The Costs of Hiring and Retaining IT Security Staff

February 21, 2018 · steveverbanic · · Comments

Anyone considering building an internal IT security team has run up against the realities of hiring, training, and retaining top cybersecurity talent. Qualified employees can be tricky and expensive to find and even more expensive to recruit and retain. These factors pose hardships on CIOs/CISOs, and stem from multiple factors in the cyber security space, including a rise in the damage done by cyber criminals, the rise of specialty cyber security needs, the lack of qualified talent, and employee overuse and burnout.

In the next 2 years, demand for skilled cyber security talent is expected to rise to 6 million positions globally, with a projected shortfall of unfilled positions of around 1.5 million (citation). Why? Cybercrime continues to rise. According to the Harvard Business Review, Cybercrime now represents a $445 billion business, and it won’t be any less profitable any time soon.

How do these trends affect your business? This shortage of qualified talent drives up business costs in a variety of ways. This post will examine the costs of building and maintaining a quality cyber security team continue and what some companies are doing to save.

Hiring Obstacles

Hiring talent adds to costs in three different ways. First, there is the skill and technology needed to locate talent. Finding suitable candidates was listed as the biggest obstacle to hiring in 2017, with 46% of those surveyed citing it as a main hardship  (LinkedIn).  Next in importance were compensation and competition, with 43% of respondents and 39% of respondents, respectively.

According to the Society for Human Resources Management (SHRM), the average cost per hire for any position is $4,129. Considering the nature of IT security shortages, however, you may expect a higher cost when it comes to finding top talent. This includes only the technology, tools, and recruitment time, and not the actual costs of salaries and benefits that make the job more enticing to the candidate.

Another factor included in hiring costs is the need to vet those candidates without traditional technology degrees. Though many companies are considering dropping requirements for bachelor’s degrees because they cannot find the requisite talent, they still need to validate talent through contests, Hackathons, technology tests, and expert vetting from current IT Security employees.

Lastly, when recruiters do locate and vet potential employees, there is the cost of appealing to these candidates- a cost that keeps rising. In fact, Jobvite reports that 68% of global businesses “have increased their average salary offer for candidates in the last year.”  Although the salary typically is the most expensive part of attracting top talent, it is far from the only cost. Costs can include employee benefits, bonuses, and a certain amount of the CIO or CISO’s time in reaching out to candidates as well. recommends that the CIOs and CISOs looking to hire top talent get personally involved in the search by spending their time reaching out on channels such as Facebook, LinkedIn, and Twitter. This involvement adds additional tasks outside of the traditional CIO skillset, and can take time away from valuable cybersecurity work.

Training Talent

Onboarding and training periods exist in every profession. According to the Harvard Business Review, it typically takes about 8 months before one new employee can reach full productivity. In IT Security, that time can expand because of changes in technological tools and regulation.  In addition, there is also the need to cross-train employees on how to use multiple cyber security tools so that the investment in the tools is not lost when an employee leaves.

Employee Retention

Once you hire and train talent, you have  the additional risk of losing that talent to competitors offering a better work/life balance, better job experience, or a more competitive pay and benefits package. Though maintaining these features of the job can be pricey, they are essential for preventing attrition, which is typically more expensive.

The size of your cyber security team can affect your employees and add or subtract from the hassles of the everyday job. Having just one IT security employee means that person must spend much of his or her time putting out fires rather than addressing the most advanced threats. This type of monitoring work can lead to employee burnout and force your trained talent to look elsewhere for better. The majority of companies (64%) don’t even realize what they are doing wrong in this area, because they only measure employee engagement once during the year, according to the Deloitte University Press.

Competitor poaching can also raise the costs of retaining a balanced and effective cyber security team. Recruiters aggressively seek staff with more than one year of experience and flood them with more lucrative offers, according to Gartner. These offers don’t fall on deaf ears either. In 2017, 74% of global employees reported they would be open to making a job move, according to a Jobvite survey.

To keep your investment in each employee, therefore, you may have to provide extra benefits throughout the year to increase your employees’ willingness to stay. These could include additional benefits or bonuses for time spent at the company.

How to Counteract Expensive Hiring and Retention Practices

The costs of building a team are diverse and cannot be eradicated completely. However, there are ways to reduce these costs and maintain an effective IT security team. One way is to hire SLAIT  to take over your Monitored Security Service and reduce your risk.

With SLAIT’s ThreatManage service, you will eliminate your hiring and training costs by gaining a team of highly-trained professionals. It can also reduce the risk of attrition by taking the monitoring burden off your team and allowing them to work on the IT Security initiatives in which they specialize. You will also have more time to manage and strategize without wasting time on non-critical security alerts.

See our website to learn more about ThreatManage and its benefits for your business.