Skilled, experienced cybersecurity professionals can write their own tickets. Researchers at the Center for Strategic and International Studies found, as of January 2019, the U.S. had a total cybersecurity workforce of 716,000 — and 314,000 unfilled positions. Moreover, the CSIS estimates that there will be 1.8 million unfilled cybersecurity positions worldwide by 2022.
If you are operating or establishing a security operations center (SOC), this means hiring and retaining cybersecurity talent is probably a challenge. You’re competing with other security service providers, government agencies and enterprises for security analysts and other professionals with experience in threat detection, incident response and SOC management.
When you find the perfect candidate to fill a role at your company, the next challenge will be keeping them. The State of Cybersecurity Report by ISACA, a global association helping individuals and enterprises achieve the positive potential of technology, reports that the top three reasons cybersecurity professionals change jobs are better financial incentives, promotion and development opportunities, and a better work culture or environment.
Here are three things to keep in mind as you work to find, recruit, and retain the skilled SOC staff you need.
1. Focus on Candidates with the Right Qualifications, Not a Diploma
There are a lot of businesses and agencies scrambling to fill cybersecurity positions, but for many of them, cybersecurity isn’t their core business. They may not have the edge you have as an IT professional to understand and assess a candidate’s skills or potential.
In an interview with TechRepublic, David Jarvis, security and CIO lead of IBM’s Institute for Business Value (IBV), points out that there are some roles in cybersecurity that don’t require a traditional, four-year university education. “You can come in from the military, you can come in from a community college background,” he says. “It’s really about the skills and what you can actually do with hands-on skills as opposed to a university education.”
Jarvis adds that in addition to the right technical skills, you also want to look for people who are problem-solvers, good communicators, methodical, and committed to life-long learning.
2. Create an Attractive Compensation and Incentive Package
You may need to adapt your hiring practices to attract an in-demand, skilled professional. Make sure the salary you offer aligns with candidates’ experience and expectations. Glassdoor shows that salaries for cybersecurity professionals span a wide range. The average cybersecurity professional in the U.S. makes $36,664 per year, but filtering results by company shows salaries well over $100K. You will need to do some research to determine the salary you need to offer to attract the skill and expertise you need.
Also, build a competitive package to accompany your salary offer that includes benefits such as healthcare coverage, 401K, and paid time off. You may want to consider offering career development, training, and covering the costs of certifications. Flexible schedules or telecommuting, if possible, may make choosing to work at your company more enticing.
3. Build Your Retention Strategy on More than Money
A recent study by Enterprise Strategy Group and Information Systems Security Association found that CISOs, on average, only stay in a position for 24 to 48 months. Although most left to take positions with better salary and benefits, 36 percent left because they weren’t a good fit for the company, and 34 percent left because they didn’t have a voice in decision making.
From the outset, manage your new cybersecurity hires’ expectations about their role and your company’s organization and culture. Also, take care not to overload your cybersecurity team with excessive responsibilities, long hours, and inadequate time to rest and recharge. You could burn out your most valuable resources and watch them leave for other positions where the stress level is lower.
Alternative to Staffing Your Own SOC
If inadequate resources are holding your SOC as a Service offering back, you may want to partner with an established SOC for outsourced services. This may provide at least an interim solution that enables you to take a SOCaaS offering to market and get your clients the cybersecurity services they need now.