Recent research by the UK government found that 50% of all UK businesses have a basic cybersecurity skills gap. Over 160,000 cybersecurity jobs were posted in 2023—an increase of 30% from 2022. Cybersecurity Ventures also predicts the cyber workforce shortfall will reach 3.5 million people by 2025 worldwide.
This was also a topic of discussion during a panel at The C2 Intelligence event organised by SE Labs that took place last month. The panel, made of CISOs and Heads of Threat/Cyber Intelligence from large and well-known organisations such as NATO and Europol, shared their learnings and advice for retaining talent. Given the tips I have heard from clients and at events over the years as well as this panel, I thought it would be useful to put them all into one place. So, if you are struggling to retain your cybersecurity talent, read on.
Provide training from the start
Providing online and/or face-to-face training for your employees as soon as they start is key, not only to show them that they are valued and that you are committed to their professional development but also to help them acquire the skills needed to do their job confidently.
Establish mentorship programmes
Talking about professional development, implementing a mentorship programme and a clear career path is also a good way to demonstrate to your employees you care about them and want them to succeed. With the right training, any of your employees can be mentors (as well as mentees) and advise and guide those that are just starting their career. Don’t forget to give them the option to find a mentor outside the organisation too as some might feel more comfortable talking to somebody externally and outside their functional hierarchy.
Create a supportive work culture
There are a lot of surveys out there showing that workplace culture today attracts and retains more employees than salary and benefits. To have a positive and supportive work culture, there are a few steps you can take:
- You need to make your employees feel they are part of a mission and aligning that mission to the cybersecurity strategy.
- You also need to make sure your team leaders have the mindset to support and look after their team, especially in the event of a major attack. Your team might spend days and nights trying to contain the attack so making sure you have a supportive environment around them is going to be key in helping them get through it. Buying food, setting up bed camps, providing toiletries essentials or giving them some time off are all part of it.
- Thinking about what happens after an event is important too. Having a PTSD specialist or psychologist available could be beneficial. Serious events like a ransomware attack for example can have detrimental impact on your team mentally, physically, and personally.
Offer competitive benefits
Although, as stated above, a competitive salary is not necessarily the highest priority for all employees, it’s still a top priority and particularly for Gen Z workers. Getting compensation right is therefore imperative if you want to retain your top talent. It requires you to have a pulse on the market and have data from similar companies about base pay and bonus pay at your disposal to make the best decisions.
Be flexible
Like one of the panellists pointed out “Today’s workforce is different. Your life is not your job. Your job is what enables it.” Your employees might want to go on sabbatical for six months and travel around the world or work for one month in New York and another month somewhere else. For generations before it was unthinkable but today this must be taken into consideration. The more flexible you will be with working hours, remote working and holidays, the more chance you will have to retain talent.
Encourage diversity
It’s been said time and time again but probably not enough, the lack of diversity and inclusion in cybersecurity is what is holding the industry back. According to a survey by Trellix and Vanson Bourne, the industry’s workforce is homogenised – 64% identified as white, 78% male, 95% with a bachelor’s degree, and 85% in IT, computer science, or a technology major. People that don’t have a degree but have earned certifications or completed other vocational training tend to be excluded despite 56% of security professionals believing that people don’t need university degrees to have a successful career in cybersecurity. This must change and as cybersecurity leaders you’ve got the power to do this:
- Encourage women to acquire the skills needed through online training, which can feel safer and more inclusive.
- Offer internships, apprenticeships, and benefits packages that appeal exclusively to women and get involved in programmes set up by organisations such as Women in Cybersecurity (WiCyS).
- Showcase the achievements of your talent, of all genders, to encourage others to join the industry. By seeing more women in leadership positions in cybersecurity for example, students and employees will realise that it is not just an old boys’ club but an industry that anyone with a passion and desire to learn can contribute to.
The cybersecurity skills gap is real and will only continue to increase unless cybersecurity professionals and their organisation come together to make the changes stated above to retain their talent.
