The following is a guest article from Wesley Simpson, (ISC)² COO.
Today’s cybersecurity professionals are in high demand. Millions of jobs need to be filled, yet most companies can’t keep the talent that they have. Why? Because employees want to know that they are valued and that the organizations they work for take security seriously.
Current cybersecurity professionals are spoiled for choice, which means that the organizations looking to fill these critical positions need to offer more than a competitive salary both to keep the professionals they have and woo new candidates.
Yes, it’s two-fold. Even if current employees aren’t looking to switch jobs, one call from a recruiter could lure them into giving a new position some serious thought. And recruiters are reaching out, multiple times a day, every day.
In addition, the 2018 (ISC)2 Hiring and Retaining Top Cybersecurity Talent report found that most currently employed cybersecurity professionals (70%) are open to a change despite having no plans to begin a job search in 2018.
That means that the majority of cybersecurity employees have a price. But for cybersecurity professionals who are willing to be swept away by a recruiter, money most likely won’t buy their favor.
What do they want, then? Not surprisingly, there’s a great deal of value placed on some of the softer skills. Current professionals are more attracted to companies that demonstrate a willingness to listen to cybersecurity employees’ views. But to even get those people in for an interview, you need to first have clearly defined job responsibilities.
A word of caution — a lack of clarity in a job description implies the organization doesn’t understand security. When hiring managers use vague language to craft descriptions that don’t seem to accurately reflect the job, that’s a red flag for job seekers.
Whether you are looking for someone well versed in cybersecurity strategy, cybersecurity management, user education, risk assessment or security operations, be clear about the skills needed and avoid ambiguity about the role.
Value the everyday skills
Our research also found that most professionals seem to be struggling to find the time for user awareness training, so one way to woo the best cybersecurity professionals to your team is to value the importance of having a quality user awareness training program. Don’t stop there, though.
Here are a few more ways that you can avoid turning off a seasoned cybersecurity jobseeker.
- Be clear. Write incredibly clear and specific job descriptions. Make sure that the required skills match the actual role. But, keep in mind that not all candidates can deliver every skill. Additionally, jobseekers want to see that responsibility for cybersecurity is clearly defined among the CIO, CISO or other offices.
- Be realistic. Recognize the limitations of what a single candidate can bring to the table and be smart about building a well-rounded cybersecurity team across skillsets and disciplines.
- Go beyond technology. Jobseekers want to protect people and their data. In order to attract them to your organization, you need to view cybersecurity more broadly than just technology. Those who invest in training and certification for cybersecurity employees will reap the rewards when candidates make the final decisions of where to set their roots.
- Be real. Don’t just talk about valuing security. Be real about your security goals and invest in the people and technology that will bring those goals to fruition. Professionals are looking to see how quickly you’ve responded to incidents, how efficiently you’ve handled remediation and how high employee awareness levels are. You can’t fake that data.