Qualified security professionals are in high demand. No sooner do you hire them, they leave for better pay or greater job satisfaction. Here's how to find, hire, and retain the best of the best.

Talented cybersecurity professionals aren’t playing hard to get. They are hard to get.

It’s difficult to recruit qualified security staff because there are more openings than humans to fill them. It’s also difficult to retain IT security professionals because someone else is always hiring. But don't worry: Unless you work for an organization that refuses to pay the going wage, you’ve got this.

The numbers

Let's look at the hiring data for security pros, and then run through some ideas for recruiting, employee retention, and less obvious alternatives. (If you already know how bad this problem is for your organization, feel free to skip the data and go right to the tips.)

Two recent studies present dire, but somewhat conflicting, views of the availability of qualified cybersecurity professionals over the next four or five years.

The first study is the Global Information Security Workforce Study from the Center for Cyber Safety and Education, which predicts a shortfall of 1.8 million cybersecurity workers by 2022. Among the highlights from that research, which drew on data from 19,000 cybersecurity professionals:

The cybersecurity workforce gap will hit 1.8 million by 2022. That’s a 20 percent increase since 2015.

Sixty-eight percent of workers in North America believe this workforce shortage is due to a lack of qualified personnel.

A third of hiring managers globally are planning to increase the size of their departments by 15 percent or more.

There aren’t enough workers to address current threats, according to 66 percent of respondents.

Around the globe, 70 percent of employers are looking to increase the size of their cybersecurity staff this year.

Nine in ten security specialists are male. The majority have technical backgrounds, suggesting that recruitment channels and tactics need to change.

While 87 percent of cybersecurity workers globally did not start in cybersecurity, 94 percent of hiring managers indicate that security experience in the field is an important consideration.

The second study is the Cybersecurity Jobs Report, created by the editors of Cybersecurity Ventures. [The report has since expired and the link gone dead.--Ed.] Here are some highlights:

There will be 3.5 million cybersecurity job openings by 2021.

Cybercrime will more than triple the number of job openings over the next five years. India alone will need 1 million security professionals by 2020 to meet the demands of its rapidly growing economy.

Today, the U.S. employs nearly 780,000 people in cybersecurity positions. But a lot more are needed: There are approximately 350,000 current cybersecurity job openings, up from 209,000 in 2015.

So, whether you’re hiring a chief information security officer or a cybersecurity operations specialist, expect a lot of competition.

Recruiting tips

It’s almost always better to retain decent talent than to replace it. As in any other job category, you should try your level best to keep well-performing professionals. That also applies to keeping staff who show promise but need training or mentoring (because, well, better the devil you know). That said, there is always a need to add new staff, whether due to poaching from well-funded competitors, natural attrition, or business expansion.

Recruiters can help. While I don’t always suggest recruiters, it’s recommended when it comes to senior cybersecurity staff. That’s true particularly if you are looking for specific areas of expertise, such as vetting source code or performing “ethical” testing of your systems.

Not sure where to start with Hybrid Cloud Security? Yep, we have a dummies guide for that. Read it now

Widen your lens. The cybersecurity field is dominated by men, which means there is an opportunity to open things up. If your organization is overwhelmingly white and male, you need to start thinking outside the usual hiring-by-personal-networking path, because even with the best of intentions, your existing staff will probably recommend techies who look like them—white and male.

Proactively recruit and hire more women across the IT department. This isn’t diversity for diversity's sake (which isn’t necessarily a bad thing, of course). Half of the people in this world are female. Depending where your organization is located, a significant percentage of the local talent pool may be minorities. Work with HR, local colleges, and professional associations to ensure that you are reaching everyone—and that your ads and job descriptions don’t convey an implicit bias.

If you are recruiting women and minorities (and you should be), make sure you have an environment where they can thrive. Otherwise they will leave, and the wrong lessons might be learned (such as, “We tried hiring women and it didn’t work out,” instead of, “We have an environment that’s hostile to everyone who isn’t a white male”). For some ideas, read "How to make your company more attractive to women in IT" by Barbara Krasnoff.

Similarly, if you do work with recruiters, emphasize that you truly want to see a mix of candidates. Don’t accept the recruiter claiming, “Well, we only received resumes from men.” Push them to do better.

Broaden the scope of job qualifications. Is it truly necessary that a candidate have five years of cybersecurity experience, or even a college degree? In some cases, maybe. In others, you may be better off hiring someone with a general technical competency, such as in cloud computing or Windows Server internals, who also has a strong interest in security.

You can recruit internally, even from teams that aren't currently part of your IT department. You might also do well hiring military veterans with a good service record; a security clearance suggests that they can keep secrets.

The idea here is to look for the right attitude and aptitude in someone who needs to come up to speed. This means, of course, that you have to provide the right training and mentoring, whether it’s attending conferences or taking on tasks that seem a little too difficult. And you now run the risk of training someone who, three years from now, may leave for a better-paying job that requires three years of cybersecurity experience. Remember, there’s no such thing as loyalty, not in today’s tight job market. That puts the burden back on you to retain that person.

