As part of our “security takes a village” focus, we are exploring how stakeholders other than a dedicated cybersecurity or IT team can help keep your organization secure. In this post, Alyssa Miller, ActZero Networks’ Human Resources Manager, discusses a cybersecurity consideration with implications for HR teams: the cybersecurity talent shortage. She outlines how concerns can be overlooked by organizational leaders given the absence of a cybersecurity knowledge center on either team; the difficulty of solving the problem through traditional means (hiring people/training internally); and impacts to KPIs (such as employee churn & satisfaction) in the event of a breach – which can be more likely with the absence of security personnel.
As the person responsible for recruiting our own cybersecurity people, I have experienced this talent shortage firsthand. Working at a cybersecurity company means I hear all the reasons for the shortage when I complain about it: there are more breaches, more news coverage of breaches, and more awareness among company leaders… but I think another reason is that this industry and the skills required to participate in it are constantly changing/evolving, and computer science programs are having a hard time keeping up as a result. More and more schools are offering a dedicated cybersecurity program, but they still aren’t as common as general IT programs with a cybersecurity course or two.
This problem is especially difficult for small to medium-sized businesses working on a budget. Even if you can afford an established professional, how do you assess their qualifications? This is easier for me because I’m always looking for cybersecurity talent. I’m thinking about the HR generalist at a small enterprise, who has never hired for that role before. Would their IT team be able to give them guidance? And, if they were able to, would the business need to hire a security analyst in the first place?
Why consider recent grads? It’s not that there aren’t established cybersecurity professionals – it’s that the demand is so high that unless your business has very deep pockets, it can be tough for you to attract seasoned talent. If you decide to go down that route, another problem you can face is how to nurture and train this person. With dozens of cybersecurity certifications out there, how do you know which are the most important for your business? Can you afford to hire someone equipped with these certifications or the cost of sending someone to attain them?
This all boils down to keeping these employees satisfied in a competitive market. It has less to do with any employee satisfaction score your HR team may be scored upon, than with reducing the chance of churn. I know many recruiters who are scored on their company’s ability to retain employees. Will you be able to keep these hires if you can’t help them grow? You are also faced with the risk of an employee leaving you for a larger enterprise even if you do invest in their training and certifications – which can leave you back at square one.
As my HR peers know, a go-to alternative when you can’t find external talent is to find interest internally and move them laterally or promote them. Unfortunately, the concerns of nurturing and training for new hires stand (and are probably more pronounced) for such an internal candidate. All this is to say that it’s a bit of a perfect storm right now. There is a need for this talent, and because everybody is aware of it, the supply of qualified people is limited, and the certifications and training required is expensive. This ends up leaving the companies who need it the most without access!
What should you do about it? Well, when my friends in HR ask for help, I tell them to consider our service instead 😊. Sure, I’m biased. But I think different teams are considering services instead of a dedicated full-time employee more and more. If this talent shortage continues, they may have to!