Cybersecurity headhunters: recruiting an experienced professional is a challenge
Experienced cybersecurity professionals are difficult to find. And once you manage to find one, they will ask for quite a sum of money that will make you wonder whether you really need to bring a cybersecurity expert on board.
According to the recent 2021 (ISC)² Cybersecurity Workforce Study, cybersecurity professionals are satisfied with their jobs and earn as much as $119,000 in North America.
However, despite the job being so satisfactory (a statement that many people doing the job would strongly disagree with) and ‘strongly compensated,’ the field of cybersecurity still lacks about 2.7 million professionals, although the skills shortage gap has narrowed over the past year from 3.1 million.
There are approximately 4.2 million professionals in the field right now. So it means we need almost twice as many to satisfy the current needs. Why are cybersecurity experts in such high demand? Well, if you lack them, you are at greater risk of cyberattack, as well as things like slowly patched critical systems, misconfigured systems, rushed deployments, and so on.
Some experts say we will not solve our problems by throwing more people at them and argue we should rely more on technology for protection. Meanwhile, we asked cybersecurity headhunters whether cybersecurity professionals really are nowhere to be found.
Charles Pritzl and Patricia Field from the ManpowerGroup detailed how they are hunting for cybersecurity specialists and what they are doing to make the skills shortage less of a problem.
Cybersecurity lacks millions of professionals. Are they really nowhere to be found?
Charles Pritzl: I would say yes and possibly no. One of the things that I've been seeing is that many companies will say, 'I want a professional that has five to ten years of IT or cybersecurity experience.' That area is complex right now. It is challenging to find them. And if you do find them, they're commanding a pretty good pay rate. What I think companies need to start looking at is, you can't focus on 'give me a four-year education, five to ten years of service.' You have to look at their skills, certifications to some extent, and their ability to fit into your culture. You almost have to grow the professional a little bit in your organization.
Why don't companies then start growing from within? Find the people you have in your organization, train them up, don't sit around and say, 'oh, we are not finding anyone.' Do something about it, find those people internally, skill them, and get them on their way to that cybersecurity space. You can get a very good person who can do the work, has the base knowledge that can come to speed very quickly, and fills those positions. Maybe the high-end ones, yes, you want to focus on those multiple years of education. But looking at it a little differently might help companies until the education system catches up with the demand.
Do you try to convince companies that maybe they don't need a professional with very long experience, but they might do well with a less experienced employee?
Pritzl: We are working with a very large multinational IT organization. One of the focuses that we've been talking about is getting away from this experience as a requirement and looking at the ability and certifications and things like that. I think it is starting to change in the industry recently because the demand is so high. But you still do hear and see the job description where experience is a requirement, not something nice to have.
As you mentioned, sometimes companies really need someone with experience, whether it's a CISO or someone else in charge. How hard is it to find such a person? Can you just put up a job listing and hope that someone will apply, or do you have to do a proactive search?
Pritzl: You really have to do a proactive search. You reach out to many people, get a few people responding, and they'll say, 'no, I am not interested, but I might have someone here.' You have to run that gambit to find someone who is available, looking for a job, looking for a change, and interested in career advancement. You cannot put a job posting. You are not at the point of getting ten resumes saying, 'hey, I want this job.' If you do, it might be people that are not ready for that higher-end position. You have to use your network of LinkedIn, other mechanisms, going to people you have worked with and seeing whether they have any contacts, and running that route.
You said that once you find a professional, they usually require quite a high salary. I wonder if companies are ready to satisfy that requirement? Or is it not worth the money?
Pritzl: What I've seen is, there's a little bit of sticker shock initially from companies, going, 'what? They want that much?' But they also understand that the market is tight and that they need to fill those positions. Either they are getting directions from the board or directives from the CEO, saying, 'we have to get this under control.' Because probably they've had an issue, seen a competitor having an issue, read different reports on companies having problems, and they realize that they don't want to be the next one in the press. They are willing to spend a little more after they internalize the price of those resources.
Salary-wise, is it way higher above the national average? Or maybe salaries can be one of the problems why there are not enough people in cybersecurity?
Pritzl: Cyber people are commanding 20-25% above the typical IT individual.
Is that something that companies are willing to give?
Pritzl: You are still seeing smaller, closer to medium size companies going, 'do I need this? Am I going to be a target of a cybersecurity attack?' I think the forward-thinking CEO is saying, 'we have to do this because any company is now a potential target for a cyber attack.' No longer is it that they [threat actors] are just going after financial institutions or places where they can get money. They are going after personal information they can turn around and sell. They are going after intellectual property information. You don't want to be shut due to ransomware, and either have to pay to get out of the problem or stay shut and deal with the shutdown. I think they are willing to pay. Smaller companies are still coming along, going, 'do we want to invest that amount of money in this? Do we have to invest that money in cybersecurity?'
Cybersecurity is a male-dominated industry. Is that an issue for you? Are you considering it when you are hunting for professionals?
Pritzl: I don't know the reason, but there's male dominance in that area. Do I go out and necessarily look for other gender people to fill roles? No. When I look for people to recruit, I typically don't even look at the name until I go through the interview.
Patricia came to our team probably two and a half years ago, and when I was recruiting for that position, I think I had like six men and one woman. And that woman was Patricia.
I know there's a lot of STEM-type (science, technology, engineering, and mathematics) activities going on. I have two young granddaughters, and I am constantly trying to engage them in science and technology because I believe cybersecurity will continue to grow for many years. We need people to engage with it and oversee it as it is only going to grow.
Patricia Field: Cybersecurity has always been a male-dominated field. I entered the world of cybersecurity about 20 years ago and found my niche. As I started working my way up in cybersecurity, I was a keynote speaker in Canada, and I was sitting at the table, getting prepared to do my presentation. A Canadian gentleman approached me and handed me his coat, and asked me to get his coffee. It stunned me. I was sitting there like, 'do what?' And he said, 'sweetie, can you give me a cup of coffee?' And I said, 'ok, I will get it for you.' And I did. But when it was time to introduce the keynote speaker, and he realized that it was me, the look on his face was priceless. I was a female in a room with a majority of men. It was like a rude awakening.
Can women actually do this? Yes. I am a huge STEM advocate working primarily with targeting women and young girls to let them know precisely what STEM is and getting them aware. So awareness is not there. It is up to us, the ones in cybersecurity, to advocate bringing more women and educating them on the possibilities and the jobs within cybersecurity. We've come a long way, but we still have a long way to go.
Patricia, what do women bring to the table?
Patricia Field: We bring a different skill set. Although we are all in the same field, women tend to see things from a different microscope. We are problem solvers. Not to say that men are not problem solvers, but we tend to look for ways to collaborate and play the devil's advocate. Women, we wear so many different hats to where we have learned to be proactive and try to do things in a different way to solve problems. We are known as nurturers and problem solvers. We bring that specific skill set to the job as well.
Is it realistic to fill those approx. 3 million open positions in cybersecurity, or will companies have to rely on technology rather than people to protect the perimeter?
Pritzl: Artificial intelligence is growing in the cybersecurity space. Some of the threat hunting analysis is starting to be taken over by AI-type systems. But you still need that next level which goes in and better understands. AI can hold things together and start giving you some ideas, but you still need that human factor to go ahead and digest those issues. It's going to take quite a while. It goes back to the need to educate from within, continually have organizations, such as STEM and colleges, push for cybersecurity, and companies understanding they don't need a four-year expert. You can do with one year or the entry-level person and skill them quickly. It will take a while to fill those positions, and I don't see it going away anytime soon.