The SANS-GIAC Workforce research report for the year 2024 is based on a first-of-its-kind survey that analyzed the cybersecurity workforce with the goal of identifying the key factors to successfully build high-performing cybersecurity teams.
The report focuses on efforts to hire and retain mid-level cyber security professionals.
The survey results analysed in this report zero in on five of the top cyber security work roles defined within the National Initiative for Cybersecurity Education (NICE) Framework, selected based on supplementary data from CyberSeek, a knowledge base that provides detailed reporting of supply and demand in the cyber security job market.
Let’s Face the Facts
We’ll delve into the results in depth in the pages ahead, but before we get too deep into the data, here’s an at-a-glance view of the key takeaways you can find in this report:
- Perceived Cybersecurity Team Effectiveness Is High: Only 6% of survey respondents indicated their team is not meeting their cybersecurity goals.
Human resource managers and cybersecurity managers can look to this report’s key takeaways to tailor their hiring and talent management practices for overall quality and strategic skills development for their cybersecurity teams.
Respondent details
Nearly half of all respondents (48%) indicated they provide cybersecurity services (30%) or cybersecurity products (18%). This means that the other half of respondents are from companies that need cybersecurity to keep their company safe.
- Cybersecurity managers were asked to select their top three challenges for hiring mid-level cybersecurity staff. Salary competitiveness was the number one challenge identified among respondents.
- When asked how effective they perceived their team to be, 54% of respondents indicated that their teams were meeting or exceeding goals. Out of the 46% remaining respondents, 40% of them stated that their teams are partially meeting their goals.
Would You Rather Have Not Enough Staff or Not Enough Skill?
On average, managers who are concerned with a staffing shortage rate their concern at 6.9 on a scale of 10. Similarly, on average, managers who are concerned with staff not meeting skills requirements rate their concern at 6.94.
When respondents were asked if they use the NICE Framework, 14% said that they use it and 56% stated they do not use it. A surprising 30% were uncertain whether or not they used it.
Crucial point for HR managers to observe
Case Study Snapshot
There is no common lexicon – especially across HR and Cybersecurity managers in terms of sourcing and recruiting and accurately understanding staffing requirements, said Dr. Austin Cusak, a Technical Leadership Program Manager.
- Organizations often struggle with technical terms that are misused or confused, which promotes a suboptimal environment for effective matchmaking between applicants and staffing requirements.
- Furthermore, Dr. Cusak has, in his experience, seen HR management force outdated best practices on the cyber workforce, which hampers recruiting, career planning, and systematic advancements.
- These inefficiencies generally exacerbate the cybersecurity staffing shortages by unnecessarily extending the average time-to-hire, typically measured in multiple months, for critically understaffed cybersecurity roles.
Similarly, 46% of HR managers emphasized the need for enhanced collaboration between HR and Cybersecurity managers. Notably, they are also keen on maintaining standardization, as indicated by 31% of the responses, which makes the case for wider adoption of the NICE Framework.
One can conclude that HR managers and Cybersecurity managers each have a desire to work together better to create a more efficient and effective hiring process.
Challenges
Cybersecurity managers were asked to select their top three challenges for hiring mid-level cybersecurity staff. Salary competitiveness was the number one challenge identified among respondents.
Case Study Snapshot
- Investing in new hires and developing home-grown experts should lead to the most sustainable results. Unfortunately, many organizations, especially in private industry, disproportionately focus on identifying the “best athletes” that often keep circulating to the highest bidder with little affinity and diminished value to the organization. As Jay Bhalodia’s input to the SANS study puts it, “If we are buying talent all the time, we will run out of money.”
Below are several of Jay’s general recommendations for positioning for sustainable success:
- Know who you are, where to compete for talent, and the composition of your current workforce to add balance
- Utilize best-of-breed training and focus on recruiting those that bring diverse experiences “sitting in the seat” of roles that will add to your workforce’s expertise or culture
- Look for passion over experience, including passion for the craft, community and industry, preferably more than one
- Don’t be afraid of training people because they might leave; ultimately investing in people will increase their desire to stay
- Recruit for passion, and critically review your requisitions to confirm requirements versus preferred qualifications; where possible, default to more inclusive language like “interest in” over “experience with”