Cyber security is among companies’ primary concerns today with no company seemingly immune to widespread breaches with long-lasting effects. The cost of cyber attacks is escalating rapidly and outstripping IT security spending, which is expected to reach $132 billion in 2021, an increase of 8% since 2016. Yet close to $600 billion is being lost to cyber crime each year.
Given these startling statistics, it’s not surprising that more organizations are hiring a dedicated cyber security function as opposed to having it covered by a traditional IT role.
Preliminary findings from Aon’s Global Cyber Security Compensation and Talent Survey corroborate the rising demand for cyber security talent, as companies are mobilizing teams with the dedicated focus of tackling and mitigating cyber security threats and issues. As we do a deeper dive, we’re seeing that professionals in these roles are relatively new to their jobs. Out of our database, about 2 in 3 incumbents (67%) were new to their job, having joined in 2016, 2017 or as recently as 2018. The pace of hiring has hastened even more so this year, as the number of hires in the first quarter of 2018 was almost on par with the number of hires through the first half of 2017.
High Demand, Short Supply
We expect the imbalance between supply and demand for cyber security jobs to be the new norm for the foreseeable future. According to Symantec, we should expect to see 1.5 million unfilled jobs in cyber security by 2019 because of the shortage of skilled talent. Over the past few years, cyber security jobs have grown 3.5 times faster than other IT jobs and a whopping 12 times faster than jobs outside of IT.
Given that the demand for cyber security talent is growing at a pace far exceeding the supply, our research shows that companies are willing to loosen their purse strings to attract, engage and retain top cyber security talent. In 73% of cases, individuals who were hired into cyber security roles before 2018 were paid more than those who were hired in 2018. Those hired in 2017 were paid 15% more than those hired in 2018. We believe this is driven by a combination of merit increases and promotions reflecting the value of this role, and retention bonuses to prevent in-demand talent from being poached by competitors.
Some of the most in-demand cyber security skills with significant pay premiums include:
- Penetration testing & Ethical hacking
- Security architecture
- Application security
- Threat hunting & Intelligence
Developing a Cyber Security Talent Strategy
The risk associated with cyber security is acute, causing many organizations to formulate talent strategies to combat this largely unpredictable threat. Given the high demand for cyber roles, it’s important for companies to develop a human capital action plan focused on cyber security. Here are our tips for getting started:
- Organizational Planning: Facilitate organizational planning sessions with IT leadership. They will know the details of what’s required to meet their objectives, but you can help articulate the structure and roles. A key consideration when designing your organization structure for IT security will be the reporting relationship. Most commonly, we find the top information security executive will be a direct report to the CIO. This helps ensure that cyber security is getting the level of attention it deserves.
- Staffing and Sourcing: The predicted shortage of available talent means organizations will need to be more creative when defining action plans for staffing and sourcing. Recognizing that this demand for information security workers is a long-term problem, some organizations have adopted a ‘grow your own’ approach for sourcing talent by selecting based on aptitude and potential and then investing heavily in training.
- Compensation Plan Design: There are a number of rewards implications to consider with this new role, including:
  - Eligibility: Not all jobs in the IT security family are facing the same challenges, and reward programs needed in one area are not necessarily needed in another.
  - Market positioning: To compete more effectively in highly competitive markets, some companies target pay levels higher than what is outlined in the salary survey. For example, you may position the pay for most jobs near the median of the market data, but then look to the 75th percentile of the market data for cyber security jobs.
  - Market data sources: Don’t rely on a generalized benchmarking salary survey to market price these critical jobs. The Global Cyber Security Compensation and Talent Survey is focused strictly on the market data needs for information security and will carry a higher degree of credibility with your business partners in IT.
  - Compensation components: Using incentives for cyber security professionals might help you drive better attraction or retention. In some cases, you may want to consider extending your long-term incentive plans to include information security.
  - New hire and retention: Consider special compensation actions such as sign-on bonuses and retention bonus plans, which can help your organization attract and retain key contributors.
The business risks associated with cyber threats are increasingly significant, regardless of geography, size or industry. Understanding cyber security trends and developing a talent strategy to meet the growing demand for cyber security talent will serve your organization well in the long term.
Contact us to learn more about how we can help you meet the needs of your cyber security human capital.