The bright-eyed, bushy-tailed millennials with an interest in and aptitude for cybersecurity are likely to be open-minded and to question everything. Yes, it’s maddening. But they are inquisitive, which is exactly what you want a security professional to be. Once cybersecurity becomes a punch-the-clock rote job for someone, the employee is a liability, not an asset.

Oh, and there’s compensation. Needless to say, you need to know the local pay scale. That pay scale obviously varies depending on location and the role you aim to fill. One place to start salary research is Glassdoor.

You have to be competitive in job offers. Competitive doesn’t mean that you must pay the highest salary. In fact, you might have flexibility if your organization has a good reputation, the work is engaging, and you can show candidates that you'll provide training, support, freedom to explore and learn, and a career path. Also consider the intangibles, such as flexible working hours. Find out what the candidate wants; it may not only be money.

Retention tips

You’ve got your security staff—whether it’s one or a dozen or 100, it doesn’t matter. (Well, it does, we’ll get to that soon.) Some of them are “keepers.” If you’re lucky, all or nearly all of your employees will be solid performers who you won’t want to lose or replace.

To retain the security specialists you value, figure out what they want and deliver it.

For some of your staff, the challenge is the thrill of the hunt. They like finding potential vulnerabilities. They scour vendor bug reports and security news feeds, and even dabble in the Dark Web. Great. Let them!

Find a way to bottle that enthusiasm. Ensure that their work is acknowledged by you and management, and that what they find is shared and turned into actionable intelligence. At the end of the day, cybersecurity is all about reducing business risk. If you can help your security pros—and the rest of the organization—see the successes in heading off vulnerabilities before they turn into breaches, you’ll have happier security teams and happier executive management. (And perhaps easier budget meetings next year.)

For other employees, job satisfaction comes from helping your organization accomplish its mission. Find ways to get security specialists out of their silos. Help them understand the projects for which they're building security capabilities, whether it’s designing new Internet-connected widgets or opening new offices overseas. Get those staffers involved in discussions about new initiatives that might have implications for your security posture. Position your security team as enablers of business success, instead of just another bureaucratic obstacle. Help them learn how to say yes to new ideas, and encourage them to be disrupters.

Don’t push people into unwelcome roles. Some employees do an excellent job, but it’s only a job. Their real passion is rock climbing, or taking their family to theme parks, or playing video games. Embrace the quality of work they deliver, but don’t try to turn them into something they’re not. Find ways to enable these workers to get what they need from their job, whether it’s consistent hours, telecommuting, or a competitive salary. You always need to know when you’re paying someone appropriately, or if their newest professional certification warrants a bump in the old direct deposit.

What about promotions? Cybersecurity staff are like many other IT professionals: Some want to be promoted into management positions, and others don’t. However, they still want professional advancement in order to gain recognition and status, improve their paychecks, and burnish their resumes. Don’t try to push staff (in cybersecurity or otherwise) the wrong way. Nothing kills a team more than advancing someone into management who has the wrong personality or the wrong skill set and would rather spend their time poring through the weekend’s firewall log files.

Security attitudes encapsulate corporate culture. The cybersecurity team is (often) part of the broader IT department, and of your organization as a whole. If you have a toxic environment, that affects even the most heads-down cybersecurity professional. If you don’t have strong teams and management support for your work, fuggedaboudit.

Finally, be conscious of who you want to retain—and who you don’t. You should have clear expectations for each member of the cybersecurity team, and clear performance metrics. If you don’t know how well each person is doing, well, you don’t know. Fix that.

Another option: outsourcing

If you are in a large organization and have the resources to staff, empower, and manage a cybersecurity team, that’s great. If you can offer training, travel to conferences without worrying about “coverage,” and a genuine career path that can keep your people engaged for the next five or 10 years, you have a good chance to keep those expensive, highly trained cybersecurity professionals.

What if you have only one or two security experts? Or you can’t really offer a career path and mentoring? Consider outsourcing cybersecurity to managed security service providers (MSSPs). They have the staff, training, and information sources to be really effective. And I’ll be honest: They will be more effective than you can be, because cybersecurity is their business, not yours.

Here are some reasons to consider MSSPs:

They are staffed to monitor your organization 24/7.

They can correlate security events from multiple clients.

They can afford specialists in obscure security topics.

They receive and use real-time security threat information.

They can offer a real career path for cybersecurity professionals.

Hiring and retention is their problem, not yours.

Yes, the MSSP is a cost, but it’s often worthwhile.

Note that there is an issue of responsibility here: The MSSP is like any other contractor or vendor in that you still retain the legal responsibility for managing your security risk. That said, make sure the contract doesn’t let the MSSP off the hook if there is a breach.

Lessons for leaders