According to RH-ISAC’s 2021 CISO Benchmark Report, 67% of retail and hospitality organizations expect their full-time employee count to be higher in 2022 than in 2021. Similarly, 70% expect their budget in 2022 to be higher than the previous year. This is good news for cybersecurity professionals racing to secure the digital-first world, but will organizations be able to find the staff qualified to fill these positions?
A skills shortage has existed within infosec for years, pre-dating the pandemic. Many organizations have traditionally viewed cybersecurity as an expense and have been reluctant to invest in the competitive compensation and continued professional development needed to retain qualified staff. This is slowly beginning to change as cybersecurity has become a high-profile business risk. Executives have seen the devastating impact of ransomware attacks and the costs associated with failing to prevent a breach. This, coupled with the increased digitalization of business functions for consumers and workers during the pandemic, has forced businesses to evaluate and strengthen their investment in infosec departments.
One of these significant investments is hybrid cloud architecture, which allows businesses to scale up their networks cost-effectively as needed. In the recent Benchmark Survey, CISOs ranked security for these environments among the most popular initiatives for 2022, but according to a recent study by the Information Systems Security Association, 39% of organizations are having difficulty filling cloud security roles. The problem is not limited to specialized positions, however: the same trend holds for roles throughout the sector, with 76% of organizations reporting difficulty hiring cybersecurity staff.
Recruitment and Retention with Diversity in Mind
A panel at the 2021 RH-ISAC Cyber Intelligence Summit that focused on diversity, equity, and inclusion discussed problems in cloud security recruiting and how individuals and organizations within the cybersecurity sector can work to mitigate them. For long-term success, cyber defenders need to invest in educating kids about the careers available and encouraging participation in STEM activities, but there are also actions companies can take in the short term to fill open positions. One is working with HR departments to ensure realistic job descriptions. The barrier to entry is often set too high: for example, an "entry-level" posting that requires 1-3 years of experience plus a CISSP certification, which itself requires five years of experience to obtain.

Organizations that want to retain talent need to invest in helping staff develop skills to remain relevant. Assisting employees with career planning and providing a clear path for advancement is essential for creating a pipeline to fill higher-level positions.

Another key to retention is compensation. According to ThreatConnect's 2022 Cybersecurity Under Stress Report, 67% of respondents have seen staff turnover increase in the past 12 months. The most common reason employees left? A better salary somewhere else. As staff develop their skills and take on additional responsibilities, employers need to consider matching salary increases and retention bonuses. Organizations that lack the resources for salary increases can instead focus on other key retention factors, such as workplace flexibility. In the wake of the COVID-19 pandemic, the ability to work remotely with flexible hours for child care and other home responsibilities is another driver in employees' decisions about where to work.
As employers look for creative ways to fill openings, it is important to broaden our idea of what someone in this profession looks like and not perpetuate stereotypes. The cybersecurity industry is extremely broad, requiring a variety of talents, many of which are not strictly within the technical realm. Check out RH-ISAC’s new podcast episode to hear from WiCyS executive director Lynn Dohm on the methods she has seen for promoting inclusion in cybersecurity.
Hiring outside the norm was also covered in the recent Cyber Thursday session by Kontoor Brands. Presenters John Scrimsher and Aaron Beuhring discussed breaking down barriers and misconceptions in hiring, such as requiring coding knowledge or a computer science degree. Some areas of cybersecurity do require deep technical knowledge, but the field spans such a breadth of domains that there is room for a wide variety of skillsets and backgrounds. Diversity of thought matters just as much: people with different perspectives ask questions that surface improvements an organization would never have considered if everyone in the room shared the same background.
Learn more about staffing and budgeting trends for 2022 in the full CISO Benchmark Report, available exclusively to CISO members.
Not a member? Learn more about how you can access industry trend data like the CISO Benchmark Report as an RH-ISAC member.