When demand outstrips the supply of any product or services, prices rise, and shortages occur. That’s an Economics 101 lesson. Those with a greater need or desire to purchase a limited offering will do so, and those with fewer resources will either end up going without or looking for alternatives.
Tech professionals charged with recruiting cybersecurity talent understand that theory quite well. The U.S. Bureau of Labor Statistics predicted the number of jobs in that space to increase 18% between 2014 and 2024. Between the headline-grabbing data breaches and the escalating threat of ransomware, those figures may be on the conservative side. Businesses want and need help.
Meanwhile, the pool of qualified professionals required to fill those positions hasn’t kept pace with the growth. In fact, the shortage of skilled specialists is forcing many providers and vendors to significantly boost the salaries and incentives included in their job offers and causing others to scale back their expansion plans.
The supply and demand issue is driving the cost of quality cybersecurity talent higher. As the old saying goes” you get what you pay for.” But how much should it cost a company to employ a skilled cybersecurity expert? The answer is usually a lot, but the amount can vary substantially by market and the proficiencies required to do the job.
For example, MSPs looking to hire talented IT security professionals in New York City will be competing with scores of businesses; including Fortune 500 companies, financial institutions, government agencies and many other organizations with very deep pockets. Wherever demand is hot for cybersecurity experience ̶ which is virtually everywhere today ̶ and the supply is low, hiring firms should expect their payroll projections to rise substantially. In the New York, for example, the annual average salary for a certified IT security professional is approximately $119,000.
Those investments are simply the cost of doing business. With a national average salary of $93,000 (which equates to more than $44.00 per hour), tech companies must carefully research the costs and availability of talent before developing cybersecurity strategies. The sticker shock might cause some to rethink their job requirements and stretch out their recruitment timelines.
If not, they may find themselves in bidding wars for recruits with multiple suitors. That’s never good ̶ the “winning company” often over pays for talent it didn’t properly investigate and screen, and the risk in those situations can be of greater concern than the much higher than expected cost.
Take a Step Back
Tech companies need to know what they're looking for before building job descriptions and kicking off their recruitment efforts. That starts with understanding each client’s specific security needs and developing baseline technical requirements that will address all those objectives. Would a level-one technician be able to handle some of those responsibilities? Which current employee or less experienced new hire could fill that role or serve as an assistant or second in command ̶ instead of recruiting two top-notch cybersecurity professionals to run a new practice?
After carefully researching the talent pool and developing an appropriate recruitment strategy, it’s time to execute. Finding individuals with those skills is usually the easy part. Most are already gainfully employed. They’re securing the networks and locking down data systems for local businesses and institutions.
Some are unhappy in their current roles and will likely be just as hopeless in a new one. That’s a good reason to build from within whenever possible. Tech companies should groom their existing talent and invest in the training and certification programs they’ll need to become cybersecurity experts. The trick is finding ambitious employees with strong loyalty and high job satisfaction. If properly incentivized and motivated, they’ll remain with the company long after their cybersecurity training is complete.
That may require a boost in the bonus and overtime budgets. Money is still a great motivator, but younger team members may prefer getting extra vacation days or a more flexible work schedule as a reward for their efforts. Smaller tech companies need to get as creative as the Fortune 500 in that area if they wish to retain and attract quality cybersecurity talent.
Those firms are also usually reluctant to promote from within when building out their practices because backfilling key positions is hard. But when the best-qualified employees are passed over based on their current value, many will end up feeling they’ve hit a promotional ceiling and leave. Successful tech companies reward for performance instead of limiting growth opportunities for their most productive team members.
There are no easy answers when it comes to filling the cybersecurity talent gap. CompTIA continues to boost its promotion of tech careers and support programs and, while those efforts appear to be paying off, it could take years to overcome the shortage in this area.
Know someone interested in tech jobs? Send them the CompTIA Cybersecurity Career Pathway, an article filled with insightful information and links to tools and other resources
In the meantime, every tech company should have a recruitment strategy. Not just to land top-notch cybersecurity professionals, but to attract entry-level technicians, sales, marketing and other team members. That takes time and vision.
Brian Sherman is president of Tech Success Communications, a channel-related content and social media development firm. He served previously as the chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at [email protected]