Cyber Talent: Companies Struggle to Compete for Skilled Workers

April 26, 2017 | WSJ Pro Cybersecurity

Peter Metzger, a headhunter, tells his corporate clients he can find them the most accomplished and experienced cybersecurity workers but then moves to discuss a competitive salary and benefits.

"I say, 'I know them and their compensation looks something like this,' and I hand them a piece of paper with the number and they gag, and I say, 'Where is your limit?'" said Mr. Metzger, a vice chairman and cybersecurity and business-risk expert at DHR International, a global executive search firm. He categorizes the worker shortfall as "somewhere between serious and acute."

It's not just the top talent that is being sought out by companies trying to fill a growing number of cybersecurity jobs. A report from consulting and services firm Booz Allen Hamilton and the Center for Cyber Safety and Education forecast a worldwide shortfall of 1.8 million cybersecurity workers by 2022, an increase of 20% from the group’s previous shortfall prediction made in 2015. A survey of IT executives and managers by cybersecurity firm Trustwave found 57% said finding and recruiting people to work in cybersecurity is their biggest challenge.

And many of those who have jobs in cybersecurity don't have the requisite skills, another sign companies are scrambling to find people. A survey of cybersecurity professionals by Isaca, an advocacy group for information security professionals formerly known as the Information Systems Audit and Control Association, found 25% said cybersecurity job candidates lack the technical skills needed, while 45% said candidates don't understand the business of cybersecurity. Any cut in the number of H-1B visas that allow companies to bring in tech talent from overseas--something the Trump administration is considering--could exacerbate the problem by shrinking the available talent pool even further.

"New people entering the workforce are not at the numbers we need, nor do they have the level of technology and operational capabilities we need," said Patrick Gorman, head of strategy for CyberGRX, a cyber risk management firm.

During his time as chief information security officer for Bank of America, Mr. Gorman said close to 2,000 cybersecurity people were hired by the bank. "All we were doing is raiding each other. If they were at another big bank, I would raid them and they would raid my people," he said.

Shortage Boosts Salaries

That competition is driving salaries higher. A bulletin put out in March by SilverBull, an IT cybersecurity recruiting and staffing company, found the median average salary for a chief information security officer was $223,000, up from the $204,000 the company posted in a bulletin two months earlier. The number is higher for CISOs in major cities, with those in San Francisco getting an average salary of $421,000 and those in New York $406,000.

But raiding and competing for the same limited pool of people doesn't solve the larger question of how to get more people trained to work in cybersecurity. A pipeline is beginning to develop as universities launch degree and certificate programs in cyber-related fields and more people enroll in such programs. The military and government remain robust training grounds where people can acquire advanced skills and then transition to the corporate world and a higher paycheck.

Dave Mahon, chief security officer at telecommunications company CenturyLink, said former military people are in demand because they have a more holistic view of cybersecurity that comes from their military training. In the military they had to consider issues not just from a technology or cybersecurity view but had to factor in political considerations and geopolitical concerns, giving them a broader perspective for the implications of taking certain actions.

"I love to recruit from the military," he said. "There are ways to recruit them, and certain headhunting firms specialize in transitioning military personnel to corporate America."

Some companies are taking existing workers and retraining them to work in cybersecurity roles, and other firms are hiring outside companies to oversee their cybersecurity--or reducing their need for additional manpower by relying on machine learning, artificial intelligence and other automated tools to monitor and react to any cyberthreats.

"Companies are always looking for good people" and that will still be the case even amid growing use of non-human resources, said Nathan Burke, vice president of marketing at Israel-based cybersecurity firm Hexadite. "Even if you have a bunch of analysts and start using automation, you wouldn't lay them off but would make them work on something more interesting." And even if companies could rely on AI and other technologies to handle their cybersecurity, they still would need people to run those systems, said Eran Barak, chief executive at Hexadite. And if there aren't enough people trained to work in that area? "Then we will have a real serious problem," said Mr. Barak.

Mr. Mahon agreed, saying while it's "going to be substantial to have technological solutions," employees also are going to need better training to give them a more well-rounded view of what cybersecurity entails. "The profession has to evolve. There was a time when you could be a good accountant with a two-year degree; now you need to be a CPA, combining certifications and training to be a more holistic thinker," said Mr. Mahon. "That's where the cybersecurity industry has got to move."

Other Ways to Compete for Staff

For companies trying to retain their cyber staffers, especially those with small budgets that can't compete on dollars alone, all is not lost. Ron Sanders, a vice president and fellow at Booz Allen Hamilton who previously worked as an associate director of national intelligence at the Office of the Director of National Intelligence, said many people are attracted to the cybersecurity profession by the challenge of the work and to the mission of fighting bad guys, and government departments and companies can use that to their advantage.

"Surveys show, and our own ground-level experience validates, that money is not the only thing and not the most important thing in many cases," said Mr. Sanders, especially for Millennials and military veterans. Organizations that can't compete on pay need to focus on a "value proposition" that appeals to a person's sense of mission, highlights the cutting-edge nature of the work they will be doing and emphasizes opportunities for advancement and the chance to work on different projects. Even then, many will leave for other opportunities.

Mr. Metzger said offering flexible work hours, the ability to telecommute and generous vacation and time-off perks can go a long way to convincing young people to take a job with lower pay. "Don't rely on compensation alone; find other ways to attract people," he said. "People want to come where it's cool, where they have cool projects, cool tools, and technologies."

In the old days, companies would invest in an employee, send them to school, move them around to various jobs to hone their skills and, in return, would expect that person to work for them for 15, 20 years or more. "But we know Millennials just don't do that and employers had to learn that it's OK" to provide opportunities even if an employee doesn't stay married to them for their entire career, said Mr. Sanders. "In the case of a cybersecurity workforce, a rising tide helps all boats."

Another area where companies can do better to recruit and train the next generation of cyberworkers is focusing on women, minorities, veterans and older workers, said Mr. Sanders. A report from PwC released in March found women make up 11% of all information security workers globally. "Employers have some obligation to partner with high schools and colleges ... if nothing else it helps the kids realize how exciting and lucrative a cybersecurity career can be," he said. "Companies and government agencies can collectively put the spotlight on cybersecurity careers. Universities at the undergraduate and graduate levels--even at the community college level--need to do a better job of providing graduates with real hands-on cyberskills."