By their nature, many smaller businesses do not have extensive cybersecurity staff or departments, and they do not always have dedicated HR personnel either. Here’s some advice on defining what is needed, as well as on recruiting the right people.

It is rare to come across a successful company that has an excess of staff, with people sitting idle for hours a week looking for paperclips to count and files to re-organise. This is particularly true in small and medium-size businesses (SMBs), because the cost reality of employing each staff member has a significant impact on the financial bottom line.

Although many SMBs outsource their IT management services to third-party providers, in-house IT managers are pretty common because there’s plenty to do. Particularly if you have a modest set of systems and not too many different technologies, it makes sense to have a ‘techie’ on the payroll; the outsourcing approach works best if you have diverse systems, because the provider may be able to support a range of skillsets that wouldn’t be possible with one in-house general IT staffer.

Supporting Cybersecurity

But what about cybersecurity support? Should SMBs be looking to recruit a dedicated cybersecurity manager to look after the cyber-related risks, monitor compliance with security standards, report on vulnerabilities and patching gaps or conduct monthly phishing tests? Sure, the company would undoubtedly benefit from having such a person, but is it actually affordable?

Traditionally the answer has been a flat “no”. A quick LinkedIn search suggested a cybersecurity manager role with a “20 to 50” person company in London carries an average salary of £100,000 ($127,000); that’s perhaps a little extravagant but another role with the same title (201-500 people) comes in at £60,000-£70,000 ($76,000-$89,000). More affordable, but there’s still no chance of picking up a top-notch cybersecurity specialist for below market value.

Skilled and experienced cybersecurity people are hard to come by, too: although our numbers are growing, cybersecurity is still a candidate’s market. The latest ISC2 Cybersecurity Workforce Study estimates that there’s a shortfall of just under four million cyber professionals globally. That figure comes as no surprise, and its consequence is clear: candidates can pick and choose the roles they want, and the successful employer will be paying a premium to attract them. This is why many SMBs continue to use third-party support for their cybersecurity needs: they can pick and choose which cybersecurity needs to focus on. Unlike with payroll-based staff, they can adjust the amount of service they use to fit the budget available. Of course, paying an outsourced provider for the equivalent of one person is much more costly than having one person on the payroll, but the diverse-skillsets point mentioned earlier can justify that premium to an extent.

Addressing the Need

Are SMBs stuck with outsourcing cybersecurity until the end of time, then? Well, some years have passed since governments and professional cybersecurity organizations like ISC2 engaged in efforts to address the skills shortage. One account says that cybersecurity graduates doubled between 2016 and 2021. The problem is that this “doubling” was from 10,013 in 2016 to 23,746, so there is still more work to do before the demand premium becomes less of a financial obstacle for SMBs.

We need to take a step back and think about the cyber requirement. Working as the CISO for a division of a global bank is most definitely a full-time job. But do SMBs really need full-time security specialists? We would contend not … so let us look at what opportunities this creates for us.

First, just as we may not need a full-time cyber specialist, SMBs may not need a particularly experienced one. Honestly, experienced cyber people might find that the cyber requirements of an SMB simply don’t test their skills and that they’re bored senseless – which would often be the case for mainstream IT managers, for that matter. So, let’s look down the experience range and see what we find.

The answer is: graduates of an increasing number of education programs that combine IT and cybersecurity as joint degrees/certifications. It’s a really attractive solution: a bright IT person with a chunk of their formal education specifically focused on cybersecurity. IT support is a common first step for a newly minted college- or university-leaver, and if you can pick one up with a proper element of cyber education, you’re winning all around.

We can, however, go even further back up the education timeline: what if, instead of recruiting cyber staff, we play a part in creating them – or, more accurately, creating their cyber knowledge? It’s easy, when recruiting into engineering jobs, to look for people with certificates and qualifications, but let’s not forget there are other avenues: why not look at creating apprenticeships and being part of the individual’s education, perhaps even nudging it in one or two directions that are particularly relevant to our technology and systems? In some countries there’s even the concept of a “degree apprenticeship”, in which students study for (say) four days a week and work in a real company for the remaining time – and again, everyone’s a winner.

Recruiting cybersecurity staff as an SMB is still hard, and will remain so for the foreseeable future. But just like anything in business, “difficult” can be offset enormously by being a bit creative, inventive, innovative, different. No, you can’t often afford, as an SMB, to have a full-time security person on the payroll. But if you look hard enough you may find someone with an IT-and-security qualification who would fit the bill.

And if you don’t? Change your approach and help make one.