The cybersecurity talent crunch isn’t new, but for CISOs the challenge is no longer just about hiring; it’s also about holding onto the talent they already have. A recent report by IANS Research and Artico Search indicated that more than 60% of cyber professionals are contemplating switching jobs within the next 12 months. Among those considering a change, dissatisfaction with career progression emerged as a key issue.
With demand outpacing supply and professionals regularly fielding offers, retention needs to be top of mind for CISOs. Still, some argue the real issue lies in how the shortage is framed: the problem may be widely misunderstood, according to Tom Chapman, co-founder and director of cybersecurity recruitment firm Iceberg.
“I don’t believe there’s a cybersecurity skills gap,” he says. “What I believe is there’s a training and development gap.” Chapman explains that many graduates find it hard to land their first job because employers often prefer candidates with years of experience. “Nine times out of 10, organizations aren’t paying us to find graduates. They’re coming to us to find skills that have been harnessed over a period of time that are hard to get.”
Chapman says because of this dynamic, roles that fall in the mid-career range, requiring six to 10 years of experience, are among the hardest to fill. “These people are already embedded in good organizations and are probably working on really impactful projects,” he says.
Jessica Cassidy, co-founder and practice lead at OPCyberTalent, agrees that the mid-career gap is a critical pressure point, and for this reason she believes there is a talent shortage problem. She points out that, unlike more mature fields such as software engineering, the cybersecurity industry is still growing and developing the talent pool it needs.
“There is a shortage because we’re playing catch-up,” Cassidy says. “There’s a shortage because we only have a certain population. Now, we’ve got a bigger population of entry-level professionals, but we’ve also got bigger problems. We’ve also got these senior folks who have been in the business for quite some time and they’re getting ready to retire or move onto less stressful roles, so we’ve got this gap of the three to eight years’ experience, and it’s a pretty big gap, and that’s what people want.”
These mid-career professionals are particularly valuable because they’re still eager, affordable, and adaptable. “They’re in roles where they’re getting paid pretty well and those security teams don’t want to lose them, and they do whatever they can to keep them. But you’ve got these new roles, and more security problems are opening up, so how do you plug that gap with more junior folks? That’s what most talent teams and executives are thinking about,” Cassidy says.
Why do cyber professionals leave?
Understanding what drives people to leave their roles is the first step to fixing it. Cassidy identifies several red flags that can push talent away, including a reactive rather than proactive cybersecurity culture, poor leadership, limited scope for influence or advancement, and pay.
Chapman adds that a lack of internal opportunities is another major reason talent leaves. He shares the story of a SOC analyst who felt invisible in his organization.
“He’d been in the same role for almost three years, and he’s that sort of individual that doesn’t complain and always delivers,” Chapman explains. “Under the radar, he was upskilling himself on his own; he’s a hungry individual who wants to learn. Although he’s in a SOC role, he’s looking at more threat hunting and purple teaming. But no one had ever asked him what direction he wanted to go in, or what sort of occasions he was eyeing up, or what technology he wanted to explore or get exposure to. So, when we called, he was all ears. He told me that he didn’t know that he was allowed to ask.”
Chapman points out that many cyber professionals are problem-solvers first and career planners second, which is why regular career conversations are essential. “If you’re not having regular, proactive conversations about growth and motivation, you’re leaving the door wide open for attrition,” he warns.
Build teams from within
Recruiting talent from within the business and training existing employees, even those in traditional IT roles, is what helped another CISO, Chapman shares. “I always ask CISOs, ‘Have you looked internally first?’” he says.
He explains how the CISO of an industrial organization needed OT security engineers but found them hard to source. Instead of hiring externally, he turned to his plant’s control engineers. “[He] asked, who knows the environment better than anyone? Who’s curious about security? And then offered those opportunities internally … and found a couple of people that were interested in cybersecurity, but had no idea about a pathway into cybersecurity,” Chapman explains.
“It wasn’t casual [training]; he built a training and development program that covered core security concepts, practical skills, and he paired them with mentors from the existing security team, ran workshops, and even brought in some guest instructors.”
The approach led to stronger retention, a more resilient team, and deeper cross-functional understanding. “What really stood out was it was inclusive,” Chapman says. “There were engineers who never thought they could pivot into cybersecurity. What was really interesting about that story is that there’s a particular woman, formerly a control engineer, she’s now running vulnerability assessments across all the plants.”
“Where this team had traditional security engineers for OT environments, they also have OT engineers now doing cybersecurity, so both parts of the team are helping each other learn more about the systems.”
Cassidy echoes this sentiment, emphasizing the importance of succession planning. She says programs such as internships and apprenticeships are critical, especially for identifying those eager to pivot into cybersecurity roles.
“Maybe there’s someone in a help desk role that really wants that cyber role. Or there’s someone in software engineering, and they’re tired of code, and want to do something else. Whatever that may be, they need an opportunity,” Cassidy says. “It’s realising you’ve got these eager people that want to do that job. So how do you bridge that gap with those hungry and talented folks?”
Support growth with certification and autonomy
Another strategy the experts recommend, one that can help both retention and professional development, is offering support for industry certifications.
“Certifications are worth their weight in gold,” Chapman says. “Covering the cost of credentials, which can run to $10,000 or more, can be a major factor in whether someone stays or goes.”
Cassidy points out that, in addition to certifications, there are other upskilling opportunities: a cybersecurity bootcamp, online self-paced programs, or signing up for a centre of excellence, while also giving individuals the opportunity to shadow someone already working in cybersecurity.
What’s important, they both argue, is to create an environment where professionals feel there’s room to grow, whether that’s building a new team, influencing tool selection, or developing custom solutions. “If you’re hiring for a mid-level manager, if they’re going to inherit a team, is that really a big sell? Whereas if you’re going to let them build a team from scratch, then that’s exciting,” says Chapman.
Cassidy recommends tying development to incremental financial increases, a model that rewards commitment and progression. “If you’re training those folks and giving them incremental financial increases as they hit certain milestones, say every eight to 12 months or if they meet certain KPIs, it can make a difference. I’m not saying it has to be 10% each time, it could just be a bonus. People are financially motivated.”
Ultimately, retention and growth aren’t about ticking boxes; they’re about building relationships and understanding what both the cyber professional and their managers stand to gain.
“It’s a joint process. It’s not one-size-fits-all, but that’s why it’s so important to talk to your staff and work out internally, ‘Okay, this employee’s motivations are X and Y. What am I doing to help them in that journey or aid that progression?’ And not enough people are asking themselves that question,” Chapman says.