Things To Consider When Hiring In Cyber Security

The cyber security industry has come on leaps and bounds in the past few years. Frequently gracing headline news, the sector presents the first line of defence against a 21st-century problem that society is ill-prepared for. Tesco, the NHS and countless others have reported severe damage at the hands of online hackers, prompting a recent report that stated the threat to UK businesses was “greater than ever”.

Perhaps more significantly, while the need for cyber security grows, the talent pool is dwindling. The gradual increase of hackers and cyber criminals has been met with little interest from those studying IT. In fact, the market has such a low number of skilled applicants that nearly a quarter of businesses feel that they don’t have enough people in their company to manage cyber security risks, despite an increase in breaches.

This affects small and large businesses alike. While large companies may struggle to recruit a full team and arguably have more to lose, smaller organisations often assume they’re not worth an attack and so may fail to put a suitable system in place entirely.

Therefore, in order to offer support to businesses seeking to recruit in this competitive market, we’ve put together a guide on the top things to consider when hiring in cyber security.

Have you identified your exact needs?

Plenty of employers remain unsure of all the ins and outs of the cyber security industry. There are two sides of the sector: technical and governance.


Technical

Here you’ll find your cyber security engineer and analyst positions, which operate in a very hands-on capacity. These roles encompass application security, network security (firewalls), endpoint security (anti-virus, spam and malware), security information and event management, and vulnerability analysis and mitigation.

Larger companies will have an entire team dedicated to network security, with individual employees focused on separate areas. This approach makes them more effective at finding and resolving any potential breaches. However, in order to employ a team of this size, you’ll need to be a much larger business.

The majority of clients we support in growing their cyber security department tend to hire one or two people. Their aim is to bring in someone to monitor everything from a technical perspective. This person will either set up and build the necessary foundations and infrastructure from the ground up or revamp and maintain a company’s existing security infrastructure.


Governance

An individual in a governance or risk role will handle more of the processes associated with cyber security. Similar to a health and safety position, they ensure the projects that are being created by the business are cyber security-approved. They need to have a knowledge of legislation and standards, including (but not limited to) GDPR, PCI DSS or ISO 27001.

While individuals employed under this discipline of the sector characteristically sit within the compliance arm of the business, they often overlap with infrastructure. Network engineers and similar IT technicians will require the visibility of internal security when installing hardware.

It’s unusual for cyber security practitioners to combine both sets of traits in one role and, as an employer, you shouldn’t attempt to encourage it either. In order to work effectively within this field, these branches should be separate. They each perform unique actions and can support your business better when independent of one another.

How do you find the best candidates?

Once you’ve scoped out your needs, you can begin to look to the market. As a relatively new industry, professionals that work in cyber security can be elusive for a variety of reasons. Their previous position may not appear to translate to the role you’re trying to fill – you therefore have to recognise the transferable skills and values.

Technical individuals usually come from positions such as infrastructure and network engineers. Working on Windows or Linux, these employees will have had some involvement with a few security areas due to their previous companies not having a dedicated security engineer or function. They will have overlapping skills and start moving more and more into this role as the business and industry mature.

Those skilled in governance instead come from legal backgrounds, sidestepping into compliance and then specialising in information security. They enjoy working with businesses that need a great deal of maturing across information security.

What motivates cyber security professionals?

Challenge is a huge driver for professionals in this industry. In all likelihood, they’re coming into a company that needs a lot of improvement in security. Like all employees, they want to make an impact – to be able to change the processes that are currently in place and add real value to the business.

These are individuals who are motivated by problem-solving, so create an environment where they won’t just sit around. The majority are highly skilled and driven to progress by the industry’s generous salaries. Provide an environment where there is scope for big challenges, which in turn allow for personal development and financial reward.

In general, for mid-level technical and governance analysts, you will be looking at providing a salary of £40k-£65k. However, those in managerial, head of, or director positions who oversee both disciplines can range anywhere between £90k and £150k.

Does your business offer room to progress?

Consider how a new member of your team will complement the current protection you have in place and how they can use their knowledge of compliance to further your business objectives. Additionally, be conscious of their progression aims – are you able to offer them room to advance?

The size and infrastructure of your organisation will largely determine this. Bigger businesses are more likely to have a dedicated function for cyber security. In mature operations such as these, a chief information security officer will have the same recognition and influence as a chief technology or information officer.

Meanwhile, in smaller businesses, the IT director would usually oversee the work of a cyber security engineer or information security officer. Consider the impact this has on career prospects, so you can demonstrate opportunities for personal development within the bounds of your organisation when speaking to candidates.

Remember too that as you grow, your cyber security needs will change. The more noticeable you become in the market, the likelier you are to attract the attention of cyber criminals. Instil candidates with confidence that you’re committed to cyber security, and you’ll be rewarded by the loyalty of those who practise it best.

Where we come in

While these considerations will support you in the process of employing a cyber security specialist, they’re not guaranteed to differentiate you in an industry struggling against a diminishing talent pool. Make sure your values and the benefits of working for you are firmly visible in your vacancies – speak to one of our consultants and start adequately protecting your business today.