Building out a new function is usually the result of a core business need or a response to business development. Senior leadership, HR professionals and hiring managers must consider a range of factors before committing to an internal change such as the introduction of a new desk.
Past experience has shown how hiring, onboarding, training and developing new talent can have a considerable impact on your organisation's bottom line - even more so when a mis-hire occurs. Recent research has shed light on the cost of hiring the wrong talent. According to the Recruitment & Employment Confederation (REC), “a poor hire at mid-manager level with a salary of £42,000 can cost a business more than £132,000”. For larger firms, high turnover rates caused by bad hiring decisions can cost millions of pounds, a frightening thought. It is therefore critical that firms ensure they are hiring the appropriate talent for a genuine need, especially when it comes to a brand new function that has no precedent within the business.
Attracting the Best InfoSec and Cyber Talent
Within the information and cyber security sectors, there are four main focal points which need to be considered by employers if they wish to secure the strongest candidates in the space. From our experience as leading cybersecurity recruiters, the below are the key motivators for great talent:
1. Culture: Find the Right Fit
The term cultural fit has been a workplace buzzword for several years now, with numerous businesses using the vague term as a justification for hiring - or not hiring - a specific candidate.
Contrary to what some may believe, finding the best cultural fit is not based on expanding your team with like-minded people: hiring this way can lead to a lack of diversity within your firm.
Hiring to improve your business culture often requires more consideration. You want to question if the candidate’s values and beliefs align with your organisation's mission: do they share a similar attitude and vision as their potential teams and colleagues?
Why Is It Important?
These cultural factors are important as they help your business - and your function - attract the appropriate talent. According to Hueman RPO, professionals would consider taking lower compensation to work at companies known for their great culture. For this reason, when building out your security team, it is best to start by defining in detail what your company's and team’s culture is.
Defining the culture can be done in many ways, such as using an external company/Consultant or holding in-house discussions with current staff. Take a step back to analyse how the current team works, assess the dynamic, how well they work together and how impactful a new hire might be. Whatever the method, it is imperative that the hiring manager or recruiter can pinpoint the key characteristics that align with your culture.
What Are the Benefits of Hiring the Right Cultural Fit?
Making the right cultural hire for your security team can benefit your company in more than just monetary ways. Never underestimate the power of a happy employee! Employee satisfaction is always important; wanting a sense of belonging is human nature and, more often than not, it gets employees engaged, motivated and productive, with lower stress levels, which increases overall performance.
Naturally, with the right culture you will start to notice a positive shift in your employee loyalty and an overall cohesiveness within your teams and the way they work.
What Are Candidates Looking at in Terms of Corporate Culture?
Rutherford's expert headhunters have gained a clear understanding of the top culture concerns security professionals highlight when considering a move to a new firm. We found most candidates place an emphasis on two key elements: team structure and leadership style.
Before committing to a move, potential new hires have expressed the importance of clearly grasping the structure of the current team, but also how they function as a whole. Some questions come back frequently from strong talent whenever they want to dig more into the culture subject:
How well-organised is the leadership model?
What kind of communication is being used?
How transparent are interactions between employees and employers?
Do senior leaders impose definite goals?
What kind of team leadership framework is used?
Hard work is not a deterrent for top performers, and for most professionals it is a priority to feel motivated within their environment, both by their team and management.
Consequently, during the headhunting process, security candidates stress the importance of working with a leader who breeds inspiration and bears the capacity to work closely with the team. It is also crucial for leaders to act as a mentor that can be looked up to.
When building out your security team, the hiring process must therefore take into account your organisation's leadership style and the top-down management.
2. Work-Life Balance
In recent years, work-life balance has become a key factor for candidates. During the pandemic, employees were exposed to a new way of working. Working from home gave them the opportunity to take more control over their working day, being able to prioritise daily tasks while spending more time with friends and family.
According to Benenden Health, 30% of the working population describe themselves as unhappy at work because of the lack of balance. Having a good work-life balance not only improves mental health but benefits the business in the long run as employees are more efficient and productive.
Ensuring a good work-life balance became an uncompromising factor for candidates when the time came to negotiate new contracts or return to the office, and this doesn’t seem to be slowing down.
Improving Your Employees’ Work-Life Balance
Although it is not a company's sole responsibility to cater to their employees' work-life balance, it is important to prioritise mental health and wellbeing. Professionals may find it challenging to address these issues due to their deeply ingrained work habits, but there are copious ways work-life balance can be improved within organisations and teams:
Offering flexible working options
Building a culture of trust
Supporting employees’ individual responsibilities
Focusing on productivity rather than hours
Providing mental and physical health-promoting activities (e.g., gym membership, cycle to work scheme)
These options may seem broad but it is important to note that improving work-life balance is not a one-size-fits-all approach. Although the above can be applied across the business, senior management will most likely need to tailor their approach on a case by case basis, so that the model is adapted to the function’s needs.
How to Attract Top Candidates Through Work-Life Balance
It is no secret that job seekers crave a good work-life balance; however, every industry differs in how it presents this. What we have seen recently from a recruitment standpoint is an influx of security candidates seeking that flexibility.
