Cybersecurity professionals often speak of feeling stressed out and underappreciated. One HR expert believes that to meet the challenges posed by the growing cyber threat, the industry must mature and do more to nurture and attract talent.
We spoke to Cyber Human Capital recruitment company founder Renee Small for our dedicated YouTube channel. This is a transcript of the edited version of the conversation – to access the original footage, please click on the link at the bottom of this article.
It’s said that top-level cybercriminals can make as much $600,000 a month. Do you think we lack professionals in the cybersecurity industry because it's not paying well enough?
I think there are other explanations. In my experience the compensation typically aligns, especially when they're experienced. Most of the individual contributors that I speak to are typically upwards of $150,000, so I think the challenge with keeping professionals in the field is that leaders and executives don't fully understand what really drives security professionals, and what they can do to retain them.
One of those areas is professional development. When I speak to potential cybersecurity professionals who are looking to leave their organization, the number-one factor that I have gotten over the past ten years has been professional development. They are more concerned about keeping up with current trends. As we are well aware, cybersecurity changes and morphs daily. Staying in touch with what's happening, continuous education… if a company just supported all of those things, they would be able to retain and bring more people into the industry.
I've read that cybersecurity professionals say they are stressed 24/7, does that sound accurate?
Absolutely it does. It is a stressful environment and I don't think it has a level of support. If you think of other stressful roles: the medical profession, pilots, anything where lives are literally in your hands, you're likely stressed out. But because these professions are more seasoned and have been around longer, I'm assuming they have support systems for stress relief and things like that.
Whereas in the security space, it's such a new industry. You have a lot of folks that have come out of technology and gone into this space, and they may not be able to handle the stress or be supported in regards to that neverending pressure. It's like [being] a firefighter [but] it doesn't go out. And that leads to burnout. Having something in place with these professionals can help alleviate this.
You mean mental health professionals, onsite?
Mental health professionals, right. Companies and leaders should be utilizing them at all times. Because I read recently that security professionals are leaving the industry, and it's heartbreaking. It takes so long to get folks into the industry.
And now with the uptick in cyberattacks, it's the worst possible time to see that kind of brain drain…
Exactly. Professional development comes up in almost every single conversation I have. Just working with a great team, like a group of people where you can have camaraderie. You know – humans! (laughs)
Sounds like you're talking about nurturing...
Yeah. Just a really nice environment, not working with people who are, you know, pains in the butt...!
"Mental health professionals - companies and leaders should be utilizing them at all times. Security professionals are leaving the industry, and it's heartbreaking."Renee Small, CEO and founder of Cyber Human Capital
I've heard you described as “a fixer.” Tell me, what does that entail?
Company leaders reach out to me when they need very specific talent that they cannot normally find in the marketplace, and I uncover that and bring interested individuals to that leader and that company.
You wrote a book about this, talk me through that.
The book was Magnetic Hiring, and that honestly was almost like a gift to other HR professionals and recruiters, because when I first came into the industry it was very challenging. And so this book was to give HR professionals and recruiters that were like the former Renee (laughs), and had no idea what anything meant, the nuggets that I learned the hard way. It was funny, because I put the book out there and it was really supposed to be for other recruiters – but then the cybersecurity folks enjoyed it. They started reading it and passing it around.
I'd say that's a ringing endorsement! There seems to be a Catch-22 situation, where the industry needs new people but they don't yet have experience. It's almost like the bar is being raised too high for entry-level candidates – do you think that is improving?
I think there's still a way to go, unfortunately. I believe that it's getting to a tipping point. Especially if people are leaving the industry – there's only so much you can do if you have the same folks circulating around different opportunities. What the manager really needs is that person that already has five years of experience. That's the sweet spot. You can drop a person in, they know what they're doing, there's limited training, it's perfect.
But getting folks from zero to five is such a challenge, and to me it doesn't have to be that way. There are all kinds of programs: you can do it in the military, you can do it in all professions, other areas of IT. It really does not have to be that difficult. That investment really needs to happen. Then we won't have this huge so-called talent gap.
It's not all about hacking. Because hacking gets the flashy lights and everybody sees guys and women in hoodies in dark rooms, with all the code flying around and all that. Most security professionals are not doing that, it's a very small percentage. There are a lot of other areas of security. For example, if you are in healthcare: you're a nurse who then becomes risk management. You have the nursing background, so you understand the clinical component: then you can segue into it.
And, of course, hospitals are a huge target for cybercriminals...
Huge target. I ended up in security because the leader who brought me in from an HR and recruiting background saw a skill that could translate into security. There are so many roles that are non-technical in security. Especially in technology, there are so many roles that are adjacent. Everyone tries to put up this big shadow like it's so scary and difficult – a lot of it is not. You need people to do documentation, operations, and so many different things that your core engineer – that person who wants to be the hacker – doesn’t want to do.
"Different environments - I mean growing up in a city versus the suburbs, poverty versus wealthy, all of those different things - if you mash them into a room, you're going to get your problem solved."Renee Small, founder and CEO of Cyber Human Capital
I've heard it said that cybersecurity is quite a male-dominated industry. Do you think there are more opportunities for women and minorities to get involved, or is that another work in progress?
It's better than it has been – but more needs to be done to bring in people from all different types of perspectives. Because you only get better when you have different perspectives, period. And so that comes from obviously diversity and ethnicity, inclusion, gender, all that stuff. I was talking to the editor of my book, and I said: “Why aren't they bringing in people who've been in prison?” If you think about the FBI, those folks were like: “OK, we've found you – now we want you on our side, because you're the person that gets it.” (laughs) Those are the people that you want on the good side!
They even make movies about that nowadays, don't they!?
Exactly. You should have both. However your mindset works, it's not going to be similar to someone who “grew up with a silver spoon.” It's just different. And different environments – I mean growing up in the city versus the suburbs, poverty versus wealthy, all of those different things – if you mash them into a room, you're going to get your problem solved.
To close out the interview, we asked Renee some more offbeat questions… just to see what she’d say.
Which achievement are you proudest of – your book, or your company?
My company. (laughs)
If you had to give up using one of the following for a month, your mobile phone or your laptop, which would it be?
You have to be in the loop 24/7 in your job, I guess...
Pretty much. And your phone is like a laptop now anyway.
It's pretty much a handheld computer…! You've obviously got facility with both, but what does it for you the most, words or numbers?
If you could have a one-to-one with anyone outside your industry, who would it be and why?
That's a great question... I like to speak to people who are the first generation who've excelled in their field.
You mean like pioneers, that kind of thing?
Thanks very much for taking the time to talk to us, Renee, we'll do our best to help you put the word out there!
Sounds awesome, thank you!
More from Cybernews:
Subscribe to our newsletter