'Create an environment that's attractive to them': Macquarie's Rachel Smith on how to keep your cybersecurity talent
Talent Acquisition#Retention#TheGreatTalentWar
Among the rising demand for tech talent of all stripes, the competition for some specialisations is exceptionally cut-throat. One is cybersecurity. Always a field with higher demand than supply, the spike in remote work last year – and the corresponding surge in cyber threats and attacks – has made it even more sought-after. Today, the competition for cybersecurity talent is so great that even large and prestigious companies are facing challenges getting, and keeping, the people they need.
People Matters asked Rachel Smith, Group Head of People and Culture at Macquarie Telecom Group, what's happening in the cybersecurity field right now and how Macquarie is holding onto their valuable talent amid the stiff competition from other firms, corporates, and even their own clients.
Despite the importance of cybersecurity today, the talent pool still can't seem to catch up to the demand. What's your perspective on this?
We're finding that the talent pool at entry level – graduate level – is definitely improving. The number of graduate applicants is going up. However, on the flip side, trying to recruit more senior roles is harder. Where we would traditionally want five years' experience, we are struggling to find people with three years' experience. The salaries they demand are very high, and they're very picky about the kind of roles that they want to do. For example, it took us six months to fill an architect role.
The COVID situation is both helping and hurting. On the one hand immigration is flat, so we have no access to international talent. Many of our roles require people to be on site, so remote work isn't an option either. On the other hand many people don't really want to leave the safety of a secure job at the moment, so retention is not as difficult as it would be.
Looking ahead, I think the talent pool will take at least three years to catch up to the demand. If you base it on the five-year experience mark, which is where we're now facing the most difficulty, and bear in mind that the industry has just started to gain traction in the last couple of years. People will take another three to four years to build up to the levels we're looking for, and combined with COVID it may be even longer.
What strategies are working for recruitment and retention?
Unfortunately there's not much we can do in the more experienced space, but we have a lot of strategies for the graduate space.
We position ourselves as being a great opportunity for people who want to continue their careers in cybersecurity: we use the message that they can progress with us, because we have a great pedigree and a huge variety of clients. We service the government; federal agencies use us for their cloud cybersecurity work; and we're now moving into the corporate world, offering the same kinds of services to corporate organisations.
We also show candidates that we can offer them a lot of potential for learning and career growth. For example, we recently secured funding to launch a Cybersecurity Centre of Excellence. This is really important at graduate level, because they want to learn. Cybersecurity is a field that moves so rapidly, anything that gives them an opportunity to learn and understand is a selling point, and the desire and ability to learn is a vital skill. So we have to create that environment where they can continuously learn.
Next, from a retention perspective, we can't just use traditional employee engagement strategies. We have to target our approach specifically at the kind of people that we want to hire. These are people who actually like the field, who have what you might call a gaming mindset.They are people who wake up in the morning and read about cybersecurity, whose social media feeds are filled with cybersecurity content.
We have to create an environment that's attractive to people like that, in order to keep them happy.
Could you share a bit more about how you create that attractive environment?
Putting myself in our candidates' shoes, the question is: 'Why would you come and work for an organisation like us, versus a large corporate that has a massive cybersecurity department?' And the answer is, variety. These are people who like to learn, and they like to learn a lot. What we can give them is access to variety. Besides government agencies, which are always targets for all manner of attacks, we have everything from aged care providers through to car tire places, businesses that are vulnerable in different ways. The environments that our cybersecurity experts operate in varies from customer to customer. It gives them the opportunity to upgrade their skills on a daily basis.
We also encourage our people to display their skills through events like hackathons. One advantage we have is that our business now runs two separate cybersecurity practices, and while they are very closely linked, we like to leverage the competition between the two of them and we'll probably be able to start running internal hackathons in the not too distant future. These are things that people in the field really enjoy.
We're also pushing to establish internal development of talent for our cybersecurity teams. We've already done this across much of our other businesses, where we have clear and well-laid-out career development pathways for a lot of our technical roles that come in at graduate level: we have up to 10 year plans for them. And we're now in the process of developing that for our cybersecurity talent. We already have a two-year plan in place, and we'll be pushing that out to a further horizon moving forward.
Unfortunately, these same things that make us attractive also make our people very attractive.
It creates a big challenge because our competitors are trying to lure them away in every direction. People are being turned by massive salaries. We had a graduate who, with 18 months' experience, was offered twice his salary. We luckily managed to retain him for the reasons that I've mentioned – being a great place to work, offering growth and variety and other opportunities. But the fact that there are people chucking that kind of money around, to hire people who have been out of university for a couple of years, is making me think again about my own profession!
It sounds like graduates are much easier to hire than more experienced people. How are you building a pipeline of talent in schools to leverage that?
We start engaging them at university level, and we try to build relationships with them from the very beginning of their university time. We hold career fairs to get our brand out there, we make ourselves very present by offering scholarships for cybersecurity degrees, we bring students on tours of our data centers – that's the most visually sexy part of our business – to get them excited and interested.
It helps that today cybersecurity is being talked about more as a career. There's more media coverage of the cyber threats that happen on a regular basis, and so the profile of the industry is increasing on its own. We're even getting more women into the profession, which is great.
From what you've described, graduates today are getting a whole lot of competing offers. Do you have any thoughts on how they can choose the best place to work?
Think about the environment that you want to work in, and where you want your career to go.
Dollars can be hard to say no to in the short term, but investment in yourself, especially in the early years, can pay dividends later on in your career. So I would encourage people to have a look at the development opportunities that are on offer, the investment in their learning environment, and the ability to do the kind of work that they would like to do.
And think about the health of the company as well. Some organisations have been in the business for years, and you know from a single look that they'll be around for a lot longer. But there are also organisations that may not have quite so secure an operating future. So keep the future in mind, not just the near future but the middle and maybe even the long term.