Retaining Cybersecurity Talent: Takeaways From RSA Conference 2020

At the RSA Conference in San Francisco last week, I spoke with many CISOs and cyber leaders about the tough hiring market for cybersecurity professionals today and what companies can do to improve their recruiting efforts. While there are many methods companies can use to recruit better, operating a well-staffed cybersecurity team also requires retaining the people you have.

CyberSN Founder and CEO Deidre Diamond spoke about the importance of talent retention during the RSAC seminar, Personnel Management and Building Successful Cybersecurity Teams. Her talk, “Talent Exfiltration - An Insider’s Guide To The Talent Attack Lifecycle,” focused on how culture, professional development, and diversity can be real difference-makers in retaining top talent. If you didn’t catch Deidre’s talk, here are the key takeaways you can use to ensure you’re retaining and advancing your most talented cybersecurity team members.

Why does cyber talent leave?

We find people ultimately leave their jobs most often because of two reasons: the culture and the leadership. Generally, cyber professionals have passion for their work and enjoy what they do, and despite cyber being a technical field, it’s still a people-centric profession.

When hiring in highly specialized fields where the labor pool is tight, companies must put in effort to counter exfiltration. Check in with people to see if they are unhappy and how the company can address their pain points. Remember, people don’t change jobs, they change leadership and companies. Here are some of the most common complaints my colleagues at CyberSN and I hear:

The company doesn’t take cybersecurity seriously

We’ve all seen how companies respond to a security breach or adverse industry event. The company takes on a newfound focus, announcing investment in cybersecurity and additional people to show the issue is being taken seriously. The staffing efforts inside the building may tell a different tale. Funding for new cyber positions doesn’t always translate to new team members. Without a budget for HR support or for the professional services of an external recruiting team, those positions go unfilled and the team feels overworked and disrespected.

No one wants their work to be seen as low priority or less important. Cybersecurity leaders must be willing to go to bat for their teams to get the resources they need or valuable people may be headed for the door.

Not being heard

While respect from company leadership helps improve work culture, having the respect of peers and direct managers is just as important. Managers must be diligent when it comes to ensuring mutual respect among employees and that all voices are heard. Unfortunately, the cybersecurity community, and the tech industry in general, still has hostility toward talent that is not white and male, as a few high-profile employment lawsuits have revealed. Even at companies that say they are making efforts to increase diversity, the diversity of the team doesn’t always line up with stated goals. Hiring a diverse team and addressing issues of workplace hostility quickly will make non-white and female employees feel valued.

Burnout and poor work-life balance

This is something we see all the time. Working long hours, staying current with trends, constantly being asked to do more with less, and a poorly defined role can leave staff feeling overwhelmed and burned out. When 68% of cyber professionals say their job can be taxing on the balance between personal life and work life, it’s no wonder nearly three-quarters of cybersecurity professionals are open to a job change.

Lack of opportunity and growth

What attracts people to cybersecurity is also what gives them the desire to keep moving forward in their careers, such as wanting to solve problems and challenge themselves. A 2018 Capgemini survey found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job. Conducting regular performance reviews, setting a defined career path, and providing relevant training will show people the company is invested in their success and wants them to stick around. In turn, people will feel more invested in the company if they believe it will help advance their careers.

Look for red flags within your company

As a cybersecurity recruiting firm, we’ve become skilled at finding the cracks in an organization and its cybersecurity team. Keeping an eye on the news and maintaining a deep network within the cyber community lets us know who’s happy and who’s not—sometimes even before they do. Coaxing talented but unhappy people away to another company is the secret to success.