01.28.22
Adriana Perovic

How to Identify, Attract and Retain: 3 Steps to Solve Your Cyber Talent Problem

Threat actors show no signs of slowing down. And as long as they continue to make a profit, we shouldn’t expect that to change anytime soon. Unfortunately, those of us who aren’t actively deploying ransomware are stuck playing multiple roles: technology experts, defenders, and part-time psychics.

Along with that, cyber insurers are now placing more responsibility on the policyholder’s shoulders, making certain security controls non-negotiable if you want to be insured. It benefits both parties, but there’s an obvious burden of time, expertise, and finances to implement measures that boost your cyber hygiene. Our Risk + Response team talks to dozens of policyholders a month, and many are realizing that as they invest in better security measures, they’ll need the personnel to carry out their plans. 

We’ve spoken to our Chief Information Security Officer, Vice President of People, and a recruiter specialized in cybersecurity to get three unique perspectives on the most popular cyber talent questions. How do you even know where to start? What roles do you need to fill, and how do you find the right talent that’ll stay for the long haul in a competitive market?

3 Steps to Solve Your Cyber Talent Problem

Step One: Identify the Need

There are a few things to consider before you can start writing up that job description. First, from a cybersecurity perspective, Corvus’s CISO Jason Rebholz emphasizes: “What are you trying to accomplish and how do you want to achieve that end goal?”

Let’s consider two different scenarios. In one, you’re a part of an organization that needs to build or restructure your security architecture from the ground up. You have the budget to do a lot of the work you need in-house, and it’ll be worth it for you in the long run to have an internal security team as you anticipate a lot of growth in the next year. Starting with a Security Manager may be the best route to take for long-term maintenance. With their expertise, you can implement processes across your organization and listen to their recommendations for future hires, like analysts and engineers, to achieve your risk management goals. 

For a different organization, that might seem impractical. Building out an entire security team is off the table, but you have an existing architecture you’re looking to strengthen or expand. If you’re comfortable with the security processes already in place at your organization, but need the bandwidth to support more (whether that be new controls or testing and auditing), contracting a consultant may help balance the workload.

Whatever your scenario, a good place to begin is working with your own IT teams to determine their needs, or with experienced tech recruiters who can help you pinpoint talent that fills a gap in your cybersecurity goals. There’s no generic right or wrong answer to who you need to hire as each business has its own unique set of needs. What’s most important is knowing what you need for your organization to be more protected. 

Step Two: Attract Talent

The market for cybersecurity talent is tough right now. The pool of potential hires isn’t growing at the same rate as the demand, leaving organizations scratching their heads over what it’ll take to fill the roles they desperately need to meet their goals. Below, we’ve outlined a few steps to make sure you’re putting your best foot forward:

1. Keep In Mind That This Is a Niche Market

That’s a two-edged sword: there’s a lot of poaching of experienced talent, which contributes to the cycle of shortages as companies fight each other to attract and retain seasoned employees. However, this demand is driving many fresh, young professionals into the field. They know what they’d like to do in the industry and just need the right place to land. If you have some experienced cybersecurity staff already on payroll, consider opening up entry-level positions and tackling training. Have realistic expectations for what you need, and don’t exclude a whole pool of potential hires by implementing rigid expertise requirements.

2. Provide Candidates What They’re Looking For

According to the (ISC)² Cybersecurity Workforce Study, participants cited ways that the pandemic impacted their organizations for the better — and 53% mentioned improved workplace flexibility. Remote work may be a priority for many cybersecurity professionals, so keep that in mind, especially since other companies will.

3. Consider Your Position in the Cyber Market

What is something unique you have to offer candidates? Use that as a selling point. Our VP of People, Stacey Richey, says: “Corvus highlights our unique position on the bleeding edge of cybersecurity to potential hires. We’re alerted to breaches before they become widespread, introducing an interesting set of challenges and opportunities.” For other organizations, you should highlight what makes you stand out from a security perspective. Do you have impressive resources? Plans for career development? Let candidates know and market yourselves.

Step Three: Retain Employees

None of what we’ve mentioned so far is easy, but retention may be the biggest challenge of them all. When businesses are battling to attract a limited pool of candidates, you know you’re up against competitive salaries, benefits and perks. Once you’ve hired for the roles you need, how do you keep those hires at your organization? Joe Hudson, a recruiter who focuses on cybersecurity at Hunt Source, says that to retain staff you need to “deliver on promises to both the individual employee and the organization as a whole.”

If you hire talent to perform specific job duties, make sure that the expectations set for the role match their day-to-day tasks in reality. Throughout the interview process, confirm that you’re on the same page with candidates about what they should expect from the job. Beyond just the role itself, how an organization is presented versus how it actually operates can be a long-term deal breaker for employees. If a business presents a core value or mission statement, and an employee sees that it isn’t followed through in the actual work or how management operates, there’s a huge dip in incentive to stay, especially if they feel that they have been misled.

At the end of the day, sometimes the culture may just not be a perfect fit. But through certain initiatives — flexible remote work, alluring benefits, and listening to employee feedback — retaining talent doesn’t need to be mystifying. 

You can contact Joe Hudson here on LinkedIn. 
