The media loves a good talent crisis story and headhunters love to pile it on. And why not? Fear is like a giant thunderhead that rains down fees for recruiting firms. You’ve probably seen the stats. There are 1 million unfilled InfoSec jobs worldwide which will increase to 1.5 million by 2019. From 2017-2021, expected spending on Cyber-related products and services will reach $1 trillion. Cyber Security jobs are up 74% over the past 5 years and will rise another 53% through 2018. The Cyber Security unemployment rate is basically zero with two roles needed for every qualified candidate. All of this is music to my ears, but I’m one of the only ones.

Instead of the scare tactic article that has become so common in the Cyber field, I’d like to provide a few tips to ease the burden for companies looking for talent in this radically changing and fast growing field.

  1. Present a competent approach to your Cyber Security Program. In terms of Cyber Security hiring needs, the U.S. is #4 on the list of countries. #1 is Israel. Why? Partly because of the longstanding emphasis that Israel places on Security in all areas of life. It’s ingrained into the very culture of the country. Your company could do with a small dose of this priority. When talking to an organization about a CISO role, I often present a simple graph to the CEO. On one end of the graph is the word “Lax”, and on the other is the word “Hyper”. I ask that CEO to put a simple dot on the graph as to where he/she thinks the company needs to be in the Security spectrum. It’s a basic, yet critical exercise. I repeat the exercise with other executives in the company. The message is simple – where you are on the graph isn’t so much about fervor, or lack thereof, it’s more about everybody being on the same page. Security professionals are highly sensitive to a company’s approach to their Programs, and they know where the good ones are. If a company presents a unified and cohesive approach to its Program, it’s ahead of the game and can attract qualified talent much easier.
  2. Recognize that Security is so much more than tech. When talking to a CISO, I always ask him/her to give me a weekly breakdown of where their time is spent. If their time isn’t basically 50/50 between tech and the business side, I know we’ve got a problem. I think most people still believe Cyber Security to be primarily a tech issue. It may not be sexy, but healthy areas of Compliance, Privacy and Training can do wonders for an overloaded tech staff and investments in these areas can help prevent a breach every bit as much as a good firewall architect.
  3. Do not post insane job descriptions online. This seemingly simple area is a major no-no for competent Security professionals. Show your knowledge of your Program by understanding what the jobs really require. Your Security Analyst doesn’t need to have a CISSP. Your Architect that you covet isn’t going to have a full-fledged background in Firewall, Mobile and Cloud, and your Security Team Lead isn’t going to do patches. Ridiculous job descriptions are a sure way to make certain that Security professionals in your area stay away for your company.
  4. Train internally. The thing about Security that is so tricky is it tends to scoff at traditional lines of business. Different methods of attacks and breaches can come from the CEO’s assistant, salespeople in the field connecting to WiFi, your IoT-based office printer, and the list goes on and on. Some people within a company just have a knack for Security. Find them and set them on a course to a job that will set them up forever. This approach breeds loyalty and it’s a powerful tool in retention.
  5. Get out your checkbook. If you’re doing pretty well in points 1-4, congrats! There are some other companies that are doing well, too. Don’t lose the race on the last step. Let’s keep this one simple. If you won’t pay a premium for your Security staff, it won’t be great. Money talks.

Hiring in Security is just like doing Security. The right combination of unified competence, creativity and cash can set your company apart, thus making it a known destination for happy Security professionals.