AUSTRALIA’s unemployment rate could sink below 4 per cent this year, and fall further to 3.75 per cent by the end of 2023, the nation’s Reserve Bank forecast in February. If reached, that would be the lowest jobless rate in Australia in nearly 50 years. AISA communications manager Nick Moore asked cyber security recruiters what this would mean for hiring and retaining staff in the already challenging infosec industry.
If Australia’s unemployment rate falls below 4%, how will that affect staff retention in cyber security?
Paul Jenkins (Decipher Bureau): “We have seen a huge increase in salaries over the past 6-12 months. Counter-offers are on the rise, but it seems to be things like flexibility, training, lack of management support, or workload that are impacting people’s decisions to leave the most.
“Companies are starting to focus a lot more on staff retention, creating comprehensive EVPs (employee value propositions).
“We believe we will start to see an increase in retention bonuses for key projects. The opening up of borders and subsequent increase in overseas candidates is likely to have an impact on salaries - perhaps driving them down - and people’s desire to leave.”
Diane Humphries (Cameron Recruitment): “It is already a struggle to retain cyber security workers. It's a discipline where movement and resignation are amongst the highest of all technical roles. International borders reopening will not improve the demand for cyber security workers in the short term.
“So if unemployment rates fall further, difficulties with staff retention will be exacerbated because it will mean many more organisations are looking for staff across the board, including IT and cyber security roles.
“It also means to retain staff there will be an even greater pressure on existing salary packages and benefits for cyber security workers.
“HR departments and senior leaders need additional strategies in the areas of career development, flexibility, upskilling and remuneration to address this impending situation.”
Jim Morris (Synchro Partners): “With unemployment rates forecasted to fall below 4 per cent, this amplifies an already apparent short supply of accessible talent in the market and intensifies competition amongst employers, with the possibility of your staff being tempted to greener pastures.
“New projects, new technologies and career growth opportunities arise every day so it is evitable that the ‘musical chairs’ in the cyber security marketplace will continue.
“This is the nature of the beast as seen in the competitive market pre-GFC (Global Financial Crisis).”
Ricki Burke (CyberSec People): “I don't see much of a change. There have never been so many jobs in cyber security. Simply put, it's a war for talent and using a recruitment term, ‘It's a candidates’ market’.
“Security professionals are in the driving seat of where they want to work, what type of conditions they are looking for, etc. But if you think it's bad in cyber security, it's even more challenging in software engineering.”
If it falls below 4%, how will it affect recruitment?
Diane Humphries: “Unfortunately the process will take longer, jobs will be unfilled for longer and every job will require a ‘search’. This all leads to higher recruitment costs whether you recruit via an internal team or through a recruitment agency. Some roles will remain unfilled so the restructuring of roles and duties may be required.”
Jim Morris: “Prospective, available candidates are already in low-supply, whether you are the local burger shop or a national cyber security firm. That is the brutal truth.
“A key difference is, however, cyber security is a relatively niche, specialist area, with an already limited talent pool of available candidates. Couple that with the requirement for candidates in our sector to frequently upskill to keep up with constant changes and we’ve got a recipe for a different level of skills shortage.
“Employers will face multiple challenges and obstacles when recruiting new staff – increased competition for talent, less overall supply and changes in candidate/jobseeker behaviour and expectations.
“Now is a critical time for employers to review their value proposition to potential recruits out in the marketplace. What can you offer that the competitors in your segment can’t?
“In my recent experience securing candidates within areas such as cloud security, penetration testing, incident response/threat intelligence or niche GRC (governance, risk and compliance) areas (IRAP, ISM, PCI) has become increasingly difficult for employers because of the market conditions.”
Ricki Burke: “Same challenges, just another day.”
Paul Jenkins: “The cyber security industry is already suffering a shortage due to closed borders, and a severe lack of junior to mid-level talent. With this in mind, more organisations need to up the recruitment of juniors with under two years’ experience to ensure they have an internal pipeline of talent for the next 2-4 years.
“Recruitment of staff will continue to be a challenge but may be countered by the borders now opening up to international candidates.”
What advice would you give employers around staff retention? Is it possible to offer too many inducements?
Jim Morris: “First take a step back and really understand what you currently offer and how it stacks up against your competitors. Then look at adding extra value from there.
“As a cyber security professional, continually developing their skills is the only way to keep up with the pace and demand of the market. What new skills are you offering your staff? What kind of programs can you offer them to be working on?
“These are the key areas staff will consider against other options if they develop a ‘wandering eye’ for new opportunities as they are tangible ‘value adds’ for careers.
“It can be easy to get swept up in the price/wage wars, having pinball machines, table tennis tables and fully stocked beer fridges but getting the real, measurable value propositions by way of professional development opportunities is a fundamental starting point for employers.”
Ricki Burke: “Focus on what employees are looking for, not what you want. We speak with hundreds of people a week, no one is asking to work in an office 3-5 days per week.
“Usually, people will move jobs for another that matches their motivation or helps them with their career goals, money is not usually the driving factor.
“For the first time, we will see more people moving sideways to do the same job somewhere else because they are being offered more flexible working conditions.”
Paul Jenkins: “It’s important to provide an EVP that your staff actually want. Tailoring perks for different situations will be key to ensuring you retain top talent.
“Whilst the market is competitive, yes, creating an environment where the perks are endless is already causing unrealistic expectations in some candidates. Ensure your EVPs are realistic and can be delivered.