These professionals are no longer open to working five days in a physical office: they are looking for a working model which allows them to work remotely from home or on a hybrid basis. The more flexibility offered to professionals often correlates directly to the level of attractiveness of the role.
As mentioned earlier, the security function has evolved and so has the complexity of the roles. Hiring new talent for a specific security role may require a professional with a special skill set - if that candidate with the ideal background and competencies is located far away, you will most likely have to make concessions from a working model standpoint and offer them a flexible solution.
At Rutherford, we have seen how the companies who are able to offer improved flexibility - some of them even going for a fully remote working model - end up appealing to a wider landscape of candidates. If you are in a position to offer creative working terms, securing the best talent will become easier.
3. Career Progression
When building out your security team it is important to think about career progression for your employees. Progression is important for professional development as it gives staff a sense of purpose, increases satisfaction, creates new opportunities and improves engagement and productivity.
Since the pandemic and the emerging widespread adoption of digital technologies, cybersecurity threats have increased. Cryptomining, ransomware, trojans, botnet, adware, exploit kit, man-in-the-middle, DNS tunnelling and zero-day exploitation are now only a few of the new variations of cyber-attacks being carried out today.
Each organisation will need to build their security team on a business-by-business basis, allowing them to frame their security teams around their immediate needs. However, as the variety and complexity of cyber-attacks grow, so does the demand for qualified cybersecurity professionals. Without a strong sense of progression, your team members could be at risk of losing motivation and your business could lose strong talent as they seek better opportunities elsewhere.
How Can Career Progression Benefit Your Business?
According to SHRM, when candidates feel invested in by their employers to develop and progress within their career, they are more likely to be engaged and motivated in their role, whilst actively working to fulfil the company's overall mission.
A poll conducted by Monster found that 29% of workers said a lack of growth opportunities was their reason for wanting to quit their roles, whilst 80% of workers do not think their current employer offers growth opportunities.
Applying an effective career progression framework within your team will offer clarity and will provide your employees a sense of meaningful progression. Experts say that employees who believe their employers make an effective use of their talents and abilities are overwhelmingly more committed to staying on the job.
How to Attract Top Candidates Through Career Progression
With capped potential, top achievers will never be satisfied - this sums up the feedback our Consultants often hear from candidates on the importance of career progression. If firms do not have the scope to offer more responsibility or an opportunity to advance from a given position and salary, they will likely look elsewhere for opportunities or simply see your company as a stepping stone until a better chance presents itself.
It is therefore essential to go over the numerous paths to promotion within your team with your candidates. For instance, what kind of mentoring or training programmes do you offer for managers? Do you give internal promotions? What is the typical time it takes for an employee to advance to the next level? What conditions must they satisfy—or surpass—in order to get there?
A company's ability and willingness to grow them will be one of the main selling factors when security candidates consider their next challenge.
Before the global pandemic hit, the average CISO salary wavered around £150,000 a year. Then, COVID-19 dramatically altered how businesses operated: firms were forced to conduct processes digitally, virtually connect with their network and work remotely. These significant changes came with challenges - cyber attacks increased by 400% since the start of the pandemic, reinforcing the need to integrate the security function into firms.
These fundamental business changes have shifted how firms see and value cyber security, with larger financial services groups now offering up to and over £200,000 per annum. It is imperative to note that you cannot associate strong compensation packages alone with the right hire. Paired alongside the other three motivators - culture, work-life balance and career progression - your business will position itself above competitors in the market.
How Important Is Compensation to Top Candidates?
Rutherford has found that if all the above boxes are ticked, candidates are usually relatively flexible when it comes to salary expectations.
A major advantage that candidates seek when looking for new employment is support with professional development and up-skilling. In Rutherford’s experience recruiting within the cyber security industry, we have found one of the most common questions among professionals is about financial support for professional certifications.
Employees feel more motivated to work when they feel invested in: it lends itself to a high performing, engaged environment, meaning that even if your basic pay offered is below market rate, you can maintain market competitiveness by offering benefits that are worthwhile in addition to wage.
The Rise of Information and Cyber Security Functions
Information Security (InfoSec) and Cyber Security risks have surged over the last decade, and the past 12 months have seen that growth accelerate and evolve. As a result, organisations must cast an even closer eye on their InfoSec and Technology Risk policies and ensure they have the right people and resources in place to mitigate the threat.
However, unlike other business areas, building out the security function is not as straightforward. Cyber incidents come in all shapes and sizes and will require your security team to have a number of professionals with niche specialisms and the right skill sets to appropriately put in place the solution.
It is also worth noting that the position of security teams within businesses has shifted over the last few years. The function was most commonly seen as a technical role with a focus on technology, but gone are the days when InfoSec was “an IT issue”. Nowadays, the function is business-critical, gaining support from the wider management team and having more influence over business decisions through integration. According to a Gartner report, 88% of Boards now regard cybersecurity as a business risk rather than solely a technical IT problem.
With an incredibly candidate-short market, the competition for excellence has never been greater in the recruitment space. Firms have started to build aggressive and compelling packages to entice the sector's rising stars to join them, as hiring managers are working hard on growing their team to respond to business needs.
If CISOs want to secure great talent when building out their function whilst further solidifying cyber's position within their firm, they will need to take into account the key elements that candidates in the industry are actually looking for when considering a new position.