The Battle for Cybersecurity Talent Must Include Retention Emphasis

Written by

Oftentimes, when thinking of competitive workplaces, people consider competition between existing employees. This perspective focuses on the struggles that individuals face when trying to separate themselves from the herd of other career and employment aspirants, viewing other job applicants and certain coworkers as threats to overcome, all vying for the attention of corporate management in order to further their goals.

In the field of cybersecurity, the dynamic has switched; the competition now exists most acutely at organizational and corporate levels. With the cybersecurity talent and skills gap widening each year and the demand for qualified talent vastly outstripping the supply, organizations are now leveraging more creative poaching mechanisms to fill their cyber ranks.  

However, as organizations continue to leverage traditional retention strategies, they are finding it hard to keep those valued professionals. This is reinforced from findings revealed in ISACA’s recent State of Cybersecurity 2019 research, which indicates that serious understaffing requires creative solutions from the organizations in need.

Analysis of that report reflects the extreme nature of the need for qualified cybersecurity professionals. Specifically, it identifies that the majority of respondents’ organizations currently have unfilled cybersecurity positions.

Further exacerbating the issue, when asked, most respondents revealed that it takes at least three months to fill an open position, with more than 30% indicating that it takes six months or more. Clearly, the need for cybersecurity professionals is great and organizations are suffering from the small talent pool from which to pull.

As a result, all bets are off when trying to fill these positions, as organizations bring to bear every capability available to fill these openings, including poaching.

As companies compete over these valuable cybersecurity professionals, retention becomes difficult.  Specifically, 64% of respondents indicated that they have trouble retaining qualified cybersecurity professionals. As such, hunting and poaching for key talent becomes one of the most successful tools in obtaining qualified professionals, with the most successful lure being increased salaries.

More than 80% of respondents identified better financial incentives as a factor in causing cybersecurity professionals to leave their jobs. While an argument could be made that increased pay is a universal lure, not specific to cybersecurity, the second and third most commonly identified factors may provide a more unique insight.

Specifically, the second most commonly identified factor for a cybersecurity professional leaving their position was to obtain a promotion or better development opportunities, with the third most common factor being a “better work culture/environment.”

While analysis of the respondent data clearly identifies why individuals are leaving their cybersecurity positions, it is unclear as to why organizations are not diversifying their retention strategies. Specifically, when asked what strategies are in place to retain cybersecurity staff, over half of the respondents indicated that “increased training” was used as an incentive. While this may prove successful in other industries, it does not appear to address the root cause of individual departure, specifically that departing cybersecurity professionals do not feel that they are compensated adequately or have a room to grow.

In order for organizations to stay competitive in the cybersecurity field, introspective analysis and assessment of retention policies and strategies are necessary. Simply providing more training and more certifications are proving insufficient to retain skilled professionals. These traditional tactics should be viewed as a starting point, not a comprehensive solution.

It’s a jungle out there for cybersecurity organizations! The competition is fierce and the prizes – skilled cybersecurity professionals – are highly coveted. However, simply filling an open billet does not mean that the fight is over for these companies.

It is important to remember that just because a company lands a valuable worker, that doesn’t end the competition. Successful cybersecurity organizations are those that realize a happy worker is one that feels appropriately compensated, sees a future at the organization, and enjoys the work environment. In that respect, the cybersecurity field isn’t so different from others, after all.

What’s hot on Infosecurity Magazine?