Hiring Top Cybersecurity Talent | Addressing the IT Skills Gap Part 2

Jeremy Wittkop, CTO


“The secret of my success is that we have gone to exceptional lengths to hire the best people in the world.”  – Steve Jobs

The first instinct of many executives is that they want to hire the talent they need in all aspects of their business. This approach gives the organization maximum flexibility and control with respect to those resources, but it comes at a great price in the cybersecurity sector. There are plenty of other organizations willing to pay top dollar for top talent, and it has given rise to a cottage industry of cybersecurity mercenaries who move from job to job every 18 to 24 months, seeking the next big payday. While there is certainly nothing wrong with people constantly capitalizing on their skills in the open marketplace, the value of a cybersecurity leader who stays for two years or less is significantly diminished, as it is difficult to accomplish a lot in that time frame. The return on investment for the organization is realized when the cybersecurity professional is able to effect organizational and programmatic change that will simultaneously protect the organization from external threats and educate users to better protect the information they handle. It is difficult to effect that type of organizational and cultural change in 18 to 24 months.

There are certainly cybersecurity professionals organizations can hire that are not mercenaries, but they, by definition, are available far less frequently, and if they have a successful track record, command a higher salary even than the mercenaries, even when they have a similar skill set. Loyal employees tend to cost more than temporary ones.

“The competition to hire the best will increase in the years ahead. Companies that give extra flexibility to their employees will have the edge in this area.”  – Bill Gates

The race to attract this type of talent is ultra-competitive, and the best among them do not stay on the market long, so it is important to have a hiring apparatus that can find talent quickly and move to aggressively pursue that talent before it is employed elsewhere. If it is your goal to hire all of your talent directly, these three recommendations are foundational to your success with this strategy:

  • Ensure you have recruiters that are dedicated to sourcing the best cybersecurity talent possible. These can be internal or external recruiters.
  • Ensure your HR department is set up to attract and retain this type of talent. This may mean evaluating and providing compensation changes to match the open market more frequently than you do with other employees in the business. This also includes being creative with compensation packages that include work-life balance initiatives and less traditional benefit options.
  • Ensure you implement a holistic human capital strategy that challenges and develops team members. Cybersecurity professionals who do not have an opportunity to gain new skills and use those skills on the job will leave quickly.

Before moving on, the second point could benefit from further explanation. Traditional benefits packages like 401k matches and medical and dental benefits are expected in today’s marketplace. Forward-thinking organizations are looking for creative and flexible ways to attract and retain talent. Examples of this could be things like the pet insurance policies offered by InteliSecure because we have many animal lovers among our ranks who consider their pets family members. Therefore, we offer benefits to cover their pets’ health just as we would cover their spouses or children.

One benefit that has been the subject of much conversation recently is paid time off (PTO) policies. Some organizations are moving towards policies that do not track the number of days off a salaried employee takes and they may take as many as they wish so long as they meet their performance objectives. For companies using this strategy, they get the added benefit of not having to accrue a liability in the form of employee PTO, and not having to pay out any PTO if an employee chooses to leave the organization. Other ideas utilize a more traditional PTO structure with unlimited sick days, to combine the freedom and flexibility of unlimited PTO with the earned value of a more traditional system. Other approaches include floating holidays, paid maternity and paternity leave, etc. The point is that organizations competing for talent that is in short supply and high demand are finding that they must compete not only in terms of salary, but also in the way they view their team members and that can include re-imagining the nature of the employee-employer relationship.

When I was the leader of InteliSecure’s Managed Services department, the hiring strategy was the only option available to me as a service provider. Our organization was growing too quickly to train enough employees to fill the need, and I could not outsource the work due to the nature of our business. We were additionally challenged at the time being a small company not many people recognized, and as such, we had to get creative with our hiring strategies. We employed all of the tactics mentioned above as well as some others that were designed to capitalize on our location in Denver, CO as being a destination for many young professionals. We created a culture centered on what Colorado has to offer and created company-funded programs to encourage employees to experience activities like whitewater rafting and skiing. We experimented with things like “take your dog to work day”, which didn’t work out so well when our clients would hear dogs barking in the background. The point is, we listened to our team members and if we didn’t have a strong aversion to implementing a policy, we would try it out on a probationary basis. Some of these ideas didn’t go well and were quickly terminated, but some became important parts of our corporate culture and the way we work. We ultimately succeeded in hiring people who are, in my opinion, the best and the brightest individuals in the market, but we had to dedicate ourselves to that goal in order to do so.

Throughout the years, our organization has evolved and our programs have changed based on feedback from our team members, but the point is that we are always challenging what we are doing with respect to our human capital strategy in order to ensure InteliSecure is a destination for people who want to build amazing careers while enjoying life along the way.

Another important point relates to compensation reviews. Much has been written about the Millennial Generation. As a member of the Millennial Generation (technically) and someone who has spent a fair amount of time mentoring and directly managing the Millennial Generation, some of the things written about it are, in my opinion, fair and accurate, while others are not. The truth is many cybersecurity professionals are Millennials, and it is likely as we continue to attempt to address the skills gap, an increasing percentage of cybersecurity professionals in the workforce will be Millennials. Rather than bemoan the fact that Millennials often have a different set of career expectations than previous generations, it is important to accept that they will be an important part of your team.

Millennials have the reputation of moving between companies far more than other generations. In my experience, that has often been true, but it is not something that is inevitable. I believe Millennials simply view the employee-employer relationship differently than others do. Millennials, in my experience, value their contribution to the organization and they demand that the organization value their work as well. This means Millennials have a need to know why their work is important to the company and how it impacts the company’s mission. They need to feel connected and that the work they are doing has meaning to the organization and the broader community. The good news is that cybersecurity has great meaning and significant implications. The challenge is that leadership in organizations needs to communicate with this generation proactively in order to keep them engaged and keep them around.

Another important point is that Millennials have far less patience with their employers than past generations. Let me give you an example. Ross Perot founded Electronic Data Systems (EDS), which was a great IT services company. In the 1970s and 1980s, EDS pioneered the High Performance Low Experience (HPLE) model, which consisted of hiring smart people at less than market rates and training them to be experts in their field. In those times, it was common for EDS to tell employees that in exchange for the opportunity and the training, they needed to work below market rates for their skills for a few years, but eventually they would be paid at or above market rates. While the HPLE model is still being used in cybersecurity, Millennials are going to give you months, not years, to pay them commensurate with their skill set. This means that if you are executing that model, you must review performance monthly or quarterly rather than just annually, especially early in the cycle, and be prepared to pay people what your competitors will pay them. If you do not, you will simply be training your competition.

Hiring is an expensive and time-consuming proposition. Retention is an important piece of the puzzle if your strategy is predicated on having your cybersecurity program operated by internal employees.

In the next section we will explore cultivating your talent, which is closely related to the hiring strategy but, in larger organizations, can also be accomplished by teaching cybersecurity skills to current employees in other parts of the business.