“Ensure managers and leaders are keeping close to staff; regular catch-ups to understand goals and any concerns. Ensure managers are leading effectively. Many people are leaving due to bad management or an unclear career progression.”
Diane Humphries: “Don't offer inducements until you know exactly what each employee wants and values. It may be cheaper than you think. So many organisations think monetary rewards and bonuses are all that an employee is interested in. I see so many bonus systems that are hated and provide disincentive and acrimony rather than incentive for better performance.”
What advice can you give around sourcing and hiring staff in this increasingly competitive jobs market?
Ricki Burke: “Make sure you are paying market salaries and offer as much flexibility as you can, it's one of the key things people are looking for. Also, sell your company and the opportunity to people, don't start a job advert with the skills and experiences you are looking for.
“And, invest in new talent. Create more entry-level roles, true entry-level not a junior role requiring five years of experience. Build for the future today.
“Remember that most security professionals used to work outside of security as developers, system administrators and so many other jobs. Continue that trend. There are plenty of people doing ‘security’ that don't have cyber security in their job title.”
Paul Jenkins: “Ensure your interview process is succinct and well organised. To backfill a role - stop procrastinating and wasting time through the hiring process. If you meet someone you like – chances are 3 of your competitors have also met that person. Provide feedback within 24 hours. It’s either a ‘yes’ and move to the next stage or a ‘no’.
“Ensure high levels of communication throughout the process. Remember, this is the candidate's first interaction with the company – make sure it’s professional.
“Start proactively recruiting specific key roles and ensure you create a pipeline of talent both internally and externally for key roles. Don’t just rely on job ads as most roles are being filled through networks/recruitment search/referrals.
“Ensure you hire both proactively and reactively. If a good candidate comes up with the skills you require, you need to be able to move on this. Some roles are taking six months to fill. We can no longer expect a shortlist of three great candidates at the time you want to hire.”
Diane Humphries: “Be flexible. We still have clients who want all workers and new recruits working in the office full time. It's often the CEO driving this request. Candidates are voting with their feet and not wanting to be put forward for these jobs or not accepting offers for these jobs.
”WFH is here to stay and in this candidate-driven market flexible work will be one of the most sought-after benefits.
“This next barrier is talked about all the time. Many organisations' recruitment processes are far too long and in this market, candidates will not wait around. It's good to be thorough but if you can't make a decision after two (maybe three) interviews you are too risk averse.
“A manager with more recruitment experience and a good track record of recruiting in the past should be assisting to fill this role. Most people find their new role through their own network - maybe up to 70 per cent of candidates. Utilise your managers' and employees' networks to source more candidates.”
Jim Morris: “Look inwards first. Have you really looked at which individuals within your organisation have the potential (and willingness) to upskill in order to fill your capability gap? Oftentimes I see clients quick to skip this step, missing real opportunities to find the capability readily available in house, and an opportunity to positively affect retention rates.
“Be pragmatic about your list of requirements. Be realistic about what’s readily available out in the market. Does that candidate really exist and can you secure them within your target timeframe? If the answer is not an unequivocal yes, it’s likely time to consider where you can replace hard requirements with opportunities for prospective candidates with relevant experience to develop and upskill.
“Moving fast is critical in the current market. Assess your current recruitment process, identify the bottlenecks and where the opportunities to streamline are. Much more often than not, this does not have to compromise the thoroughness of your process.
“Candidates are not on the market for long and are often presented with multiple opportunities and offers at any given time.
“Know your competition. What is your competition doing and offering and how does your organisation offer a compelling option as a comparison? This could be around a number of different factors – remuneration, professional development opportunities, flexible work arrangements and company culture. You need to know how you’re positioned against competing organisations to help target and secure the right candidate audience.”
Is it better to leave a position vacant than hire a substandard candidate? What strategies can employers deploy to cover for vacancies?
Paul Jenkins: “Hiring a substandard candidate can be disastrous and create more damage in the long run as well as costing more money.
“We would recommend that companies hire based on attitude and aptitude; not just experience. If the person does not have all the technical skills you need – can they demonstrate an ability to learn quickly, and are they passionate about the tech you use? Hiring under-qualified candidates and training them up also creates loyalty. It will also address the skills shortage in years to come.
“Technologies are constantly changing and will continue to do so. If candidates can be upskilled quickly, that will ensure your team is staffed, and therefore not overworking others.”
Diane Humphries: “It's never a good idea to hire a substandard candidate. I don't think I've ever heard anyone say it was a good idea and worked out well, it usually ends in tears.
“To fill gaps employers can use the services of contractors if they can locate the right skills. Some flexibility may be needed when contractors do not have 100 per cent of the necessary skills, but they possess the majority of what you are looking for. Using remote contractors vastly opens up the pool of candidates available.”
Jim Morris: Look inwards first. Before going to market, which individuals in the business could redeploy into this role? Sometimes the answer lies within. Is this another opportunity to allow a team member to upskills? This can only have positive effects on your retention rates.
“Consider a contingent workforce. A contractor resource has been a viable solution within our industry for years, often in a full-time capacity. Though, the working world is evolving, with the ‘Gig Economy’ seeing a noticeable boom in recent years. Many candidates in the cyber security space have started to engage with clients either on a part-time, ad-hoc or advisory capacity.”
Ricki Burke: “There is a quote that goes something like, ‘A wrong decision is better than indecision’. I think a proper understanding and context is key to answering that decision. Other strategies could be outsourcing or contracting, but they are short-term solutions, which is fine if you have a short-term problem. If it goes beyond that, I'd go back to creating more entry-level roles and building more security professionals.”