November 2022 / 5 Min Read

Five Steps to Keep the Cyber Talent Pipeline Full in a Recession


Cyber talent is at a premium with more than 2.7 million positions unfilled globally. These five steps can help build talent resilience.


Key Takeaways

  1. Cyber security talent is essential for an organization’s well-being, but talent and skills shortages are straining businesses globally.
  2. HR professionals and the organizations they support are facing a dilemma in filling roles as recessionary pressures grow.
  3. A strong partnership between HR, CISOs and risk leaders is critical to develop a long-term resiliency strategy.

Good cyber security talent is essential to the very well-being of an organization. Through midyear 2022, overall cyber threats have increased, and no industry or country is safe.1 The reality is, it takes skilled talent to stay ahead of threat actors.

HR professionals and the organizations they support are facing a dilemma. Cyber talent is currently at a premium, with one estimate claiming there are more than 700,000 unfilled cyber security positions in the U.S. alone, and 2.7 million worldwide.2 At the same time, recession concerns may eventually curtail hiring, as businesses cut back on spending, and high-priced cyber talent is being heavily scrutinized. Global leaders understand there is a talent issue in cyber security:

  • 60% struggle to recruit cyber security talent
  • 52% struggle to retain qualified people
  • 67% agree that the shortage of qualified cyber security candidates creates additional risks for their organizations3

However, it’s more than a cyber talent shortage or a limited desire to source high-priced talent. Ongoing skills training may also be lacking at many organizations, but cyber security training is expensive. With so many IT departments short-staffed, there aren’t enough hours in the day to do the work, much less complete training. When facing the holistic challenge of both staff and skills as potential sources of risk, CISOs and risk leaders are turning to their HR partners for support. A strong partnership is critical for an organization to develop a long-term, successful resiliency strategy.

Here are Five Things HR Professionals can do to Navigate These Challenges:

1. Is it a talent or skills issue…or both?

The first step in answering this question should be a skills audit. Partner with your CISO, employees and other industry professionals to learn what skills are needed for an outstanding cyber security team. Work closely with your CISO to understand whether implementing training and creating a more comprehensive learning culture will solve near-term talent gaps, or whether existing talent needs to be augmented so the team can effectively protect the organization from threat actors. There may be enough bodies in place, but they lack the skill sets to know how to make the right cyber security decisions at the right time to keep the organization safe. There may also be a need for more bodies, and in the current climate choosing the right strategy can be crucial to effective budget planning.

2. Attract, Retain, Sustain.

If talent augmentation is the agreed strategy, attracting new talent is always a challenge, and recruiting a new employee can cost three to four times that employee’s salary. Retention is a must in this environment, but retaining employees is more than just salary or perks. Ensure that current employees thrive by providing them with the tools they need to get the job done. That includes traditional compensation and benefits, but it also means making sure the workforce is resilient. Help build resilience by looking beyond compensation. Encouraging health-positive behaviors, supporting employees’ mental health, helping employees feel financially stable, and fostering adaptable skills are just a few ways to help build employee resilience. Nine in 10 employees who are resilient say they are likely to remain at their current organization for the foreseeable future, as opposed to just under half of employees who are not resilient.4 Employees are the best source for prospective candidates and the quickest deterrent for a potential candidate if they are not happy in their current role. Keeping focus on talent sustainability is the cornerstone of an excellent workplace culture.

3. Create a culture of learning

Whether training is determined to be a key to a successful resiliency strategy or being incorporated into long-term employee sustainability, it is essential in the constantly evolving cyber security world. When cyber security professionals were asked how their companies could address the skills shortage, nearly 40% named an increase in training. Nearly half of respondents, however, said their company did not pay for the type of training needed.5 People managers can potentially have a dim view of learning and development because of its short-term impact on productivity. To these professionals, training means employees spending multiple days away from their core functions. But technology and some creativity may help, as virtual training has expanded in recent years, and companies can use efficient to ease the impact to everyday work.

4. Not all skills are technical and not all positions are interchangeable

As with creating a culture of learning, placing people in positions that match their comfort level can make all the difference to the overall culture of the team. Some very skilled cyber security professionals may not be comfortable serving as people managers, or may not have the work-life balance to do so, while some effective leaders may not have the same technical know-how as the people they manage. Finding that balance can be tricky, but an attractive Employee Value Proposition (EVP) and solid communication may help keep everyone on the same page and promote a much more attractive work environment, which will see a much longer ROI on key talent acquisitions.

5. Ensure that the employee value proposition (EVP) is competitive, and continually review

Cyber skills are transferable from industry to industry, and organizations must often compete against each other with tactics like higher compensation and a more attractive overall EVP. This constant talent warfare ends up hurting all organizations in the long run. Focusing on the overall work experience, rather than viewing it only through a competitive lens, can be the difference in long-term retention. Salaries, great work-life balance and benefits that contribute to an employee’s wellbeing are critical EVP elements. Partnering with your CISO is important here, too. More than a quarter of cyber security professionals said their hiring professionals may be excluding strong candidates because of either a lack of understanding of not only the skills needed.6


Plan Now for Current Economy – and For Whatever Comes Next

The current challenging economic climate will pass, but there will always be another challenge on the horizon. Having a plan to create and maintain workforce resilience among cyber security professionals will ensure that the company is as well-protected as possible against threats. Implementation of these simple collaborative steps between HR departments and CISOs can be the determining factor in building and maintaining a strong risk team.

A properly maintained plan will help this team lead a culture that can not only help mitigate the very real threats of cyber attacks, but ensure proper and well-defined risk budgeting, especially in difficult times when hiring and training budgets are being heavily scrutinized.

1 2022 Sonicwall Cyber Threat Report
2 A Resilient Cybersecurity Profession Charts the Path Forward | ISC
3 Fortinet. 2022 Cybersecurity Skills Gap
4 Aon Rising Resilient - a new generation of workplace is emerging.
5 Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment - ISSA International
6 Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment - ISSA International
