Quibbling over dollars leaves jobs unfilled and companies at risk
Originally published on Medium [story no longer exists], this interview was conducted in November 2017 to explore the “CyberSN Research Study: The Cyber Security Hiring Crisis” in more detail. Read on to learn more about our findings
In today’s data-driven world, it seems impossible to imagine that among all the information that’s been collected and aggregated there is no repository with real-time cybersecurity salary data.
Yet, in cybersecurity — one of the fastest growing industries in the world — the compensation data across all positions is unreliable or inaccurate according to recently released research from CyberSN.
Analyzing information across 52 organizations and 83 cybersecurity positions, The Cyber Security Hiring Crisis: A Cyber SN Research Study, reveals that the majority of companies needed to raise their salary caps to hire cyber security talent.
For most companies, though, salary caps aren’t getting lifted and positions remain open because “Current HR practices around salary reviews and adjustments fail to meet industry requirements.”
These research results beg lots of questions, particularly if security is a real concern rather than a checkbox for compliance.
In order to better understand how salary caps can be something that stands in the way of enterprise security, I spoke with CyberSN founder and CEO, Deidre Diamond who offered insightful answers to my questions.
Q: With the growing jobs gap looming over the industry, why is salary caps one of the top issues in recruiting cybersecurity talent?
A: Organizations look at cyber like they look at IT, but cyber salaries are higher based on supply and demand. Often times, IT doesn’t want cyber making more than IT because it becomes an uncomfortable conversation about why one person is worth more than another.
As a result, it becomes this round and round discussion that results in nobody wanting to do anything, so the salary caps remain. The position then sits open for an average of six months while they continue to search for someone to fit within their salary cap.
The reality is that even if the data they are using is a month old, it’s old data. Salaries change every day and HR can’t stay current.
We see quite often that cyber leaders don’t feel supported when they go to have these salary conversations with HR. It’s not a welcoming environment.
Q: So is the issue that the data is unreliable data because it is old, or is the data non-existent?
A: For those people who are using old school bureaus, the data is definitely old. Those reports come out once a year, and a lot of times, security as a role isn’t necessarily in that data. The Department of Labor doesn’t even have cyber as a job listing.
If there is cyber, it is usually one role around information security. But, there are 35 different job categories in cyber, and most security people are doing three jobs in one even though the person is paid based on a title. That isn’t going to work.
The data they are using is not concise, but most often the people in HR think it’s legitimate and helpful. The reality is, the cyber industry is so different from IT and software.
Q: Are the salary caps a recruiting issue depending on job level?
A: It’s across the board. It doesn’t matter. Everybody wants to pay what people are already making, but the candidates aren’t going to take the risk of moving based on a lateral compensation.
We don’t see entry level positions. People don’t hire entry level because they are already understaffed. Among the masses, nobody has the budget to take an entry level person and train them. They don’t want to do it, but how do we bridge the gap?
Only 20% of the marketplace is picking up entry level people to train because the majority can’t afford it.
What we see happen is a job goes unfilled over a $10,000 difference. So often they don’t hire a person because internally companies see raising the cap — even $10,000-as a bad move.
Changes to the Equal Pay Act are going to change all of this. We can’t ask for information about somebody’s base salary. So, will people then be guessing at the offers? Right now they start with base salary and go from there, but the EPA changes are going to create more churn.
Q: What are some creative tactics companies are using to make the full compensation package more attractive?
A: Total compensation absolutely matters, and it is a part of the entire conversation. But who wants to take less money? In our four years of being in business, we have only see two people take a lesser salary for an opportunity.
Most people won’t even move for lateral compensation. Very few companies can pull off a lesser salary by offering a better total compensation package. If you are Google or Amazon, you can maybe get away with replacing the base salary with stock options, but people aren’t leaving because of money.
So why would you want to nickel and dime? If they are interviewing with you, they are interviewing other places too. Put your best offer out there because you don’t want to end up in a place where they didn’t take the position and you could’ve done more.
Q: Are the salary caps the result of growth or is it that people are leaving? If it’s turnover, is the salary capped at what the previous person was earning?
A: It’s 50/50 replacement and growth, but less about what the person was previously making. When somebody is in the seat, it’s a lot easier to get the cap raised by looking at similar roles in the organization, but the people in the current positions aren’t earning market value.
That’s a huge issue because HR gets sets salary by comparing the role to somebody who is being paid below market. Yet this is security.
Q: Are salary caps an issue across all sectors? Which silos are willing to raise the caps in order to hire talent?
A: We offer sales staffing for security companies, and the issue is the exact opposite. You never run into this issue of salary. For most cyber roles, it’s six months before they decide to outsource. In sales, it’s day one. Companies don’t care about security, they care about revenue.
Yet, the number one reason people want to leave is because the company doesn’t really care about security. What’s heartbreaking in that these people are problem solvers — protectors who really understand how everything works, but they are under utilized which makes the job satisfaction minimal.
The best salaries come from software companies, particularly for positions in sales and anything to do with the customer success process. Then consulting firms — managed service providers. Anyone that’s closest to revenue.
Q: Companies are starting to invest in cybersecurity insurance. Looking at the reasons we have talked about, why do they need to raise caps if they can get away with security as a check box and buy insurance coverage?
A: As a CEO, I can answer that for myself. When we talk about these insurance companies, we don’t know the future of what the policies will look like. The reality is that no breach costs the same for any one company. There’s so much that is unknown. Policies are going to be basic, so it really Isn’t a way to avoid investing in security.
It comes down to the question, “How much risk are people willing to take?” I’m seeing that people’s risk tolerance is still pretty high.
Q: What will be the impetus for change?
A: More breaches. When I think about where we are at today, it’s only the breaches that have gotten us the budgets. More and more people need to feel the pain through breaches or penalties, and we are seeing more regulations coming out.
It’s highly unfair that according to the PCI standards, companies can be fined by the bank for not securing customer data, but how about Equifax getting my personal information stolen? There’s no consequence.
PCI was the first time we saw fines and that’s when we saw changes, then HIPAA. When we see regulations that fine people, we start to see cyber budgets.
The Equifax breach had no consequences, but the laws are now being put in place.
Companies that are not investing in recruiting and retaining for cyber security jobs will pay with a breach.
We love you, cybersecurity community. Please reach out if we can help you with your search or hiring needs! Email us: firstname.lastname@example.org