How to attract and keep IT security talent

If you're struggling to hire and retain security talent, consider this advice about what security pros really want. How does your organization measure up?

It’s a well-known challenge: Good security professionals are hard for IT leaders to find. It’s that much harder if your organization isn’t a particularly attractive place for security talent to work. If you’re struggling to fill open security jobs on your team, it may be time to revisit what you’re offering. And we’re not just talking about money.

“There’s a cybersecurity skills shortage that’s plaguing the industry,” says Elizabeth Lawler, VP DevOps security at CyberArk.


Lawler points to Cybersecurity Ventures’ estimate that there were 350,000 open cybersecurity positions in the U.S. in 2017. The firm has also predicted a global shortfall of 3.5 million cybersecurity jobs by 2021.

“If organizations are going to close this gap, they need to make their workplaces appealing to security talent – beyond a competitive paycheck or benefits package,” Lawler says.

That being said, employers need to be realistic about pay levels.

“Security is the most in-demand profession in IT right now, so companies need to be prepared to offer top dollar or, if they can’t, loosen up job requirements and be willing to look at more junior candidates,” says Jim Halpin, lead technical recruiter at LaSalle Network.


“No one is ever going to say money does not matter, but the best infosec professionals are not getting into the field to make money,” says Jim O’Gorman, president of Offensive Security. “They are here because they have a passion for it.”

We asked these experts and IT and security leaders to shed light on what security pros care about most when they’re job hunting. If you’re trying to add security resources or working hard to retain your security talent, take heed of their advice.

1. Security pros want to contribute tangible value


The best way to appeal to a security pro’s passion for the field is to show how your company will value their work and put it into practice. If you’re hiring for a siloed team that your developers and operations pros ignore, well, good luck with that.

Security pros want to know their work will matter, and that the company actually fosters a culture of security – rather than paying it lip service and then doing the five-alarm fire routine when breaches occur in production.

“The best way to fuel passion is actually to give your employees a chance to make a difference,” O’Gorman says. “There is nothing worse than working your butt off just to have the outcome put on a shelf and never used, or watered down in committee.”

2. Security pros want to know what makes your company different

Qualified security candidates are likely fielding multiple offers; they don’t just want another offer. They want to understand why they should work for you instead of the other shop.

That starts with ensuring that security is a visible priority in the company rather than an afterthought. This is one way in which candidates begin to believe that they will, in fact, be able to contribute tangible value. If your organization just seems like any other from a security perspective, that’s a red flag.

“Candidates want to understand and easily visualize how they will add value and fit into the organization, so have a story to tell them,” says Halpin, the LaSalle recruiter. “Whether it’s the freedom and opportunity to build a function of their own, working with a knowledgeable team they can learn from, or having autonomy to set the strategy, explain to candidates the opportunities your organization provides.”

George Gerchow, CSO at Sumo Logic, says the security and compliance team at his firm has tripled during the last year – no small feat given that they’re competing for people in Silicon Valley’s notoriously cutthroat tech hiring environment. It’s all about differentiation – the specific characteristics of your organization are bound to be attractive to someone.

“Our team sells itself by providing a unique workplace where transparency and growth are a requirement,” Gerchow says. “Our team has three mantras that resonate with prospective employees: ‘Remain agile, automate yourself out of a job, [and] make decisions at every level.’ This provides an environment where everyone is empowered to learn rapidly, make business decisions, and grow into other positions.”

3. Security pros want real opportunities for continuous learning

Speaking of growing into other positions: Security pros don’t just want to know how they can help your organization. They also want to know how you can help them.


“Security professionals are going to be attracted to organizations that prioritize transformational initiatives – and security for the new stack in particular – but it’s equally important to recognize that technology moves fast and no one wants to be left behind,” Lawler of CyberArk says. “Candidates should know that your organization is committed to advancing their skills, so professional development around areas like microservices is key to attracting ambitious talent.”

Learning on the job isn’t limited to experienced IT security talent; it also reflects a growing reality that security can be a great field for career-changers and non-traditional candidates, provided you’re open to them.

“Another attractive quality is our diverse team that looks for talented and enthusiastic people who may not have a security background, but more importantly, have the aptitude and attitude to align with our vision and execute,” Gerchow says. His firm often looks for military veterans who are interested in breaking into the software industry, for example.

“Many of these folks bring operational rigor from high-pressure situations and know how to work together as a team,” Gerchow explains.


4. Security pros don’t want to be micro-managed

If you were dealing with people who were motivated by money – and you had a bottomless pocketbook to keep them coming back – then we wouldn’t be here. But that doesn’t describe most security pros. That’s kind of the whole point.

Command-and-control micromanagers, bureaucracy, and recurring, low-value tasks are recruiting and retention killers when it comes to security talent. Well-defined goals and parameters, as well as the trust and freedom to achieve them, prove crucial.

“When you are there because you have passion, things like busy work and micromanagement kill morale and make the employee give up on making a difference,” O’Gorman says. “If that happens, you better hope you have competitive wages – otherwise there is nothing there to retain the employee.”


Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.