Security Hiring Is HARD
Observations from the past few weeks trying to hire senior security people.
Security Hiring Is HARD. Many of us in the security industry know this already, but it becomes a big shock to those not entrenched in the industry. Many times executives responsible for security hiring (CEO’s, CTO’s, VP’s of Engineering, etc) are shocked by the “audacity” of high compensation packages requested by senior security people.
So this is a brief guide for the uninitiated. I have a more details in my upcoming book.
Supply & Demand -> Skyhigh Salaries
According to different sources, there are millions of open cybersecurity jobs in the US. I wasn’t comfortable quoting all these sources, so I did a quick unscientific search myself on LinkedIN:
“cybersecurity engineer” - 108,225 results
“CISO” - 2587, results
“infosec” - 43,491 results
Ok, you get the idea. This was just on LinkedIN and doesn’t include several other job sources let alone the military and jobs that are unposted. There is a shortage.
The point here is that salaries are very high, so don’t be shocked. Compensation for CISO’s is in the millions for fortune 500 companies and for security leaders in other companies ranging from $300-600K (base). I saw myself a Dir Of Cloud Security position being paid $600k (no bonus) at a hedge fund.
Care And Feeding Of Security People
Now you have cybersecurity talent, the challenge is keeping them. There is a high degree of burnout in the cybersecurity field. In my discussion with Nick Jeswald, a cybersecurity recruiter, we talked about the care and feeding of security people. Some highlights:
They want to get security things done. If they can’t get their security projects off the ground due to blockers from other teams, this will lead to frustration.
They love to learn and challenge their brain. Like any good engineer they want to stay sharp and learn and play with the latest things. Security does always have a straightforward solution, so anywhere we can innovate or learn new things, that will be helpful.
Defcon is mandatory. I’m adding this one here myself. Defcon (and other security meetups) is a place where hackers meetup, exchange ideas, and can be in a place where everyone understands them. This is where security people recharge. Let them and pay for them to go to Defcon.
Not Paying For The Right Tools. I’m not a fan of buying a tool to solve a problem… and although it’s related to the age old “buy vs build” discussion in tech... there will be times where you will need to purchase tools or licenses. Maintaining security costs money. This could be anything from paying for SSO, to rolling out a password manager for ALL employees, to buy Burp Pro for your engineers. I’ve seen companies of ALL sizes skimp out on all of the above. If you have a small security team and want them to be successful, then help them.
Take care of your security talent. Make sure they have everything they need (politically and financially) to get their work done.
Finding Senior People Is Hard, Try Junior Talent
Yes, we all want senior folks to hit the ground running and get things done. However, they have shorter life spans and come with their own set of problems and sometimes drama. When you’re in high demand, sometimes security people get too full of themselves.
However there are TONS of talented and hungry individuals out there that with a little mentorship and training can do a phenomenal job. It requires a little strategy, some vetting, and taking a bit of risk.
One combination I’ve found successful is getting a really good senior person and pairing them with one or two junior folks. With that scenario you avoid burnout, single points of failure, and start developing a cohesive team.
Hopefully this is has been helpful to you and has elucidated more about the security industry then when you first started reading. This is all advice I give my clients when helping them build their security teams.
What has your experience been? Feel free to comment below or share if you found it helpful!