As part of a regular series featuring content from BRINK, Tom Jacob and Karen Shellenback of Mercer discuss the need for companies to invest in cybersecurity talent to maintain competitiveness.
The rise of the Internet, data and communication technologies in concert with the proliferation of mobile and interconnected ecosystems has revolutionized every aspect of modern society. However, our never-ending reliance on technology has also created new vulnerabilities and avenues for harm for those who wish to capitalize on financial and otherwise nefarious schemes. The cyber vulnerabilities that organizations face today are pervasive and formidable. But to view the challenges through only a technological lens is missing half of the equation.
Fundamentally, cybersecurity remains a human problem, and the solution to that problem lies with human beings. Thus, understanding the role of human capital is critical in the development of innovative security solutions. In 2015, competition for talent in this field is a make-or-break factor for organizational resiliency and competitiveness.
A Convergence of Challenging Factors: The Cybersecurity Labor Pool
The cybersecurity field is growing exponentially, and the demand for skilled tech workers exceeds the supply. The supply of talent, however, is hampered by a convergence of factors that have placed an unintentional stranglehold on the workforce. Consider the following challenges organizations face in hiring cybersecurity talent in 2015:
- Exponential growth: Cybersecurity jobs postings have grown 74 percent between 2007 and 2013. This growth rate is more than two times faster than all other IT jobs. In particular, cloud computing and mobile connectivity are experiencing exceedingly rapid growth trajectories. These new globally adopted technologies are driving the need to address a new set of security concerns and are propelling cybersecurity job growth in the professional services, public administration, manufacturing, defense and retail sectors.
- Demand exceeds supply: Although the cybersecurity field is growing rapidly and offers very competitive pay, demand for these IT specialists exceeds the supply of credentialed, experienced professionals. Research at Cisco Systems Inc. in 2014 linked recent high-profile security breaches to the shortage of nearly one million skilled cybersecurity professionals.
- Supply is hampered by multiple interwoven challenges: There are many educational and experiential barriers for those interested in moving into cybersecurity roles, including the need for four years of education and four to five years of work experience or certification. Yet, only 186 institutions offer cybersecurity coursework, which account forless than 5 percent of all American colleges and universities. These requirements effectively eliminate new graduates and create a dearth of entry-level positions, which are necessary for building a robust pipeline. Finally, cybersecurity leadership requires a focus on the people issues, calling for executive communication skills, negotiation skills and gravitas along with operational, legal or line-of-business exposure. Finding talent with the right mix of these skills is extremely difficult.
The Unintended Consequences – Labor Market Results
The unintended consequences of the above educational, experiential and hiring requirements have, in part, resulted in the following:
Building your cybersecurity talent pool takes longer than other IT positions: According to Burning Glass, cybersecurity job postings take, on average, 24 percent longer to fill than other IT job postings and 36 percent longer to fill than all other job postings. Senior level cybersecurity positions take even longer to fill: On average, filling a cybersecurity position at the senior level takes 9.2 months.
Cybersecurity talent costs more than other IT positions: Cybersecurity jobs pay approximately $10,000 to $20,000 more annually than comparable IT jobs and salaries are increasing at a faster rate than the average IT position. In addition, 83 percent of cybersecurity new hires are receiving more-than-average pay increases.
Companies that have a hard time attracting and retaining cybersecurity talent risk falling behind in terms of competiveness and add more uncertainty to the ever-growing equation of holistic organizational risk. So, what can organizations do to increase the flow of cybersecurity talent into their organization? Like any other job category with hard-to-find skills, companies must create a comprehensive talent strategy and action plan.
11 Ways to Attract and Retain Cybersecurity Talent
In the 2015 marketplace, where demand is high and supply is low and cybersecurity professionals are poached daily, a well-executed talent strategy with progressive attraction and retention incentives is a must. A strategic cybersecurity talent action plan should include the following elements:
- Evaluate your company brand. What is it that makes the organization stand out from the rest and how is the company perceived in the larger arena of social media and the crowd-sourced blogosphere? If your organizational presence is nonexistent or negative, it is time to dedicate resources (financial and otherwise) to change that image.
- Understand current engagement levels. Engage cybersecurity staff in brainstorming solutions and action planning, so as to increase the excitement and engagement of your critical team members.
- Harness strategic workforce planning and metrics. Using data analytics and workforce planning applications, the human resources (HR) function must work with cybersecurity leadership to create a plan that lays out the anticipated ebbs and flows of talent streams, patterns of attrition, bench strength, career path mapping and avenues for bringing critical talent in the door.
- Partner with universities to develop emerging curriculums and open up access to potential new hires. Providing real-world curriculum challenges as well as on-site job rotations, networking opportunities, co-ops and internship opportunities allows young workers the development experience they need and the exposure hiring organizations require.
- Provide training and more training. Companies must make the most out of the talent already in place. Providing specific training opportunities to current staff on emerging technologies is a requirement that cannot be overlooked.
- Create enticing career path trajectories. In a field where talent is in short supply and one can jump ship for added responsibilities and pay, having a visible, enticing, attainable and tangible internal career map is essential.
- Focus on creative career growth opportunities. Create opportunities to highlight significant accomplishments and provide a clear line of sight and accelerated growth paths that align with career goals, passions and personal aspirations.
- Improve processes, communication and productivity. Increase the productivity among the cybersecurity team by using new technologies to manage day-to-day workflow processes and efficiencies.
- Increase the use of open-source collaboration and external networks. Consider the use of community collaboration models, including design challenges, hackathons and open-source community platforms to tap into external networks and locate potential talent.
- Build line-of-business experience. Provide training opportunities to IT staff on business strategy, negotiation, legal considerations and communications, along with stronger ties to senior management, to enable cybersecurity leaders to translate corporate business strategy into risk and cybersecurity resource plans.
- Open the door to all talent. Increase talent acquisition channels to look beyond what HR and recruiters may deem as the appropriate experiential requirements (B.S. degree, four years of experience and certifications).
The cybersecurity field is growing by leaps and bounds. The need to stay in front of a rapid and exponential technological landscape with astounding opportunities and vulnerabilities is simply … daunting.
The demand is exceedingly high and the pressure to find critically specialized talent to address the inherent challenges and vulnerabilities is not about to go away. Organizations that want to remain competitive and reduce substantial organizational risk must invest in cybersecurity talent practices to open up, energize and direct the flow of essential talent into and within the organization.
(Top image: Courtesy of Patrick Lux/Getty Images)
This piece first appeared in BRINK.
Tom Jacob is a Senior Partner in the Information Solutions group of Mercer’s Talent Division. He joined Mercer in 2003 and is based in Philadelphia. Tom has served in a number of roles at Mercer all having in common the innovation and launch of new products and services. He presently serves as the global leader of Research & Insights products which includes Mercer’s industries, research publications and metrics information products.
Karen Shellenback, Principal, Mercer Research and Insights, is responsible for conceiving, developing and delivering innovative insights products and services based on rigorous research using Mercer and non-Mercer data. Karen is a human capital leader focused on strategic research and evaluation, human capital analytics and impact metrics. She has partnered with executive clients in numerous Fortune 500 and Global 2000 companies, as well as government, non-profits and academia, harnessing “driver” data to improve client organizational performance.