How much of the cybersecurity talent shortage is self-inflicted?
Money matters when it comes to recruiting cybersecurity staffers. But, beyond salary, a combination of factors have contributed to the widespread skills shortage, and some issues are worsened by the industry itself.
Various studies suggest the shortage of qualified cybersecurity candidates is set to hit 3.4 million unfilled positions by 2021, up from the current level of 2.93 million, with 500,000 of those empty seats located in North America. It’s the kind of existential problem that makes other headaches worse, resulting in possible data breaches not being investigated and the rise of untested security vendors hawking artificial intelligence tools that promise to help corporate security teams run with fewer humans.
And yet, while enterprise executives and recruiters agree there is a significant dearth of skilled security professionals, there is a surge of momentum behind the argument that the industry’s staffing shortage is self-inflicted. The lack of qualified job candidates isn’t just a supply-and-demand issue, according to a Forrester report published in July, but also a deeper failure of bias, expectation, compensation and commitment to effective recruiting and retention, analysts argue.
Too many hiring managers “expect to hire MacGyver but pay like McDonalds,” says the report.
“Job postings will require a bachelor’s degree with five to seven years of experience with all kinds of technology, and a master’s degree preferred, but by the way we only want to pay you $85,000 a year,” said Chase Cunningham, one of the Forrester analysts who authored the findings.
“That’s an alignment problem where hiring people are looking through the lens of software development, and it’s ‘If you know how to build an app or use Java or Python, your worth is this,’” he added. “That’s not how it works with cyber.”
CISOs want a C-suite role
Security leaders at big banks and influential Fortune 100 corporations now are commanding annual salaries of anywhere between $600,000 and, in rare cases, up to $1 million, according to two executive recruiters who specialize in filling security positions. Mid-market firms — defined roughly as companies with revenue of between $100 million and $5 billion — offer less, typically within the $200,000 to $400,000 range.
After spending an average of 17 months in a single position, CISOs typically move on, either to find a new company where the C-Suite and board of directors are willing to invest in security, or to get a raise.
If a company isn’t investing in new security tools, prioritizing patching, making the cyber boss part of high-level conversations or otherwise committing to security within that time frame, a hack could be likely, in which case it’s time to find a new position, the logic goes.
“It’s a regular thing for a Fortune 100 CISO to tell me they have to go somewhere else because they’re not taken seriously,” said Deidre Diamond, founder and CEO of the job placement firm CyberSN.
Budgeting toward physical security, continuity of operations, crisis management and authorizing forensic data analysis, as well as an incident response contract prior to a breach, goes a long way toward proving to a CISO that data protection actually is a priority.
“If a company isn’t focused on the right things and people aren’t buying in then…we’ve seen examples where there needs to be a scapegoat, and the CISO rarely survives that,” said Chris Braden, vice president of global channels at eSentire, a managed response vendor which authored a white paper on the topic.
“The number of people who are still talking about Target or Starwood or Equifax, those conversations aren’t going away as soon as those brands would like, and there is some risk for that for the CISO,” he added.
How hiring is impacted
The salary and culture dynamics result in a rush of applicants for top positions while other opportunities are unexplored.
At a large firm, there might be as many as 12 security-related positions beneath the CISO with job titles like an information security officer, information security manager, threat hunters, engineers and then, at the entry level, a security analyst. That plays out in different ways throughout the private sector — Wells Fargo has 3,000 security staffers while Starbucks has 62 — but a lack of positions sends an implicit message to potential candidates that there’s limited room for growth.
A reluctance to spend money also becomes an issue in other ways, such as when companies offer jobs to candidates who live outside of a major metropolitan area. Instead of offering higher salaries, many firms offer a lower salary and justify it by saying the cost of living in a smaller city is lower than in tech hubs like San Francisco or New York, says CyberSN’s Diamond.
“Companies don’t want to spend on security, so they’re getting people to do three jobs in one, but you’re not going to retain people because there is a high demand and there are other places they can go,” she added.
Even if top security executives flock to larger companies with higher budgets and more opportunities for advancement, mid-market firms still need to find ways to protect themselves. The choice is to either outsource to a consultancy firm, hire a security operations center or get creative. Emphasizing vacation time, internal training, remote work, flexible hours and a focus on quality of life all are possibilities, the Forrester report notes.
Instead of relying on hiring managers who view information security roles only as an offshoot of traditional IT, some security bosses are experimenting with new avenues to find highly skilled personnel. Jim Motes, chief information security officer at GameStop, has been working with a Texas nonprofit that aims to start autistic adults in security monitoring.
By training autistic people to recognize patterns and flag anomalies, Motes believes GameStop can tap into a new talent pool while students can improve their earning potential. He is even exploring using that talent to build a security operations center for the company.
“We’re all a bit quirky, and companies that look only for people in a certain mold miss out on a lot of security talent,” Motes said. “I had a guy once [on the Autism spectrum], he saw code fly across the screen and could immediately see it wasn’t normal. It turned out to be a breach of customer information.”
The idea of abandoning traditional requirements like industry certifications and college degrees is gaining steam. Instead, analysts are advising clients to identify candidates that demonstrate an interest in security and willingness to learn the issues.
“Organizations are using virtual sandbox scenarios and giving them hypothetical situations and letting them solve problems on their own,” said Chase Cunningham, the Forrester analyst. “Look, I joined the Navy as a diesel mechanic and now cybersecurity is my thing…We have a lack of talent that’s available, but there’s also talent that’s just not apparent.”