The law of supply and demand is alive and well in the IT industry. As with any product or services limitation, cybersecurity talent costs are on the rise, and companies without significant financial resources are being forced to forgo or cut back on hiring those experts. It’s Economics 101.
Any MSP that has attempted to recruit security professionals recently will understand the situation. The U.S. Bureau of Labor Statistics predicted the number of jobs in that space to increase 28% between 2016 and 2026, up from 18% in their 2016 report. Between the headline-grabbing data breaches and the escalating threat of ransomware, those figures may be on the conservative side. Compliance and security threats are escalating quickly and nearly every company, from the Fortune 500 to the smallest MSP, needs help.
Supply is the other problem. The pool of qualified professionals required to fill those positions hasn’t grown nearly fast enough to keep up with the demand. In fact, the shortage of skilled specialists is forcing many providers and vendors to significantly boost salaries and incentives included in their job offers and causing others to scale back their expansion plans.
How much should it cost to employ a skilled cybersecurity expert? The answer depends on the local market and the job requirements.
For example, MSPs looking to hire talented IT security professionals in New York City will be competing with scores of businesses, including Wall Street financial institutions, large corporations, government agencies, and other organizations with deeper pockets. Wherever demand for cybersecurity experience is highest (virtually everywhere today) and supply is lowest, expect payroll costs for these professionals to rise substantially. The average annual salary for a certified IT security professional in NYC, for example, is nearing $150,000 (that is, if you can find one).
Those investments are merely the cost of doing business. With a national average salary nearing $100,000, MSPs must carefully research the costs and availability of talent when building their cybersecurity plan. The sticker shock will undoubtedly cause some to pause and reconsider their job requirements or stretch out recruitment timelines.
If not, they may find themselves in bidding wars for recruits with multiple suitors. No one wants that. The “winning company” often overpays for an employee they may not have had time to adequately screen and evaluate, which can end up creating headaches for the management team.
Pause and Reflect
Tech companies need to know what specific talents they need before building job descriptions and kicking off recruitment efforts. That begins with an assessment of each client’s particular security needs and then developing a baseline of technical skills needed to address their protection objectives.
Would a level-one technician be able to handle some of those responsibilities? Could a current employee or less experienced new hire fill that role? For example, some MSPs look for potential and raw skills, and then invest in training and certifications to bring those employees up to speed.
Channel companies need to carefully research the talent pool and develop a recruitment strategy that fits their situation. Finding individuals with those skills is usually the easy part. The best professionals are already gainfully employed securing business networks and locking down data systems for local organizations.
Of course, those who are unhappy in their current roles will likely be disgruntled in a new one. That’s the primary reason many MSPs train and advance from within whenever possible. They groom existing talent and invest in the valued cybersecurity training and certification programs. The trick is finding ambitious employees with strong loyalty and high job satisfaction. If properly incentivized and motivated, they’ll remain on staff long after their training investments are paid off.
A boost in salary and bonuses may also be required to retain the top talent. Money is a great motivator, but some team members, especially those from the latest generation, may prefer extra vacation days or a more flexible work schedule as a reward. Smaller tech companies need to be more creative with their incentives if they wish to attract and keep quality cybersecurity talent.
Firms are often reluctant to promote from within when building out their practices because backfilling key positions isn’t easy. The problem is, when the best-qualified employees are passed over based on their current value, they feel like they’ve hit a promotional ceiling, and many often end up leaving. Successful tech companies reward for performance instead of limiting growth opportunities for their most productive team members.
There are no easy answers when it comes to filling the cybersecurity talent gap. Savvy MSPs spend more time developing their recruitment strategies today. The objective isn’t just to land top-notch cybersecurity professionals, but to attract entry-level technicians, sales, marketing and other team members. That approach requires a fair amount of time and a long-term vision.