Are cybersecurity hiring practices hurting your company?

As cyber threats become ever more complex, cybersecurity professionals are playing a critical role in organizations' overall success fighting back. Cybersecurity is now a mandatory role that all organizations must fill to protect mission-critical data and processes.

Given the current state of cyber threats, you might think that hiring managers are doing all they can to secure top cyber talent when recruiting for these positions. After all, the demand for cybersecurity pros is at an all-time high, supply is failing to keep up: According to projections, according to our research study “The Cyber Security Hiring Crisis." The supply of cybersecurity pros will outpace the number of open positions by 1.8 million.

Nonetheless, many organizations today treat cyber jobs just as they do IT jobs in terms of compensation and benefits, even though the roles are completely different.

That's wrong. Here's why.

State of Security Operations 2018

Inconsistency in job titles and functions, and no common language

Currently, 35 cybersecurity job categories fall under the cyber umbrella, but actual roles don't necessarily carry the same job titles or have the same responsibilities from one organization to another. Roles within cybersecurity vary widely, and each has a unique set of skills.

Hiring managers need to understand the core responsibilities for each position prior to defining the job title, and each job title must be consistent with industry-recognized titles if you expect to attract the attention of job seekers—and optimize for search engines.  

Reliance on unreliable data

Reports from national institutions designed to standardize salaries are often old, and fail to recognize the full range of cyber jobs. For example, the US Bureau of Labor Statistics provides salary data for cyber professionals, but only for the role of “Information Security Analyst.”

In this fast-paced world, the data changes all the time So if a report is even a month old, it will inaccurately reflect industry salaries. This can create misunderstanding about the role and the appropriate compensation.

Cybersecurity is a diverse field with many roles, and the use of outdated data is far from adequate to empower hiring managers and internal recruiting teams to generate competitive offers. Services such as Glassdoor might have more up-to-date information, but their reliance on base salaries leaves a lot of information out, such as bonuses, benefits, stock options, and other creative compensation methods that make many of these jobs attractive to job seekers. Also, niche roles are underrepresented, with very little data available to assist hiring managers. 

Pushback from HR

As the middleman between hiring managers and candidates, HR often possesses a lot of power. The problem is that many HR professionals are uninformed about the special skills cybersecurity practitioners must have. Compounding the difficulty is the fact that most organizations are reluctant to give cyber professionals higher salaries than IT professionals, despite the dearth of talent and the highly specialized skills the role demands.

In our research study, mentioned above, we found that hiring managers are more likely to turn to their own internal networks, social media, and outside staffing firms to source candidates, rather than leave it in the hands of internal recruiters. Cybersecurity practitioners are highly skilled and specialized, and general recruiters often aren't equipped with the networks or the industry specialization needed to attract and retain this unique talent.

Change the mindset, change the game

Many organizations fail to realize that by not offering market rates for cybersecurity positions, they're sending a message that cybersecurity is not a priority in their organizations. In fact,  cybersecurity professionals say that the No. 1 reason they change jobs is that they feel that their profession is not a priority for the organization. Even is you can hire cybersecurity professionals under these circumstances, it creates a retention and attrition problem that nearly eclipses the recruiting challenges. Clearly, this outdated mindset must change.

Checking a compliance box is not enough to prepare for risk. Organizations must be willing to invest in the critical roles that will keep the business up and running as cyber threats continue to evolve. The best way to do this in today's highly competitive market is to offer top compensation and benefits to recruit—and retain—the talent you need to protect the business.


 

State of Security Operations 2018
Topics: Security