How to Attract and Retain Infosec Talent

Information security is undeniably a big conversation in this day and age. Costly breaches are on the rise and organizations are still scrambling to put out fires.

“Security breaches have become the norm, constantly forcing organizations to be on the defense,” said Jordan Lindsay, Kforce strategic accounts executive. “Breach attempts now dictate behavior within organizations, both for the business and technology.”

Here is a big number to consider:

 data breaches

For effective security posture, Lindsay asserts that companies must supplement measures with strategy, dollars and talent. “Information security has become a critical business strategy for organizations. More and more, companies ask themselves ‘how do we protect our data, customers and brand?’”

In fact, cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

Lindsay also notes there’s a new “trend in positioning chief information security officers within large organizations to establish ownership of security-related standards and execution.”

While companies are starting to put information security first, another looming crisis, bigger than malware and cyberattacks, has surfaced: a severe talent shortage.

Cybercrime will more than triple the number of job openings to 3.5 million unfilled cybersecurity positions by 2021.

Recent statistics report yet another dilemma—turnover. The Information Systems Security Association indicates that 49 percent of cybersecurity professionals are solicited for job opportunities once per week. In this candidate-driven market, experienced professionals are charmed by frequent and lucrative offers from potential employers.

The current state of talent management needs new solutions.

“Due to the risk associated with the need for top information security talent, employers are quickly realizing the high demand, low supply market and correlating talent attraction needed to find the right people,” said Lindsay.

“Partnership with talent solutions firms, which have expertise within information security, has increased with intent to bring on thought-leaders to assist in overall vulnerability management,” she continued. “Talent retention is a critical area of focus when finding information security expertise, and in most cases, the traditional offerings are not enough in this competitive landscape.”

Lindsay suggests that employers should communicate their brand as an entity that strives to exceed traditional offerings.

How to Attract & Retain Information Security Talent

Share your innovation story

Candidates want to be part of companies that are doing the next big thing in their space.

“Speak to how you have your customer and their data at top-of-mind,” said Lindsay. “Identify what you’re doing to get ahead of the curve as it relates to security posture, whether it be thought leadership or the fact you’re pioneering an initiative. These job seekers want to tackle innovative, challenging problems.”

Communicate your company’s goals

Effectively communicating your company’s objectives helps employees feel connected. Understanding the “why” behind initiatives gives purpose to work, a critical component of successful employee engagement and talent management. Frequent exposure to business initiatives, whether communicated or acted, should create an attractive culture where talent feels compelled to participate and contribute.

“Security professionals value a deep understanding of an organization’s goals for risk management efforts, whether it’s vulnerability assessment, privileged access, etc. This type of transparency ensures a positive impact when attracting and retaining talent,” Lindsay said.

Define a career path

Nearly 65 percent of cybersecurity professionals “struggle to define a career path,” per an Information Systems Security Association study. Informed hiring managers and employers should provide a clear career path for employees. In many cases, it can be a powerful retention tool.

Matching employees’ career goals with your business needs is the first step in building a defined career path, according to Fast Company. Implementing junior and senior positions within an organization is a typical next step. Mapping out requirements before employees move to a new skill level or position is a critical factor in identifying a path of growth.

Non-traditional methods can include tactics like job redesign and enrichment opportunities. Employers can also provide skills development and mentoring options to bolster job satisfaction.

Leverage external thought leadership

Leveraging external thought leadership ensures that employees’ skills and organizations’ posture stay on par with current industry demands. Most of all, fostering different perspectives within your organization creates a culture where open dialogue and discussion are encouraged. 

“Employers have realized gaps in high-level information security talent within their current organization,” said Lindsay. “Despite the desire for organic growth, the demand for highly-skilled information security talent has triggered a trend of attracting and retaining talent from other organizations whose information security posture surpasses that of the organization in need.”

An example of this trend could be knowledge sharing through a financial services firm acquiring talent from an innovative company like Amazon or Google, according to Lindsay.

“Companies have moved to a culture of acceptance and openness to expertise from other areas; motivated only to benefit the security standards of their organization,” Lindsay said.

Hire outside the box

Becoming an attractive company alone isn’t enough to lure candidates in this high-demand field. Employers seeking to build and maintain a pipeline of candidates can alleviate their talent demands by broadening their efforts to look beyond the typical resume.

Creating partnerships with universities that nurture young minds is an exceptional way to identify budding talent, fill roles for the long term and keep curriculums up to date with current field demands.

If you’re comfortable with hiring based on aptitude and the ability to train, consider reimagining candidates with different degrees and backgrounds. Remember, cybersecurity careers can span many disciplines, including business processes, regulatory compliance and more. Someone with a cloud computing background and an interest in security might be a perfect candidate for upskilling.

Develop a proactive culture

One of the most critical selling points for candidates is a company’s culture. For information security talent, it’s important to have a proactive company culture, Lindsay reports. 

“Employers are realizing the need for a culture of proactive response and greenlight thinking. Security posture encompasses the need to identify potential risk before it occurs. If an organization does not allow for proactive and open discussion as it relates to risk, it will be challenging to attract and retain best-in-class talent.”

Employees also desire to work within spaces that embrace their roles. A culture that aligns with job function gives purpose to employees’ work and their experience.

Employee engagement often influences talent retention: the better the engagement, the longer the service within a company. In fact, employees are six times more likely to be engaged and 8 percent more productive when given the daily opportunity to exercise their skills, Gallup reports.

Overall, the smartest investment a company can make is finding the right people. In this data-driven world, amid growing breaches and cyberattacks, organizations need to attract and retain talented information security professionals today. Organizations looking to remain competitive and protected must empower employees—the greatest defense to any threat.