(ISC)² – the world's largest nonprofit membership association of certified cybersecurity professionals – published the report Hiring and Retaining Top Cybersecurity Talent. Based on a blind survey of cybersecurity professionals in the United States and Canada, the report reveals low numbers of highly engaged workers. Only 15% of respondents say they have no plans to switch jobs this year, while 14% plan to look for a new job and 70% are open to new opportunities.
The data suggests that unmet expectations between organizations and their cybersecurity workforce – during the hiring process and time on the job – combined with high demand for security skills and frequent contact from recruiters, may be encouraging many cybersecurity professionals to consider new opportunities.
"The cybersecurity workforce gap is growing rapidly, and turnover within cybersecurity teams makes filling those roles even more challenging," said (ISC)² COO Wesley Simpson. "It is more critical than ever for organizations to ensure their recruitment and employment retention strategies are aligned with what cybersecurity professionals want most from an employer. Our study sheds light on what motivates cybersecurity jobseekers and what's most important to them for professional and personal fulfillment. Armed with this insight, employers can do a much better job appealing to top cybersecurity professionals, and retaining their talent and expertise for the long term."
Key findings from the study include:
- When asked what's most important for cybersecurity professionals' personal fulfillment, salary (49%) is not the top priority
  - 68% want to work where their "opinions are taken seriously"
  - 62% want to work where they can "protect people and their data"
  - 59% want to work for an employer "that adheres to a strong code of ethics"
- When asked what's most important for cybersecurity workers' professional goals, respondents identify the following:
  - 62% want to work for a company with "clearly defined ownership of cybersecurity responsibilities"
  - 59% want an employer that "views cybersecurity more broadly than just technology"
  - 59% want to work for an organization that "trains employees on cybersecurity"
- When asked what best describes the value they bring to an employer:
  - 81% say "developing cybersecurity strategy"
  - 77% say "managing cybersecurity technologies"
  - 69% say "educating users about cybersecurity best practices"
  - 67% say "analyzing business processes for risk assessment"
- When asked what skills they use most on a daily basis:
  - 58% say network monitoring
  - 53% say security analysis
  - 53% say security administration
  - 47% say intrusion detection
What Employers Need to Know
The report also identifies how employers often fail to impress cybersecurity jobseekers and staff, as well as how aggressively their cybersecurity workforce is being pursued by recruiters.
- Respondents said vague job descriptions (52%), job descriptions that inaccurately reflect responsibilities (44%) and job postings that ask for insufficient qualifications (42%) demonstrate an "organization's lack of cybersecurity knowledge"
- Cybersecurity workers believe their performance should be evaluated by:
  - How quickly they respond to a breach or security incident (43%)
  - Security program maturity (30%)
  - How effectively they increase employee security awareness (30%)
  - How effectively they handle remediation (28%)
- Cybersecurity professionals are being aggressively targeted by recruiters with 13% saying they are contacted "many times a day"; 8%, once a day; 16%, a few times a week; and 34%, a couple times a month
- 85% of cybersecurity workers would investigate a potential employer's security capabilities before taking a job, and what they discover would influence their decision
  - 52% are more likely to take a job with an organization that takes security seriously
  - 40% will work for a company that needs security improvements
The report offers additional insights into the cybersecurity workforce, as well as advice on how employers can better appeal to cybersecurity professionals.
The findings from this study are based on a blind survey of 250 cybersecurity professionals within the United States and Canada conducted by Market Cube, LLC on behalf of (ISC)² in December 2017.