Have you ever wondered why the pace of cyber crime continues to skyrocket, despite millions of dollars being spent by organizations and government agencies on creating new cyber security jobs? One answer could be that there’s simply too much churn in the cyber security field, with cyber professionals changing jobs too frequently in search of higher paychecks. The bubble in cyber security jobs is encouraging people to look for better opportunities at exactly the wrong time, and that may lead to the detriment of the fight against cyber crime.
Perhaps a sports analogy will make things clear. Imagine a professional sports team – it could be football, basketball or ice hockey – in which star players constantly come and go, and in which even non-star core players are often traded away, with no rhyme or reason. Even worse, instead of focusing on the next game and the next opponent, players are too busy preparing to meet with their agents to discuss what their next step should be. It’s easy to see that type of sports team would never be successful, so why shouldn’t that be the case with cyber security teams as well?
Details on the new (ISC)2 report on cyber workers
The extent of the churn within the cyber security industry was recently cast into the spotlight with a new report by (ISC)2, the largest nonprofit membership association of certified cyber professionals. The report found that a staggering 84 percent of cyber workers are open to new opportunities or are already planning to change employers in 2018. In contrast, only 15 percent of employees plan to stick around this year.
The result, suggests the new(ISC)2 report, is that cyber security workers are not nearly as engaged as they should be. Much like the case with the earlier sports analogy above, cyber security jobs have simply become the stepping stone to higher-paying jobs elsewhere. Who has time to battle cyber thieves and hackers when you need to be working on your resume?
One problem with this churn in cyber security jobs is that recruiters are playing a major role in creating a bubble. Remember – recruiters only get paid if they can place candidates with new employers, so they have every incentive to keep cyber security jobs moving around as quickly as possible, much like a game of musical chairs. The more cyber security jobs that they can convince candidates to accept, the more lucrative their profession becomes.
And, indeed, the figures from (ISC)2 help to paint a distressing picture. In this survey of North American cyber security professionals, an unusually high number of workers (13 percent) were contacted multiple times per day about new opportunities. And another 8 percent of workers were contacted at least one time per day. No wonder there is so much churn with cyber security jobs – at least one-fifth of all cyber professionals are fielding calls and emails from recruiters on a daily (if not hourly) basis! A security operations center, instead of becoming a beehive of activity against hackers, has become a beehive of activity for recruiters!
How to stop the churn with cyber security jobs
Given this backdrop of the enormous churn in the cyber security industry, what steps can realistically be taken to keep cyber professionals at their organizations? Simply throwing more money at the problem is not going to help.
That’s because cyber professionals are not motivated primarily by higher compensation. In fact, according to the (ISC)2 report, higher salary was only cited by 49 percent of respondents as the reason for seeking out new opportunities elsewhere. Instead, 68 percent said that they wanted to work with an employer who valued their opinions and insights. And another 62 percent said that they wanted to work in a job where they were protecting people and data. Even working for an organization strongly committed to ethics (59 percent) scored higher among worker priorities than simply making more money.
So what are some of the concrete steps that organizations can take to make their workplaces and cyber security positions more attractive to employers? One step might be helping workers earn their security certifications and placing more of an emphasis on lifelong learning in computer science. This might convince some budding security specialists that their employer is taking a long-term outlook on their careers. After all, according to the (ISC)2 report, training (59 percent) ranked high on the list of what was important to them in selecting an employer and joining a security team.
Employers should also be re-thinking the types of work that their workers are actually doing on a daily basis. The (ISC)2 report suggests that a clear majority (81 percent) would like to be engaged in developing cyber security strategy. They view this as the true value that they can provide an organization. Thus, if they are only engaging workers in day-to-day activities like penetration testing, it’s easy to see how some employers might not be giving cyber security professionals the big picture about what’s possible within some security fields.
The link between cyber security jobs and national security
It’s easy to see how all of the churn with cyber security jobs could also have an impact on national security. Cyber attacks on the government are much easier to accomplish if government agencies can’t find the right cyber security analysts, or if job openings in information technology elsewhere are luring away the best and brightest within the public sector.
Information security analysts play a very important role in information assurance and maintaining the integrity of security systems. Organizations need to realize this fact and take every step possible to keep them satisfied with their security jobs. Failure to do so could lead to more churn, and that won’t help anyone. If organizations want to be serious about fighting cyber crime, then they need to be serious about retaining the best and brightest cyber security professionals.