What is Your Cyber Security Talent Strategy?

July 14, 2017

Building a Human Capital Action Plan to Meet the Growing Threats

Cyber security has quickly become one of the most significant risk factors faced by business leaders. Certain industries have greater threat exposures because of both the volume and nature of data inherent in their business (e.g., financial services, hospitality, retail, or healthcare). However, as more products become ‘connected devices’ in the push for the Internet of Things (IoT), cyber risks are now present in everything from our automobiles to our household appliances.

To combat these threats, some organizations have started aggressively hiring more cyber security staff. While the demand for talent is rising sharply, the supply of skilled talent hasn’t kept pace.  As a result, we see classic labor market economics in full swing. When the demand for cyber security talent rises and the supply stays constant, the price (salary) goes up.

We expect the imbalance between supply and demand to be the new norm for the foreseeable future. According to Symantec, we should expect to see 1.5 million unfilled jobs in cyber security by the year 2019 because of the shortage of skilled talent. Over the past five years, job growth in cyber security has been 3.5 times faster than that of other IT jobs, and a whopping 12 times faster than that of jobs outside of IT.

InfoSec Specialist Job Growth Is 12 Times Faster than Non-IT Jobs

And the effect this increasing demand for workers is having on compensation is already significant. Based on our High Demand Information Technology survey, the 3-year growth in base pay for cyber security jobs is 3 times higher than other IT job families.

Developing a Cyber Security Talent Strategy

Responding to the organizational threats from hackers isn’t just the responsibility of the Chief Information Officer (CIO).  Human Resources leadership needs to develop the talent strategies to help protect their company’s digital assets.  Because the risk associated with cyber security is so great, many organizations have been making every effort to come up with creative approaches to their talent strategies.

Much work goes into developing a comprehensive talent strategy, but we’ll outline our thoughts on how you can start to develop a human capital action plan focused on cyber security.

Organizational Planning – HR and compensation professionals should facilitate organizational planning sessions with Information Technology leadership.  The IT leaders will know the details of what’s required to meet their objectives, but HR and compensation professionals can help articulate the structure and roles.

  • Organization Structure: A key consideration when designing your organization structure for IT security will be the reporting relationship. Most commonly, we find the top information security executive will be a direct report to the CIO. This helps ensure that cyber security is getting the level of attention it deserves.
  • Job Design: We created the Global Cyber Security Compensation and Talent Survey by working closely with industry experts to define the benchmark jobs. By participating in the survey, you can leverage the work we’ve done as you work through your job design process. Your job design efforts will vary based on your business needs, but comparing to our model job structure can help provide you a roadmap.

Staffing and Sourcing – The predicted shortages of available talent mean organizations will need to be more creative when defining action plans for staffing and sourcing. A successful staffing and sourcing strategy will be multi-faceted, but here are two approaches to consider.

  • Investing in Education: Recognizing that this demand for information security workers is a long-term problem, some organizations have adopted a ‘grow your own’ approach for sourcing talent. This involves selecting based on aptitude and potential and then investing heavily in training.
  • Selection: It’s not enough to just attract new candidates. In periods of high demand, it can be tempting to be less stringent on the selection processes.  However, ensuring you have the right talent identified saves time in the end.

Compensation Plan Design – Developing your compensation plans to meet the needs of your organization’s cyber security talent strategy involves sound business judgment and a solutions-oriented mindset. The high market demand for talent will most likely present you with some challenges, and you’ll want your plans to be adaptable to the unique needs of these roles. You wouldn’t want your pay programs to be the barrier that stands between success and failure in the organization’s ability to attract, retain and engage the people needed to ensure cyber security. Here are some suggested compensation considerations.

  • Eligibility: As you look at adapting each of the various reward levers, be sure you have solid footing around who would be eligible for participation in the revised program. Yes, you want to support your company’s cyber security efforts, but not all jobs in the IT security family are facing the same challenges.  For example, our survey breaks out security operations roles from security architecture. The shortage of talent for security architecture is different than what is felt in security operations and reward programs needed in one area are not necessarily needed in another.
  • Market Positioning: One approach companies will frequently take to compete more effectively in highly competitive markets is to target pay levels higher compared to the results from the salary survey. For example, you may position the pay for most jobs near the median of the market data, but then look to the 75th percentile of the market data for cyber security jobs.
  • Market Data Sources: As the old carpenters’ saying goes, use the right tool for the job: you shouldn’t rely on a generalized benchmarking salary survey to market price these critical jobs. The Global Cyber Security Compensation and Talent Survey is focused strictly on the market data needs for information security. This survey will carry a higher degree of credibility with your business partners in IT.
  • Compensation Components: You should give consideration to using the full array of reward plans, if it is appropriate. Some organizations may not provide short-term incentive to their individual contributor professionals across the organization. However, using incentives for cyber security professionals might help you drive better attraction or retention. In other cases, you may want to consider extending your long-term incentive plans to include information security.
  • New Hire and Retention: Be sure to consider special compensation actions such as sign-on bonus and retention bonus plans. These types of plans can help the organization bring in new talent and/or hang on to key contributors. Building these types of pay plans into your talent strategy proactively can help you save time compared to dealing with them on an ad hoc basis.

The business risks associated with cyber threats are increasingly significant, regardless of geography, size or industry. The ideas outlined here are just some of the many components you should consider when developing a strategic talent plan to meet the growing demand for cyber security talent. Contact us to learn more about how we can help you meet the needs of your cyber security human capital.


