Keeping hold of top talent

by Mark Rowe

Should you poach cyber security staff? asks Jamal Elmellas, Chief Operating Officer for Focus-on-Security.

It’s no secret that the cybersecurity sector is experiencing unprecedented shortages, making it a candidate’s market, but competition is now proving so intense that more businesses are resorting to poaching professionals to fill vacancies.

According to ISACA’s State of Cybersecurity 2022 report, 59 percent said the top reason cybersecurity staff left their current jobs was being recruited by other companies. This ranks above leaving because they’d been tempted by higher pay (48 percent) or because of limited promotion and career development opportunities (47 percent). Companies are aware of the problem too, with 60 percent admitting they were having difficulties retaining cybersecurity talent, up seven percent from the previous year.

The situation is set to become more acute according to the Department for Digital, Culture, Media and Sport (DCMS), which warns that there is an annual shortfall of 14,100 new entrants into the profession (it revised its estimate of the workforce gap last year, increasing it by 40 per cent, indicating how much demand has grown). Meanwhile Gartner has warned that by 2025, nearly half of cybersecurity leaders will have changed jobs, with 25 percent choosing to leave the profession, creating a gap at the top end of the market too.

Reduced resilience

Businesses are beginning to feel the effects of this shortage, with 69 percent claiming to be somewhat or significantly understaffed, which is having a direct impact on their ability to remain secure. The (ISC)² Cybersecurity Workforce Study 2022 found consequences included insufficient time to carry out risk assessment and management (48 percent, up from 31 percent the previous year), oversights in process and procedure (43 percent, up from 29 percent) and tardy patching (39 percent, up from 29 percent).

Such effects will undoubtedly force businesses to reappraise their recruitment and retention strategies, which means we could see headhunting of passive candidates (i.e. those who are not actively seeking a job) become the norm. But the cybersecurity market is an incestuous one, so is it wise to let yourself be headhunted as a candidate or to perform poaching as a company?

Provided you don’t ask the employee for sensitive information on your competitor, poaching staff is not illegal. In fact, it’s viewed as part and parcel of a healthy labour market. This is of course with the exception of non-compete clauses, usually included as part of a business buy-out to prevent an individual from setting up a new competing entity and/or taking staff with them. Businesses that do choose to head-hunt should ask the prospective employee about any post-termination restrictions and, if there are any, seek legal advice on any conditions of hire.

As a candidate, it’s wise to know your worth by monitoring the market and to have an idea of what you’d like to achieve in your career. Ambition is looked on positively and so again there’s no reason not to be open to being headhunted. However, employees are very unlikely to be entirely open about their aspirations, both financial and career-wise, with their existing employer, creating an exploitable situation. To counter this and reduce the risk of staff being poached, the business therefore needs to prioritise retention.

First and foremost, identify the talent you have that is most at risk of being poached. According to Fortinet’s 2022 Cybersecurity Skills Gap, the roles most in demand are in cloud security (50 per cent), SOC analysts (42 per cent), Security Administrators (42 per cent) and Security Architects (40 per cent), while the top five in the ISACA report were cloud computing, data protection, Identity Access Management, Incident Response and DevSecOps. But bear in mind, too, the possible discontent among senior management and the C-suite.

Many organisations think they have to increase salaries to compete. But the (ISC)² study found that while 31 percent left to go to a higher paying position, the same number were also motivated to leave for a job with a better job title or which was effectively a promotion, and 30 percent said they left due to lack of opportunities for career advancement or growth. This indicates that employers can hold on to their employees if they proactively provide them with a career plan and give them the support they need to get there in the form of training.

Moreover, the report also found a direct correlation between poor employee experience and staff turnover, suggesting that employers can also make a difference by improving the workplace culture. It found the most common accommodation made was to provide flexible working conditions such as remote working but this wasn’t the most impactful. Instead, valuing the input of employees made the most difference. Yet only 28 percent of organisations had programs in place to listen to and value staff input and only 35 percent solicited input on employee needs.

These are relatively modest changes that the business can make but there are also other changes to the recruitment process that can increase their chances of attracting talent.

In many businesses, for example, it’s become clear there’s a breakdown in communication between the hiring manager and HR and that this is resulting in poorly worded job descriptions that don’t match the needs of the role or ‘unicorn’ job descriptions that combine incompatible skillsets so are essentially unfillable. This can see the recruiter sidestep HR and seek to speak to the manager directly or even rewrite the job description entirely, according to the DCMS report. So, there’s a clear need to align the security team with HR more closely.

Yet there are clear lessons to be taken from these studies. People vote with their feet when they feel undervalued, unsupported or unfulfilled. Businesses can, therefore, reduce the chances of their staff being poached by addressing their needs. But they can also increase their chances of headhunting key talent by ensuring they communicate the demands of a role, the opportunities for progression and the support offered as part of the company culture. Fundamentally, if the right candidate is selected for the right job and is given the right level of support and career progression, they are much less likely to leave.


© 2024 Professional Security Magazine. All rights reserved.
