Businesses that can afford the added expense are bringing on their own in-house cybersecurity teams. These teams develop and implement strategies to defend against cyberattacks and to help the business recover in the event of a successful data breach. The shortage of cybersecurity professionals, however, is driving salaries higher and making it more difficult for businesses to assemble the skilled talent that they might need. As a result, businesses might need to go beyond their common hiring practices to form an in-house cybersecurity department.
First, the “cybersecurity professional” job title is too broad and generic. For example, a cybersecurity team needs to include individuals who are adept at detecting data intrusions, who understand data analytics, who can develop software routines that respond to the business’s specific needs, and who can analyze the company’s broader operations to identify and mitigate risks. The team must also have skills in cloud-based cybersecurity applications, network monitoring and access management, and data security practices. Every team member needs exceptional communication skills in order to get the cybersecurity message out to the entire company. No single individual is likely to have all these skills. Any business that hires one or more cybersecurity professionals without a better definition of the skill sets that it needs is likely to be disappointed with its results.
Second, businesses should expect to pay six-figure salaries to seasoned members of an in-house cybersecurity team. Salaries vary as a function of geography, but chief information security officers in the United States earn between $130,000 and $380,000 annually. A single successful cyberattack on a business can result in costs and liabilities in the millions of dollars, and these salaries are more than justified in view of the risk reduction that an in-house cybersecurity team can provide.
Third, businesses might need to look outside of the typical pools of candidates with technology training to find the right cybersecurity professionals for their in-house teams. The white male stereotype that dominates the technology landscape is falling away as women and people of color are making greater inroads into cybersecurity fields. Including women, minorities, and other groups that have been typically underrepresented in the technology fields will also give an in-house cybersecurity team a variety of different perspectives that can be beneficial in detecting forms of cyberattacks that fall outside of the common attack patterns.
Fourth, cybersecurity personnel who are expected to remain on call for extended periods of time will quickly burn out due to a poor work-life balance. Higher salaries can compensate for longer job hours, but even that compensation will have limits. Businesses should structure cybersecurity teams to allow for time away from professional responsibilities.
Fifth, businesses are notoriously bad at recruiting employees for cybersecurity roles. Personnel shortages and competition for talent have exacerbated this problem. As cybersecurity becomes a more critical component of every company’s operations, businesses will likely need to elevate their development of internal talent and to make their cybersecurity teams more attractive to outside talent. This is particularly true in industries such as healthcare, which has historically relegated cybersecurity to a lower tier.
Businesses that continue to rely on third-party contractors to handle cybersecurity matters will face these challenges indirectly, as those contractors will inevitably experience their own talent development issues. These challenges will abate as the cybersecurity field continues to grow and more individuals are drawn into it by larger salaries and better employment opportunities.
Pending that growth, and even after more people enter the field, businesses will need to adopt other mechanisms to protect themselves against cyberattacks and to handle losses and liabilities that threaten their profits when a cyberattack is successful. Cybersecurity insurance is the best option for that purpose. Sure, insurance is not a substitute for a good in-house cybersecurity team, but it can keep a business afloat both before and after it forms that team and implements regular cyberdefense and post-breach strategies.