatively. Employing the services of outside firms can meet some or all of their security needs while also improving morale among existing employees.
The International Information System Security Certification Consortium, or (ISC)², surveyed current cybersecurity professionals about their jobs. Its report suggests that engaging employees in developing cybersecurity strategy and automating or hiring out routine tasks leads to a much happier workforce. Imagine lifting an employee out of the daily grind of boring, repetitive work and asking them to contribute to something big, something long term. The employee feels valued for their input. And they also want to stay on staff for long enough to see their ideas come to fruition.
Employees are also more satisfied when management recognizes their contributions. Consider hiring an expert outside firm to train management on cybersecurity. An educated management team sees security as a vital part of the overall organization. When your C-suite has a deep understanding of the threat environment of your business vertical, budgets for security will improve and so will your reputation as an employer.
Maintaining a consulting or risk management relationship with an expertise-on-demand vendor also acts as a backstop to your full-time staff. The consistent presence of a trusted partner will lower your employee churn rate. New employees will be onboarded more quickly, with less disruption. The inevitable ebbs and flows of employee leave time can be managed, not with additional work from your already stretched staff, but by your outside partner.
If you are frightened by the glaring statistics about cybersecurity staffing, take a deep breath and remind yourself that these numbers don’t have to be so scary. There are creative ways to cover your cybersecurity needs. If you’re curious about hiring an outside vendor with great customer service and a high level of expertise, please reach out to us at Asylas. We want to link arms with you as a component of your larger security strategy, at any level of involvement. Our services include awareness training, risk management, security assessments, vCISO, and much more.
Email us at firstname.lastname@example.org or call 615-622-4591.