This blog was written by Grant Bourzikas, previous CISO at McAfee.
The demand for cybersecurity talent is outpacing supply across the entire business landscape. Depending on what research you reference, experts predict that by 2020 there will be around 1.5 million to 2 million unfilled cybersecurity roles. This makes employee retention more important than ever to ensuring the stability and security of your organization.
When thinking about how to build a model for talent development and management that’s sustainable for the long-term, it’s critical to focus on building the right team, not just hiring more people. While technical skills are important, creativity, problem-solving ability, and diversity are also key indicators of strong candidates and should not be underestimated when evaluating resumes. Investing in building the right team with different skill sets will be more valuable to the big picture in the long run.
However, this is no easy feat, as the pressure to secure an organization against the ongoing barrage of today’s many and varied threats has never been greater. Professionals must handle day-to-day threat response while staying ahead of the next threat and keeping up with training. The stress of limited time, resources, and training can lead to burnout. On top of that, as people become more skilled, they’re also more attractive to competing employers and more willing to consider offers. To avoid excess turnover of your top performers, you must be strategic about retention and prioritize a positive working environment.
Build a motivating environment
It’s probably obvious that an employee satisfied in their current job is less likely to leave for another opportunity than one who is dissatisfied. But what are the factors that influence true job satisfaction? Data from our recent Winning the Game study shows key reasons people switch jobs are better financial incentives and pay, opportunity for promotion and development, flexible hours, and opportunities to work with exciting new technologies. This demonstrates the value of taking time to evaluate your compensation packages to be sure they’re competitive, and working with HR to ensure staff see clear career pathways and professional development opportunities available.
The study additionally highlighted that the type of work cybersecurity employees are engaged in adds to the level of enjoyment they experience at work. Top of the list were threat hunting, resolving threats, and preventing threats, with just over a fifth of survey respondents indicating a threat hunter position is a career aspiration, either at their current organization or elsewhere. There’s also a clear correlation between companies using gamification and higher job satisfaction. More than half the respondents who are extremely satisfied in their roles say their organization uses competitive games, such as capture the flag, once or more a year to help train teams to respond to current threats and keep their skills honed. On the flip side, 80% of extremely dissatisfied employees whose companies do not use gamification say they wish they did run games.
Provide support structures for success
Providing teams with the right technology relieves them of time-intensive tasks. Automation is the obvious tool for this and has shown clear benefits to cybersecurity organizations on multiple levels. In terms of strengthening retention practices, it gives employees the chance to work with new technology, which ranks high in influencing job satisfaction. Automation also reduces the time staff need to spend on repetitive tasks such as day-to-day monitoring of logs and policy enforcement, freeing them up to focus on more challenging and higher-value tasks that lead to greater enjoyment.
Evolving machine learning to human-machine teaming leverages the advantages of intelligent automation of many tasks while emphasizing the importance of people to perform strategic analysis and problem solving. This approach provides staff with opportunities to focus on tasks they find most rewarding and reminds them of the value they provide the organization in their critical role. We need machines to process the volume of data security teams manage every day, but we need humans too, to outthink the people behind the code on the other side.
Educate all staff on the responsibility of security
IT and SOC teams have traditionally been the primary guardians when it comes to keeping an organization secure. But in the face of advanced threats at every angle, the duty must be shared by everyone to be truly effective against cyber threats. By educating the entire employee base about the role they play in keeping the business safe, leadership can build a culture of security that takes some of the pressure off one department. Giving your IT and SOC staff the support of the rest of the company will go a long way to boost morale and share the responsibility of organization-wide security.
Hiring more staff may be challenging with the looming talent shortage, so taking a more strategic approach that focuses on retention and education of current employees will go a long way to building a sustainable team of cybersecurity professionals. Spend the time and effort upfront to develop a thoughtful model for recruitment and retention, and it will reduce the resources wasted on dealing with staff churn. Focusing on building a positive environment, supporting staff with the right technology, and educating everyone on their role in security will create a team of cybersecurity professionals that can help you build a strong culture of security across the entire organization.
In the face of a growing shortage of cybersecurity professionals, taking a strategic approach to retention is critical to sustaining your talent pool. Consider these three factors identified in the McAfee Winning the Game study when crafting your model for staff development.