Cyber security talent is expensive – so why not develop your own?
Cyber talent is expensive. In the UK, security analysts typically command salaries in the £50,000 region, and this cost snowballs for organisations that run security operations centres (SOC) with several employees. AT&T Cyber Security recently published a ‘cost-effective’ SOC blueprint, but even this basic setup demands four employees, one of whom – the SOC manager – will expect around £70,000 per year.
And then there’s the cost per hire; cyber security is one of the most lucrative sectors for recruiters, because demand outweighs supply. (We won’t bore you with the skills gap narrative here, but talent remains sparse in 2019.) Beyond that there’s the dreaded churn, with LinkedIn reporting that technology has the highest turnover of any sector. In fact, 82 percent of organisations say most security analysts leave for financial reasons or career advancement, so finding and, more importantly, keeping employees is an expensive business.
Why spend on cyber security talent?
The question for many organisations is whether the outlay is worth it. Small businesses might deem cyber security nonessential and simply bank on their IT team keeping them safe – but this is not a financially viable option for enterprises, whose huge datasets mean they risk losing millions to a breach. And incidents are more common than you might think: last year, for example, nearly half of all UK businesses experienced a cyber-attack or security breach.
According to IBM, the average cost of a data breach is $3.6 million, so spending on cyber security talent will save you time, money and stress in the long run. However, there is no strict rule stating where talent must come from to be effective.
An alternative to recruiting cyber talent
While ignoring cyber security isn’t realistic, honing your organisation’s pre-existing talent is. Many people possess the traits required for a cyber security role, and they could be working in any department in your business. Problem solving, perseverance and a competitive nature are all indicative of cyber security potential, as are analytical thinking and a desire to learn. Identifying and nurturing raw talent instead of hiring experience can be extremely lucrative.
You might be doubtful – cyber ninjas don’t hide in sales, right? – but sourcing your own talent is perfectly feasible. We’re not suggesting a fully-fledged pen-tester is lurking in your ranks unbeknown to you (that would be silly); rather, that your workforce boasts employees more than capable of filling cyber security roles. And there are several reasons you should look to tap into this potential. Hiring externally is an expensive game and all too easy to get wrong. There is surely no bigger disappointment than hiring someone who is perfect on paper, only to discover that their real-world skills don’t match up.
Better still, when promoting from within you also know what makes that employee tick because, hey presto, you’ve already worked with them. This will help in your quest to retain that worker as they develop – something that’s essential when considering just 15% of cyber pros have ‘no plans’ to leave their current role.
Identifying and upskilling hidden talent
When trawling your business for raw cyber talent, remember: you are not seeking experience and pre-existing hard skills, but personalities. To identify those with a propensity for cyber, you must look out for tell-tale traits like curiosity, creativity and a competitive nature.
As well as knowing what to look for, you need to know where to find it. While the obvious solution is to raid the IT department, consider screening those working in analytical and strategic departments like finance and marketing too. You should also inspect your employees’ backgrounds; did they study maths at university, for instance, or serve in the military? A 2017 study found that 1 in 5 cyber security professionals joined from a different sector, which proves that those with non-technical backgrounds can, and do, successfully transition into cyber.
Once you’ve pinpointed those with potential, you need to put them through their paces; this means finding a way to test their learning ability, dedication and practical suitability. It’s crucial that you don’t fall into the trap of thinking your protégé will become a threat hunter overnight. You’ll need to invest in their potential, supply the tools required to succeed, and allow sufficient time for development.
With Immersive Labs, you can monitor your entire workforce as they develop new skills through our gamified labs. You can engineer your team’s learning to suit your business needs with personalised skill paths, effectively developing your own bespoke cyber workforce. Our management features highlight your team’s strengths and weaknesses so that you can plug skills gaps and improve your organisation’s risk posture on the fly. And as our platform is fully on demand, your employees can begin learning cyber skills anywhere, any time.
It might not be the conventional route, but utilising workers from alternative professions and backgrounds can have a lasting impact on your talent pipeline. It will also result in a diverse workforce that benefits from varied, atypical viewpoints, allowing problems to be tackled in new and innovative ways.