Recently Paul, one of the Directors here at Decipher Bureau, posed the following question on LinkedIn:
Of the 160+ votes the poll received, over 80% said that they would.
Whilst we acknowledge that this is of course hypothetical (and a LinkedIn poll!), the overwhelming majority ‘yes’ response might seem surprising to some - after all, as a cyber security professional, would you want to be associated with a company that has had significant issues in this area?
Given its current relevance, and the comments we received in relation to the poll, we decided to look at what impact the significant upswing in data breaches in Australia is having on hiring in the cyber security industry, and why professionals would consider working for a company that has already experienced a data breach.
The Great Skills Shortage
Australia is experiencing a significant talent shortage in the cyber security industry (no doubt due in part to the spate of recent data breaches and a need to bolster security expertise in-house). In fact, in the Australian government's 2022 Skills Priority List, all occupations in ‘cyber security’ were listed as facing a shortage. This makes competition fierce for organisations who recognise the importance of hiring cyber security teams (either proactively or reactively), and puts a premium on the limited resources with experience in the space.
It also means that skilled candidates have huge negotiating power, and can take their pick of employers and offers when discussing salary and benefits. So why would they choose to work for a company that has already experienced a data breach?
“Their response to the attack, and their willingness to fix things”
A company that has had a data breach faces huge brand reputation and financial risk, and some may never recover. However, comments show that an organisation that firstly responds to the breach with full disclosure, puts their customers first and takes all possible measures to look after them - and then commits to invest in capabilities and improved security - can be a highly appealing prospect for cyber security professionals. It means the position of cyber security is considered valued, and having been through a breach truly shows an organisation what is at stake and what it takes to recover - the result being senior management and teams who are more likely to support and prioritise security systems and processes (hopefully) with less red tape.
Assuming the above conditions are met, having survived a data breach and come out the other side can make an organisation one to consider for cyber security professionals because they don’t have to prove the worth of what they do, nor educate about the risk. Further, as much as they’d have preferred not to, being exposed to a breach gives employees and management real-life understanding and experience, making cyber security a less siloed business function and making for easier working relationships going forward.
“Because it actually makes no difference”
This sounds like a strange response, but it’s a reality. From a potential employee’s point of view, a company that has experienced a data breach and dealt with it appropriately (both internally and with customers) is, at the end of the day, no different to an organisation that hasn’t had a breach (yet). There are more likely other factors that a candidate will place emphasis on, just like with any job opportunity (salary package, culture, professional development etc). The benefit, however, as mentioned previously, is that the organisation now knows it is not immune and will put steps in place to best prevent a data breach occurring again, is less likely to be complacent, and, more importantly, has the processes to respond swiftly if it did.
Now more than ever, it’s a job-seeker’s market for cyber security. And for organisations that have been on the receiving end of a data breach (and those who haven’t yet, but see value in being proactive) it’s become mission critical to get security teams and capabilities embedded. As we’ve touched on here and in previous articles, job-seekers tend to look at a variety of elements that make a company an employer of choice. Therefore, in isolation, having experienced a breach doesn’t necessarily hold a negative connotation - an organisation demonstrating the right mindset towards information security, however, may provide opportunity and benefits for a prospective candidate, in spite of what’s happened in the past.
As specialists in our field, we always aim to undertake an open, rigorous recruitment process with our client/partners, as well as the candidates we work with, to obtain the desired outcome for both parties. If you’d like any more information about recruiting or retaining top cyber security talent, or if you’re looking for your next cyber security role, reach out to the Decipher Bureau team. With offices across Brisbane, Sydney and Melbourne, and an experienced team around the world, we’d love to help you out.
Speaking of recruiting top talent, Decipher Bureau is currently looking for consultants! If you're interested in having a chat about joining the team, and to find out why we’re a great place to work, please get in touch.