It’s no secret that there’s a huge talent shortage in the security space today. With a low supply and high demand, salaries have surged, increasing 6.4% from 2015 to 2016. (That’s an even higher salary growth than software engineers are seeing.) And there is no end in sight. For companies that recognize how important it is to keep information and systems secure in today’s business climate, it’s important to find workable strategies for hiring and retaining security talent in spite of this shortage.
While most organizations would benefit by developing a full-fledged, multi-faceted recruiting and retention strategy, we want to share a few more tactical ways to help bridge the talent gap in the shorter term.
Build Relationships With Local Universities
Hiring interns can help you temporarily increase bandwidth, but it’s not just a way to increase productivity in the summer. If you build a strong pipeline of candidates through an internship program, you can make sure that you have a steady influx of talent into your company year after year. While you can’t build your entire security team with junior talent, identifying and grooming young “pre-professionals” can increase your team’s capacity and success in the long run. Our own experience hiring interns has been richly rewarding for both the interns and Threat Stack, as documented in this post about Michael Chen, who deferred graduation from Harvard to work with us.
Of course, hiring and cloud security training take time. You want to make sure that your interns are well-supported, that their roles are clearly defined, that their work is meaningful, and that they have an opportunity to show initiative and experience growth. If interns enjoy their summer or semester work programs and feel integral to the success of the company, it’s far more likely that they’ll want to return for a full-time position upon graduation. (And keep in mind that their positive word of mouth will spread among both students and faculty when they return to school.)
Also — and this should go without saying — paying your interns is a very, very good idea. In many cases, it’s illegal not to, but more importantly, compensation indicates that you value their time, knowledge, ability, and effort. This will also increase their likelihood of considering your company as a place to work after graduation. (For guidance on paid vs. unpaid internships, see the general information provided by the U.S. Department of Labor.)
A high percentage of North American universities and colleges have internship programs of one kind or another, and each has specific regulations. For some great common sense guidelines, however, take a brief look at the program offered by the University of Virginia, which advises employers to:
- Recruit early
- Set learning and performance goals
- Make a plan — and be specific
- Assign a mentor and supervisor
- Provide adequate resources
- Check in regularly, provide lots of constructive feedback, and give interns an evaluation before they leave your company
If you’re interested, take a look at the university’s full guide for more detailed information on how employers can build and maintain a high-quality relationship with the school’s internship program.
Think Outside the Comp Sci Box
Get creative and look outside the traditional profile when you search for interns, entry-level hires, and even lateral candidates (people who are interested in switching careers beyond entry level). Contrary to popular belief, computer science majors are not the only viable candidates for security jobs. Think instead about the qualities you absolutely need in a security candidate. Some of the traits we look for include:
- Interest in security
- Ability to be a team player
- Detail-oriented nature
- Analytical mind
- Leadership skills
- Communication abilities
Rather than just looking for people with tons of experience in the security space (which, let’s be honest, is difficult to find), searching for a profile of skills, knowledge, and character assets that lend themselves well to the security role can help you broaden your talent search and have more success.
Naturally, you will need to train and support these employees, but if you can do this successfully, balancing nontraditional hires with the deep expertise of security veterans can help you push past the talent shortage, build a well-rounded team, and gain a competitive edge.
Anticipate and Prevent Burnout
One of the most important things you can do to retain security talent is to identify and understand the factors that lead to burnout and mitigate them as much as possible.
As you probably know, alert fatigue is a big problem in security today. If you hire security analysts and their sole job is to sort through a never-ending barrage of false alarms, odds are pretty good that they’ll get frustrated at some point and leave. Instead, look for ways to balance the load among employees. You definitely don’t want to burn out talent to the point where you’re always having to hire and train new people, since this can be a huge drain on resources and is disruptive to operational efficiency. Over time, it can also affect your reputation in the security community and make it even harder to hire quality employees.
Also keep in mind the fact that, according to a recent Computerworld survey, security professionals are under more pressure than other roles to increase productivity and take on new tasks. Given the current talent shortage, this is no surprise, and in some cases these high expectations can’t be avoided. However, you want to make sure that you understand how much you are asking of your employees. High expectations aren’t a bad thing inherently, but you don’t want to push people to the point where they are frustrated and feel they can’t succeed.
Instead, work collaboratively with your security managers to understand the team’s overall workload and balance it out as well as you can, using appropriate technology to reduce busywork and remove unnecessary strain from your valuable employees.
A Plan for the Future
Finally, as they say, be the change you want to see in the world. If your organization has the bandwidth, it’s a great idea to get involved in the security community. For example, attending career fairs and speaking at local conferences about how rewarding (and lucrative) security jobs can be is a great way to increase recognition for your company and slowly improve the pipeline of security candidates. You can write contributed opinion pieces for local and national publications (as well as your company’s blog!) about the value of security and the benefits of getting involved with the space. And there are many other ways to attract talent while increasing the visibility of your organization — as we’ll see in future posts.
While you won’t be able to solve the security shortage overnight, the ideas outlined above should help you overcome some immediate hurdles, and in conjunction with overall publicity campaigns about this vital discipline, help to steadily build your company’s reputation as a known entity that attracts and retains quality candidates at all experience levels.