Storage, Networking

Recruiting and Retaining Cybersecurity Talent


New ESG/ISSA research indicates that cybersecurity professionals value competitive compensation, a strong cybersecurity culture, and business management commitment to cybersecurity.

As we know, there is an acute shortage of cybersecurity talent available on a global basis. For example, previous ESG research from 2016 reveals that 46% of organizations say they have a “problematic shortage” of cybersecurity talent at present.

Unfortunately, the cybersecurity skills shortage goes beyond headcount alone. According to a recently published report from ESG and the Information Systems Security Association (ISSA), cybersecurity teams can be in a constant state of flux due to issues with employee satisfaction, a lack of adequate training, and staff attrition. The report also exposes the fact that 46% of cybersecurity professionals are actually recruited to pursue new job opportunities at least once per week! In other words, if your cybersecurity people aren’t happy, they won’t be around long.

Now cybersecurity is a discipline that is heavily influenced by staff experience so a revolving door of staff turnover will have a direct impact on business risk and the ability to prevent, detect, and respond to security incidents. As a result, organizations have a vested interest in maintaining job satisfaction in order to retain and motivate the existing cybersecurity staff.

Just what conditions lead to cybersecurity job satisfaction? As part of the ESG/ISSA research project, we asked 437 cybersecurity professionals this very question. Here are some of the results:

  • Nearly one-third (32%) of respondents said “competitive or industry leading financial compensation.” Yup, money is always important but it should be viewed as “table stakes” in the big picture. Competitive compensation gets an organization into the discussion but other incremental factors will ultimately determine job satisfaction.
  • Almost one-quarter (24%) of cybersecurity professionals said, “a general organizational culture that promotes and supports strong cybersecurity.” So cybersecurity has to be included across areas like software development, HR training, and organizational mission statements – not just an afterthought equated with firewalls and antivirus software.
  • Nearly as many (23%) respondents said, “business management’s commitment to cybersecurity.” Thus, cybersecurity must be part of business planning and led by enthusiastic participation from executive managers and corporate boards.
  • Twenty-two percent of respondents said, “the ability to work with a highly-skilled and talented cybersecurity staff.” This was especially important for junior staff members looking to expand their skills and grow their careers.
  • Twenty-two percent of respondents said, “an organization that provides support and financial incentives enabling cybersecurity staff members to participate in training and develop technical skills.” Once again, this requirement goes beyond having a job. Cybersecurity pros want to work for employers committed to continuous cybersecurity education for the staff.

Every organization should do a self-assessment to gauge how well they are doing in all of these areas. Those deficient in one or several categories should develop plans for improvement. Those few organizations that excel in all of these areas should capitalize on these strengths by marketing themselves as cybersecurity centers of excellence in order to attract, recruit, and retain top cybersecurity talent.

Jon Oltsik is a senior principal analyst at ESG, an integrated IT research, analyst, strategy and validation firm. Read more ESG blogs here.