Is the way we recruit exacerbating the skills shortage?

According to the (ISC)2 2022 Cybersecurity Workforce Study, there are an estimated 3.4 million vacancies in the cybersecurity sector, which equates to a 42 percent shortfall as the global cybersecurity workforce is said to total 4.7 million. This has led businesses to compete in earnest over a small pool of talent, and as a consequence more cybersecurity professionals are changing jobs than ever.

Gartner predicts that by 2025, a quarter of cybersecurity leaders will change jobs and this creates a destabilising effect that then elevates risk. The Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.

A vicious circle

Unfortunately, this high staff turnover then sees organisations limit the very initiatives that could help with retention, creating a vicious circle. The business fails to see why it should invest in employees who are deemed a ‘flight risk’ and so limits training, mentorship programs and job rotation, for example, which the (ISC)2 study says directly lower staff shortages. It found only 49 percent of large organisations that had implemented these initiatives had staff shortages, compared to 77 percent of those that hadn’t.

Other factors included whether there was a good relationship between the hiring manager, HR and the recruiter. Where this broke down, staff shortages were again higher because there was no clear communication. This meant job descriptions were composed that didn’t meet the needs of the hiring manager or were out of step with the market and so were unrealistic in their expectations.

Once they’ve secured a candidate, however, it’s not just training and job progression that businesses are failing to address. Many within the industry point to the high stress levels as another contributory factor. In fact, an unhealthy work culture was blamed by 25 percent for them leaving a job within the last two years, followed by feeling burnt out (21 percent) and a bad work/life balance (19 percent).

Pay not the primary driver

In many ways this is good news for businesses because it means it’s not just a case of who has the deepest pockets. Rather, candidates also value the workplace culture, which the (ISC)2 report defines as inviting and valuing employee input, where their opinions were heard and needs met. It found happier employees also regarded themselves as more productive, more highly motivated and more likely to stay within the organisation over the next few years.

So, what should businesses be doing to improve their recruitment drives and to boost retention? Firstly, look to get a grip on turnover rates. How often are you losing staff? Perform exit interviews and use these to see where there are deficits in meeting employee needs. Secondly, look at how well teams are functioning internally and whether there are effective communications between security leaders, HR and recruiters. Chances are that if you are going through a large number of candidates but not filling those roles, the job descriptions are off-key.

Get proactive

Next, take a proactive approach and seek to improve working processes and the workplace culture. This may be by using automation or providing staff with tools to ease workloads and reduce stress. There’s now widespread evidence that generative Artificial Intelligence (AI) can be used for everything from code review to GRC documentation to summarising reports, for example. Set up processes that positively encourage employee contributions and ensure that these are actioned, and where possible adopt flat hierarchies so that members of the team don’t feel there is a gatekeeping culture.

Finally, do invest in personal development and career progression. Today, only half of organisations are reimbursing professionals for third-party exams, which seems far too low. Provide career development opportunities and mentors that can help staff to grow. The motivation for earning certifications is usually down to either a desire to improve skills (64 percent) or to stay up-to-date with current trends (53 percent). In fact, only 15 percent took a certification in order to apply for a job outside the organisation.

The (ISC)2 survey found that twice as many people would prefer an internal promotion over getting a new job, so cyber professionals don’t want to perpetually move jobs. If they feel valued and invested in, they’re much more likely to stay.

Jamal Elmellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency. He has specific expertise in and is adept at designing and delivering secure, scalable and functional ICT services.

Prior to joining Focus on Security, Jamal built a successful Security consultancy and as CTO delivered secure ICT services for both government and private sectors. He has also fulfilled the role of Lead Security Architect and Assurance practitioner within sensitive government departments and blue chip organisations.

Jamal has almost 20 years’ experience in the field and is an ex CLAS consultant, Cisco and Checkpoint certified practitioner.
