Identifying, finding, developing and retaining the cybersecurity skills your organization needs is critical. Finding good people who already have those skills, or training existing staff to develop them, is difficult without leadership buy-in and a budget to invest in people.

The skills challenge facing the cybersecurity sector is well documented. In the 2025 ISC2 Cybersecurity Workforce Study, for example, research findings from over 16,000 cybersecurity professionals highlighted the extent to which teams and organizations are struggling to find and retain essential skills, as well as develop new skills to keep pace with emerging technologies and threats.

There is a further problem, though: senior management teams who underestimate or don’t fully understand the value of having cybersecurity staff. At a financial level the cybersecurity team is a cost center: people and tools cost money and are rarely seen as revenue generators (though they are, of course, revenue protectors). Worse, cybersecurity staff can be among the more expensive technical hires in an organization. One study suggests an average of $85,000 a year for an entry-level SOC analyst, for example, and almost twice that for a SOC manager. Those with recognized certifications can potentially earn even more.

Headlines report the average cost of dealing with a cybersecurity breach as $4.4m, but the reality for the average organization is considerably less: one U.K. insurer noted a few years ago that clearing up after an attack would in fact cost just £25,700 (around $34,500 today). That is much less of a financial incentive for the average management team to invest heavily in a cybersecurity team.

The Reality of the Challenge and the Need

The reality is likely to be somewhere in between those figures, of course, particularly for medium-size businesses: perhaps a modest six-figure sum for clear-up costs, added to by the impact on the organization’s reputation and potentially on its sales and therefore its profits. This potential impact, combined with a general (and, according to budget statistics, growing) awareness that cybersecurity defenses are critical, means that cybersecurity leaders are increasingly able to make a compelling business case to senior management that cybersecurity staff are not only required but an essential investment.

Recruiting staff is, however, expensive. Recruitment agencies charge anything between 15% and 25% of the first year’s salary for anyone they place in an organization, so for the SOC manager example from earlier, on a salary of $160k, that means an agency fee of up to $40,000. Beyond the cost of recruiting and employing cybersecurity staff (if, indeed, you can attract the ones with the skills you need, or with the foundations on which to develop those skills) there is the added challenge of getting them up to speed when they join. At the more junior end of the scale it can be quite quick to acclimatize a new entry-level analyst, but in the average case it can be a good few weeks before a new staffer gets to know all the right people, controls and systems and hence becomes fully productive.

The People Problem

Retaining staff with key skills, and retaining staff in order to develop their skillset, is therefore an attractive concept. It is, however, almost as hard to do as recruiting them: according to one survey, 82% of CISOs considered retention to be “challenging”. There are two key factors in retaining staff.

First is helping people enjoy the job. Stress is the primary reason people fail to enjoy their roles in cybersecurity. It is impossible to miss the hundreds of articles written each year about burn-out (excessive stress) in cybersecurity teams; one typical article puts burn-out rates at upwards of 60% of the workforce. But there is more to helping staff enjoy being part of a cybersecurity team, and it does not just mean having Google-style ping-pong tables and free fruit in the office. Simple things matter: effective management, openness with staff, inviting people to share their ideas, and saying “thank you” and “well done” every once in a while. Make people feel valued and a busy cybersecurity job will immediately be more enjoyable.

The second and most important action, though, is to take that word, “valued”, and treat it literally by investing financially in people. Training and certification are the most obvious areas to focus on, because everybody wins: the employer gets people with growing skillsets, and the cybersecurity professionals constantly expand and improve the depth and range of their subject knowledge.

Incidentally, failing to invest in training because of a fear that people will train up and leave is always a bad idea; as one quote we found put it: “Training is often a retention signal, not a departure trigger”.

Providing the Right Tools

Investing in tools that help people do their jobs is also highly valuable, but it is important to do so in consultation with the team, to buy what they actually need. Avoid buying too many packages. The team will not have time to use them effectively and the organization will have wasted money that could have been spent elsewhere. Next, be flexible and generous with financial compensation for the team: salaries should be appropriately generous, out-of-hours and on-call arrangements should be paid generously, and incentive (bonus) schemes can be attractive if designed and implemented well. Without spending any more money, an organization can include flexible working as an option for the cybersecurity teams, so long as it is properly managed.

Finally, returning to the concept of investing financially in people: alongside training (which is the most expensive use of staff development funds) there are plenty of other developmental techniques to offer team members. Mentoring is a tremendous tool for staff at all levels, and for the more senior team members business coaching is an extremely useful aid on the way up the management ladder. Encouraging (and paying for) people to go to networking meetings, to take part in professional body chapter meetings, or to attend or even speak at conferences, is an inexpensive way of developing people’s contacts, knowledge and confidence.

Investing in cybersecurity staff is, then, one of the most effective ways to use funds. Recruiting is expensive and highly inconvenient, and staff turnover benefits nobody. Organizations and cybersecurity leaders can spend far less by focusing funding on engaging and developing the people already in the team than it would cost to recruit their replacements, so the incentive to do so is clear.
