Most Companies Are Overpaying for Cybersecurity Roles
Security leaders are hesitant to invest in training for existing employees as compared to paying to hire outside talent. This inclination creates a severe cost disparity.
In my role spearheading the development of new cybersecurity training initiatives, I spend a lot of time talking to employers and former security colleagues about how they hire and fill their talent needs, including how they keep (or in many case, can’t keep) their highest performers in a hyper-competitive market. Many CISOs referenced the challenges in identifying and hiring the best talent – despite some of the highest average salaries in the industry. And while all acknowledged the critical role of continuing education in the constantly evolving field of information security, few cited a commitment to training as a key solution beyond one of the ways they are working keep employees happy.
Ironically, recent statistics show that most organizations are not providing their cybersecurity staff with adequate training. A 2017 ESG Research Study on the Life and Times of Cybersecurity Professionals also found that over 75% of cybersecurity professionals surveyed identified training courses as the most effective way for them to increase their knowledge, skills, and abilities (KSAs) and actively seek organizations that provide them incentives to enable those education opportunities.
Let’s examine the actual cost calculus of what it costs to hire (or lose) a cybersecurity employee versus investing in training one.
"The cost of losing an employee can be up to 213% of the salary for a highly trained position."
The Costs of Hiring
Some of the more tangible recruiting costs include the cost of your recruiter(s), the costs of posting and marketing some of your jobs, background checks, screening fees, and recruiting events. But there are also significant intangible costs that are baked into that process: the productivity lost for functional managers to interview candidates (a 2016 article cited an average of 13 interviews per one hire for an IT professional), any referrals or bonuses, the ramp-up time required for a new hire, and the cost of time of having an unfilled roll. In fact, the most recent ISACA report on the State of Cybersecurity 2018 cites 55% of organizations take at least three months to fill their open cybersecurity positions, 32% said they take six months or more, and 27% said they are unable to fill cybersecurity positions at all.
A subsidiary of Deloitte estimates U.S. companies spends an average of $4,000 to fill an open position. But the reality is that it might cost much more. Another study by the Society for Human Resource Management found employers spend the equivalent of 6 to 9 months of an employee’s salary in order to find and train their replacement.
The Costs of Turnover
And those are just the costs of filling a role! Don’t forget there is significant cost in losing your talent, too. The Center for American Progress found the cost of losing an employee can be up to 213% of the salary for a highly trained position. There’s also the loss of productivity of when high performers leave which has a much more disproportionate effect on an organization that typically reported, which is estimated to be the equivalent of losing 400% more productivity than the average performer.
Cybersecurity professionals on average command 9% higher salaries than already well-paid IT professionals. So if a highly needed cyber professional is making $120,000/year, the cost of the loss of that employee to a company could be up to $265,000. So if that’s really true, why not invest in something more cost effective and efficient like training to upskill some of the workers you have?
The Cost-Effective Alternative
As we all know by now, training is one of the most requested incentives by current cybersecurity professionals although data suggests 62% of organizations are not providing the proper amount of training. The benefits of training are pretty clear: not only does it provide current and aspiring cyber professionals the ability align their skills with the evolving threat landscape providing benefit to their organizations, but it also helps develop their careers and maintain their job satisfaction. And compared to all the costs we just covered above to achieve a similar result, training is a steal.
For example, two of the most commonly required industry certifications for management positions in cybersecurity are the CISSP (Certified Information Systems and Security Professional) certification from (ISC)² or the CISM (Certified Information Security Manager) from ISACA. A cost of a credible comprehensive training course (including CyberVista’s courses) and the cost to take the certification exam itself ranges from $4,000-$8,000. And beyond certs, investing in continuing education annually for your employees could realize even more costs savings depending on how it’s delivered.
While you might need to provide a significant raise to your employee after they earn their certification and land the promotion, the investment is still significantly less than hiring a new external manager. For added benefit, if you need to backfill, you can continue to do so internally across properly-trained positions to emphasize mobility in your firm. A worthwhile morale boost. If you need to turn to external hires, you can do so at a lower experience level compounding your savings as you grow your teams.
Where To Start
The old adage “an ounce of prevention is worth a pound of cure” is the perfect analogy to compare the training expenses for existing talent versus the costs of hiring new talent; yet, some organizations without career pathways and upskilling plans may still be more inclined to fork over the added costs. Do you want your employees to earn certifications? To do labs or other hands-on training? Where should you start? If you need help in determining how to upskill your employees and develop a internal plan moving forward, I’d be happy to help.