Security skills are like gold to businesses, and their value continues to escalate as the complexity and severity of attacks, as well as compliance requirements, continue to grow each year. The problem for today’s organizations, regardless of their size or market, is the limited pool of available talent. Even though the number of skilled security professionals is rising, the demand for those individuals is far outpacing the supply ‒ resulting in a significant shortage that researchers expect will worsen significantly over the next few years.
An estimated 350,000 cybersecurity positions remain unfilled in the U.S., according to a recent report by Cybersecurity Ventures, and the global shortage is expected to reach 3.5 million by 2021. Recruitment and retention plans are about to shift from a problematic concern to a “level 10” challenge for businesses and the tech community. MSPs will continue to compete with the deep pockets of enterprise companies and other tech firms, which will inevitably drive salary and benefit requirements for new recruits through the roof in the coming years.
That presents a significant challenge for service providers. With demand for advanced cybersecurity skills rising, no matter what type of clients they support, MSPs are going to need more people with ever-greater talents in the coming years and must leverage all their available resources to ensure the viability and profitability of these valued business practices.
Hiring the cybersecurity professionals that can make that happen will get more difficult and costly as demand for their talent increases. MSPs who fail to expand that core skill set may have to curb expansion plans or boost their training and partnering efforts to fill the void.
Of course, local market demand and specific skill needs are key variables when talking salary costs. In larger cities, MSPs looking to hire talented IT security professionals will be competing with dozens of businesses with potentially better benefits and deeper pockets. Wherever demand for cybersecurity experience is highest (which means virtually everywhere today) and supply is lowest, companies can expect the minimum salary requirements for these professionals to rise substantially over the coming years.
That situation is already the norm in some communities. For example, the average annual salary for a certified IT security professional in NYC is nearing $150,000 (that is, if you can find one). MSPs in that area have been quite vocal about their difficulties finding experienced and affordable cybersecurity talent. Many continue to pass up new business opportunities until they can fill these open positions.
Costs are rising for those with security-related training, certifications, and experience, regardless of location. The average annual salary for an IT security generalist is now $77,247 in the U.S., according to a recent PayScale survey, if you can find anyone with genuine credentials willing to accept that amount. Professionals with advanced skills command a far higher premium (check out the six highest-paid positions here).
MSPs and other organizations that need quality security talent have to find a way to absorb those costs or train from within. That’s why you must research the costs and availability of talent when building a cybersecurity plan that addresses clients’ concerns as well as your company’s bottom line. Sticker shock when hiring can cause MSPs to pause and reconsider their job requirements or stretch out recruitment timelines, so it’s better to evaluate market prices before building your business plan.
Which Skills Are Really Needed?
The first step when building a cybersecurity strategy is creating a list of current team capabilities and customer requirements and identifying gaps that could prevent you from properly supporting current and future clients. That process is essential for developing job descriptions and kicking off recruitment efforts.
For example, you need to know if a level-one technician would be able to handle a specific set of responsibilities to ensure your firm’s security operations are running optimally in the off-hours. Could a current employee or a new hire with basic skills fill that role?
MSPs often recruit or promote based on potential or raw talent and then invest in training and certifications to bring those employees up to speed. That’s usually the best approach when top-tier professionals are too costly or not readily available in your area (or willing to relocate).
The second step is to carefully research the talent pool and develop a skills strategy that fits your specific situation. That involves asking and answering several critical questions, including:
- Can you find AND afford individuals with the competencies your company needs?
- Could existing employees provide that expertise, and how much training would be required?
- If so, what costs would be associated with backfilling those positions and completing necessary training and certification?
- Would partnering with peers (other MSPs or similar IT services companies) or other third parties be more cost-effective than hiring more employees?
After careful consideration of the various factors involved in answering those questions, MSPs will be better prepared for building a logical cybersecurity business plan. As skills shortages in this tech specialty increase, channel firms are more likely to focus their efforts on training and advancing current staff members. Grooming existing talent and investing in valued cybersecurity training and certification programs will be critical for MSPs who wish to build strong practices and better differentiate their businesses.
Of course, you’ll likely have to make deeper commitments to retain that talent, including increased salaries and bonuses for reaching certain milestones or countering competitive offers for their services. Money is still a great motivator, but younger staff members may actually prefer extra vacation days or a more flexible work schedule as a reward. You may need to be more creative with incentives to attract and keep quality cybersecurity talent today.
There are no quick and easy fixes for addressing the escalating skills gap. It will take patience and perseverance to keep your supply ahead of the increasing demand. Successful cybersecurity practitioners take time to develop and execute their hiring and retention plans and forge partnerships to fill any remaining skills gaps.