How to compete in a wage-fuelled market for cybersecurity talent

By Jamal Elmellas, Chief Operating Officer, Focus-on-Security

The cost of living crisis is expected to see workers quit their jobs in droves in search of higher pay this year, according to The Workplace Today study which revealed one in five workers (equivalent to 6.5 million) are actively seeking higher remuneration. For the SME sector this could potentially make it much more difficult to recruit and retain staff, particularly as many won’t have deep enough pockets to compete with the big players in the market for talent.

One of the areas experiencing the worst shortages is cybersecurity, with the (ISC)² Cybersecurity Workforce Study 2022 reporting that vacancies increased 73% in the UK last year. Those shortages then equate to understaffing, exposing the business to greater risk of attack. SMEs are already suffering the consequences of such shortages. The Business of Cyber Security report found 54% of SMEs were subjected to a cyber attack in 2022, up from 39% two years earlier, with the average attack costing up to £4,200.

Vicious cycle

Moreover, those that do remain on staff then tend to become overloaded or burdened with additional tasks. The State of Security 2022 report found 76% of security team members have been forced to take on responsibilities they are not ready for. This, in turn, increases stress levels and the risk of error, and stressed employees are of course more likely to leave, creating something of a vicious cycle.

So how can SMEs compete for talent? What can they do to make their cyber roles more compelling to prospective employees? Given that four day working weeks, extra holidays and perks may not be workable, what can they offer?

Interestingly, the (ISC)² report found that the reasons for people leaving cyber roles were just as likely to be down to a job with a better title or a promotion (31%) or opportunities for career advancement and growth (30%) as they were to be higher pay (31%). This indicates that staff can be motivated to stay if they feel invested in.

Staff morale is key

Workplace culture also plays a significant role. The same report looks at Employee Experience (EX) as an indicator of risk. It found that those businesses that had low EX where employees expressed dissatisfaction with teams, organisations and departments, were much more likely to be understaffed, so there’s a direct correlation between employee morale and risk.

What’s more, employees didn’t value incentives such as remote working, recognising their birthday or additional time off, or even robust parental leave policies. What they wanted was for their efforts and input to be valued, to be actively listened to and their feedback sought. Very few organisations seem to be doing this today, potentially allowing SMEs to differentiate themselves.

Similarly, if they can offer employees a clear career path they’re much more likely to be successful in recruitment and retention. It may seem surprising but many job descriptions neglect to mention the training and career advancement on offer even though this is seen as a “strong selling point” by candidates, according to a Department of Digital, Culture, Media and Sport (DCMS) report.

Planning a path

Businesses have struggled to offer career progression because there’s been no real consensus over the skills and responsibilities specific cyber roles should have. This has made it very difficult for employers to plan their workforce too. Thankfully, progress is now being made in this area with the UK Cyber Security Council currently rolling out its Cyber Career Framework. This covers 16 specialisms and maps responsibilities, remuneration and associated roles so it should prove invaluable to companies in helping them draft their job descriptions, for example.

Another reason SMEs have fought to compete over talent has been their ability to leverage technology. The price point of tools such as Security Information and Event Management (SIEM) has come down as cloud-based solutions have emerged, and this automation has enabled those businesses that can afford to invest to significantly lighten the load on their security staff.

But it’s generative AI that promises to truly level the playing field. Large language models such as ChatGPT, Bing and Bard are all freely available and can be used to automate much of the written processes and red tape that bog down businesses today. Uses include the creation of documentation, summarisation of reports or even designing bespoke security awareness campaigns. Personalised phishing exercises can be created by scraping user information from social media platforms, for example, making these highly convincing. But in order to benefit from these tools, SMEs will need to look for employees with a new set of skills, namely AI prompting.

So, there are tactics and technologies that SMEs can use today to significantly increase their ability to recruit and retain cyber talent. By putting the candidate first and foremost, offering them training and career advancement, putting in place an EX program to listen to and value their input, and using technology where they’re able to augment their staff and make their working lives both easier and more productive, SMEs can compete with the big league and even beat them at their own game.