It’s no surprise that the number and severity of cyberattacks continue to increase, with ransomware more than doubling in North America since 2019. These breaches cost companies an average of $4.24 million per incident.
Unfortunately, the current supply of experienced cybersecurity staff is not enough to meet the growing demand. The latest survey report from the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) indicates that there are more than four million unfilled cybersecurity positions globally. More than a third (38%) of respondents point to pay as the top contributing factor to that skills gap.
Compensation is Key
The report also states that cybersecurity professionals need fair and competitive compensation, and reiterates that it is critical to hiring and retaining top security personnel. Companies not offering competitive compensation is the top factor (38%) contributing to the cybersecurity skills shortage. More than three-quarters (76%) of organizations admitted having difficulty recruiting and hiring cybersecurity staff. Obtaining a higher compensation package is the main reason (33%) CISOs leave one organization for another.
In the U.S., LaborIQ by ThinkWhy research forecasts that computer and mathematical jobs, which include cybersecurity, are projected to grow 13.9% from 2021 to 2025, much faster than the 9.4% job growth average forecast for all occupations, and experience 13.1% wage growth in that timeframe. For example, the current LaborIQ recommended salary for a cybersecurity analyst in Dallas with four to six years of experience is $107,129 and is expected to increase 1.8% by the end of 2022.
Increasing demand—and thus, competition—for cybersecurity talent is seen in Virginia, Texas, Nevada, Maryland, California and North Carolina. In these high-demand areas, employers must ensure that their salary offers are based on current competitive compensation data.
Human resources and talent managers could consider supporting their organization’s critical cybersecurity needs by implementing programs similar to what’s offered by the National Security Agency (NSA), which offers paid developmental programs to attract, retain and keep employees current in their skills.
ISSA points out that organizations should be made aware of the following alarming statistics highlighted in the survey:
- 29% of respondents said the security team’s relationship with HR is fair or poor.
- 28% said the relationship with line-of-business managers is fair or poor.
- 27% of respondents said that the relationship with the board of directors is fair or poor.
- 24% said the relationship with the legal team is fair or poor.
The LaborIQ research indicated that the median salary for the cybersecurity analyst job title has remained steady at 1.0% compared with the same time last year. Based on the criteria selected, companies can expect to pay 9.0% more than the current median salary. Expect salaries to increase through the next four quarters. It is currently a job candidate’s market and will remain that way even as talent supply will remain steady through the next four quarters.
Among the list of metro areas to compare, the lowest recommended base salary for the cybersecurity analyst job title is $91,922 and can be found in Las Vegas-Henderson-Paradise, Nevada. Recruiting within this metro area would be the most cost-effective way to find talent. In this list, the highest recommended base salary is found in the Washington-Arlington-Alexandria metro area at $123,439.
Another key finding in the recent ISSA-ESG report is that human resources and cybersecurity teams need to align on business value. Nearly one in three (29%) professionals surveyed said the HR departments at their organizations likely exclude strong job candidates because they do not understand the skills necessary to work in cybersecurity. One in four also said job postings at their organizations tend to be unrealistic, demanding too much experience, too many certifications or too many specific technical skills. Nearly a third (30%) suggested CISOs try to better educate HR and recruiters about real-world cybersecurity goals and needs and 28% said job recruitment activities need to be more realistic when it comes to the typical levels of experience cybersecurity professionals have.
Effects of the Cybersecurity Skills Shortage
Top ramifications of the skills shortage include an increased workload for the cybersecurity team (62%), unfilled open job requisitions (38%) and high burnout among staff (38%). Further, 95% of respondents state that the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.
Notably, the three most often-cited areas of significant cybersecurity skills shortages include cloud computing security, security analysis and investigations and application security. These areas should be the focus for cybersecurity professionals when looking to develop skills.
For now, recruiters searching for candidates to fill open cybersecurity positions will find that it takes more time to find the right candidate, that a higher annual salary offer may be necessary and that their company may need to develop training to attract new hires and keep them up to speed.
Research into forecasted talent availability for this job showed it will remain tight over the next five years and will be accompanied by a steady increase in salary growth. Companies actively hiring for this role should consider recruiting in other metro areas and offering at least the recommended salary. Competitive compensation and benefits will help with recruitment and retention.