I’ve written previously about how I believe a team’s expertise and talent are the most important factors in determining the success of a cybersecurity program. I’d like to elaborate a bit more on how I think that is affecting the marketplace for cybersecurity expertise and what it means for people operations.

To summarize my previous thoughts: Cybersecurity is adversarial, wherein the attackers and defenders are humans at keyboards. In that contest, the skill of the human operators has the most impact on which group prevails. Specifically, expertise, talent, and critical thinking are more important than tech stacks, resources, or other variables. It’s not the numbers on your team, but who is on the team.

We are starting to see companies with leading security programs explicitly acknowledge this in their headhunting and compensation strategies. These organizations are able to distinguish great talent from average practitioners. They understand the value of great talent, and they are willing to pay generously to recruit and retain it. Anecdotally, we are seeing this in how headhunters approach and engage with our engineers.

Publicly available pay data also shows this trend. Controlling for years of experience and location, an informal review of tech salary website levels.fyi indicates that technology companies with cutting edge security programs (such as Google, Meta, Netflix, etc.) offer compensation plans of 40% – 300% more than more traditional industries (finance, manufacturing, energy, retail, etc.). In fairness, the same data also shows that the first group offers higher compensation for other positions, but the disparity is much smaller. The proportionally higher compensation for security expertise is evidence that these companies recognize the value in recruiting top talent.

These trends may create uncomfortable conversations for security leaders who are struggling to recruit, and in particular recruit top talent. Organizations with less flexible human resources processes may struggle to update their compensation and benefits packages at the same rate the market is changing. According to technology job vacancy aggregator Dice, salaries for cybersecurity analysts increased an eye watering average of 16% between 2019 and 2020 (https://marketing.dice.com/pdf/2021/Dice_2021_Tech_Salary_Report.pdf). Many organizations will be unwilling to increase their compensation for new candidates so quickly. Similarly, many will struggle to offer such raises to their current team to assist in retaining them.

Organizations that are able to adapt to the rapidly changing talent marketplace will therefore have a marked advantage. Security leaders can respond to this phenomenon by identifying a recruiting counterpart(s) who can focus on cybersecurity talent. That person will then understand the specific considerations in recruiting cybersecurity talent. Therefore they will be an advocate for the security organization within HR/PeopleOps. Organizations that rely on generalist or IT recruiters tend to have greater challenges when acquiring cybersecurity talent.

Even if an organization is able to adapt quickly to changes in the talent marketplace, the demand for cybersecurity professionals still outstrips the supply. Recruiting and retaining top talent is likely to become an increasingly expensive endeavor. Many organizations will need to adapt their approaches to compensation, benefits, and employee quality of life in order to compete in this environment.

If you’ve experienced pain points in recruiting and retention you may need to have uncomfortable conversations with your executive team before you can start addressing the problem. What is your spend on people compared to technologies? If you want the best talent, is your compensation competitive with technology leaders? Given the speed with which the talent marketplace is changing, do you monitor those trends and adjust your compensation quickly? Do you know what your current team could make if they went somewhere else? What about your other benefits? Do you enable your team to live and work where they want? Organizations that apply traditional, slow HR processes around compensation and benefits will find themselves unable to compete in this market.

This is the final article in a three part series looking at cybersecurity program strategy from a big picture perspective. Previous installments can be read here and here.