Not a Member? Get access to HR news and resources that you can trust.
Here is how HR can help prevent the missteps that could cost your company big in court.
Is your employee handbook ready for the changing world of work? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
Expand your influence and learn how to become an effective leader -- Join us in Phoenix, AZ, October 2-4, 2017.
Although employer demand for cybersecurity talent has grown steadily since 2007, several recent high-profile computer-hacking events are pushing that need to stratospheric heights, according to a study released on June 17, 2014, by the RAND Corp.
The report, “Hackers Wanted: An Examination of the Cybersecurity Labor Market,” found that a growing nationwide shortage of qualified cybersecurity professionals could threaten the business operations of millions of private-sector employers. This skills shortage, however, poses more significant problems to the federal government and could eventually compromise national security, the report claimed.
“It’s largely a supply-and-demand problem,” said Martin Libicki, lead author of the study and a senior management scientist at RAND. “As cyberattacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks.”
In addition, the increasing demand for cybersecurity talent is having an impact on human resource professionals working in the public and private sectors, the study revealed. HR staffs are struggling with how to identify the best-qualified candidates because “cybersecurity credentials have proven to be only weakly correlated with competence.” The challenges HR and hiring managers face are “highly dependent on the cybersecurity issue at hand,” the report asserted.
“If the job tasks are compliance, user interface or trouble-ticket management, then differences between mediocre and high-level performers is likely to be tolerable,” the report stated. “If the issues are code-writing or ‘red-teaming,’ then skill differences are likely to be significant.”
The report suggested that employers should take new and “more unconventional” approaches to identifying talent such as looking for a candidate’s successful participation in a hackathon or even participating in hackathon events with corporate sponsorships. Dozens of hackathons are held throughout the U.S. every year, where software developers and coders work cooperatively to create new software applications or solve computer security issues. Participants are typically recognized for the best new applications and software solutions.
While the researchers for RAND found an overall shortage of qualified cybersecurity professionals, they discovered that the lack of skilled talent is most acute for higher-end jobs, in which annual salaries above $250,000 are fairly common for professionals who possess technical and managerial skills.
Since private-sector employers typically pay higher wages than federal agencies, which are often constrained by budgets and seniority rules, the skills gap has grown particularly problematic for the U.S. government, the report concluded. The study highlighted the National Security Agency (NSA) as doing a good job in recruiting, hiring and retaining talented cybersecurity professionals. The NSA is the largest employer of cybersecurity professionals in the United States, and less than 1 percent of the job openings at the agency go unfilled for more than four months.
“The NSA has a very low turnover rate, losing no more to voluntary quits than to retirements,” the report revealed. “One reason is that it pays attention to senior technical development programs to ensure that employees stay current and engaged.”
The NSA has a very intensive development program that can last as long as three years for some employees. Through the talent development, the agency guarantees pathways for advancement and active participation in some of the world’s most intricate and sophisticated cybersecurity issues.
“For the most part, our interview suggests that the NSA makes rather than buys cybersecurity professionals,” the report stated.
The NSA, however, does have problems competing with private-sector employers for upper-level cybersecurity professionals, the report revealed. Many high-level NSA professionals are being poached by banking firms and defense contractors, because these employers can offer salaries of $300,000 or more per year.
The report suggests that both private- and public-sector employers could learn from the NSA model and that employers should focus more on grooming younger cybersecurity professionals for management.
“For instance, if jobs in the greatest demand require managerial experience, more intensive efforts can be made to take promising cybersecurity technicians, so to speak, and run them into management to determine more quickly which of them can achieve the rare combination of technical and managerial skills,” the report suggested.
Organizational communications and reporting responsibilities are two additional issues that employers need to address when hiring cybersecurity professionals, another recent report has suggested.
According to a study conducted by the Ponemon Institute and sponsored by FireMon, only 6 percent of cybersecurity professionals surveyed reported being “highly effective” at communicating risk factors to senior management. Nearly 30 percent said that they never communicate with senior executives, and slightly less than a third of the respondents reported that the only time they meet with upper-level management is when a serious risk has been discovered. More than two-thirds (71 percent) of the survey respondents said that communications about cybersecurity risks happen at too low a level within the organization to be effective, and more than half of respondents admitted to filtering or softening negative facts before talking to senior executives.
“This survey reveals there is a lack of understanding of what's important and how it should be measured,” said Jody Brazil, president and chief technology officer at FireMon, a security management consulting company in Overland Park, Kan. “Most security professionals are invisible until they are forced to disrupt the flow of regular business, and disruption is seldom viewed as positive by those in charge.”
Security breaches can, however, grab the attention of those in charge, but often it’s too late because the damage is done. For example, Gregg Steinhafel resigned as CEO of Target after a massive data breach in late 2013 exposed as many as 40 million payment card accounts. The fallout from the data breach has been severe, with Target’s stock value and earnings plunging approximately 30 percent in the final quarter of 2013 and first quarter of 2014.
While data breaches like the one at Target and more recently, P.F. Chang’s restaurants, tend to grab headlines and attention, it remains to be seen if corporate attitudes on strengthening cybersecurity will shift dramatically. The growing demand for skilled cybersecurity professionals may indicate that businesses are beginning to get the message.
Bill Leonard is a senior writer for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 3,200 companies