The “Great Resignation”, or the “Big Quit”, is one of the biggest challenges for employers and professionals in all industries right now. Is it a temporary trend as we recover from the unrest of a global pandemic, or is it symptomatic of a larger employment problem? And how does the cybersecurity industry, which was suffering from a labor shortage even before the pandemic, keep their staff engaged, productive, and happy?
For 20 years, from 2000 to 2020, the US resignation rate never surpassed 2.4% of the total workforce. During the height of the pandemic in April 2020, the quit rate plummeted to just 1.6%, with employees plunged into lockdown and either unable to job hunt or laid off by employers. As the pandemic continued into 2021, the number of resignations has been steadily climbing, reaching 2.9% in August 2021, the highest on record. Tech is one of the hardest hit industries, with resignations increasing by 4.5%.
Many are attributing this employee exodus to the pandemic shifting priorities in both our lives and careers, with professionals delaying transitioning out of their roles until the pandemic eased, requiring more flexibility or better work-life balance. Half of professionals surveyed in ISACA’s State of Cybersecurity Report felt that cyber employees are leaving their current jobs due to lack of promotion opportunities and poor financial incentives, with 40% also blaming high stress levels at work. Stress amongst cybersecurity teams is common, with 91% of CISOs stating that they suffer from moderate or high stress and 57% of employees currently in a burnout state.
ISACA’s report also cited limited remote work responsibilities, poor work culture, and lack of management support as key factors contributing to cyber resignations. While a small number of cyber resignations were attributed to the professionals’ desire to change career path (i.e. 8% stated that cyber professionals leave their jobs to switch industries), it’s clear that the vast majority of resignations were motivated by working conditions and employer practices.
Another factor driving cyber resignations is the ill-defined job descriptions used in the industry, which rarely reflect the real tasks, projects and working conditions of a role. This results in a misunderstanding of what is required from and expected of a cyber professional in their day-to-day duties, making them more likely to pursue a new role sooner.
After recognizing this, CyberSN developed our exclusive Job Taxonomy to provide the cybersecurity industry with a common language. Our Job Taxonomy categorizes every single cyber job in the US into our 45 functional roles, streamlining job description creation and making roles far easier for professionals to find. This means companies can more accurately portray what it’s expecting from its cyber professionals.
The best way to avoid being affected by soaring resignation rates is to focus on employee retention. The work doesn’t stop once the right professionals have been found and hired — to keep them engaged and enjoying their role, employers must commit to improving team communication, developing diversity, equity, and inclusion policies, investing in emotional intelligence (EQ) training, and even reskilling current employees to promote internally. By providing consistent career planning and investing in company culture, organizations will see retention flourish.
CyberSN have identified that all people want the same 7 things at work:
By understanding and implementing these 7 things, employers can see improved retention and avoid the negative impacts of the Great Resignation.
A certain level of employee churn is expected. People grow and change, making way for fresh perspectives. However, it’s important to ensure that employees are never leaving for the wrong reasons. The Great Resignation does have a silver lining — the spike in resignations will hopefully cast a spotlight on retention and cause a shift in hiring and continued employment practices, giving the job seeker a more equitable experience and putting retention on the front-burner of employer policies.
For support with employee retention, training, and all things cyber recruitment, reach out to a CyberSN consultant.
At the RSA Conference in San Francisco last week, I spoke with many, CISOs, and cyber leaders about the tough hiring market for cybersecurity professionals today and what companies can do to improve their recruiting efforts. While there are many methods companies can use to recruit better, operating a well-staffed cybersecurity team also requires retaining the people you have.
CyberSN Founder and CEO Deidre Diamond spoke about the importance of talent retention during the RSAC seminar, Personnel Management and Building Successful Cybersecurity Teams. Her talk, “Talent Exfiltration - An Insider’s Guide To The Talent Attack Lifecycle,” focused on how culture, professional development, and diversity can be real difference-makers in retaining top talent. If you didn’t catch Deidre’s talk, here are the key takeaways you can use to ensure you’re retaining and advancing your most talented cybersecurity team members.
We find people ultimately leave their jobs most often because of two reasons: the culture and the leadership. Generally, cyber professionals have passion for their work and enjoy what they do, and despite cyber being a technical field, it’s still a people-centric profession.
When hiring in highly specialized fields where the labor pool is tight, companies must put in effort to counter exfiltration. Check in with people to see if they are unhappy and how the company can address their pain points. Remember, people don’t change jobs, they change leadership and companies. Here are some of the most common complaints my colleagues at CyberSN and I hear:
We’ve all seen how companies respond to a security breach or adverse industry event. The company takes a new found focus, announces investment in cybersecurity and additional people to show the issue is being taken seriously. The staffing efforts inside the building may tell a different tale. Funding for new cyber positions doesn’t always translate to new team members. Without a budget for HR support or for professional services of an external recruiting team, those positions go unfilled and the team feels overworked and disrespected.
No one wants their work to be seen as low priority or less important. Cybersecurity leaders must be willing to go to bat for their teams to get the resources they need or valuable people may be headed for the door.
While respect from company leadership helps improve work culture, having the respect of peers and direct managers is just as important. Managers must be diligent when it comes to ensuring mutual respect among employees and that all voices are heard. Unfortunately, the cybersecurity community, and the tech industry in general, still has hostility toward talent that is not white and male, as a few high-profile employment lawsuits have revealed. Even at companies that say they are making efforts to increase diversity, the diversity of the team doesn’t always line up with stated goals. Hiring a diverse team and addressing issues of workplace hostility quickly will make non-white and female employees feel valued.
This is something we see all the time. Working long hours, staying current with trends, constantly being asked to do more with less, and a poorly defined role can leave staff feeling overwhelmed and burned out. When 68% of cyber professionals say their job can be taxing on balance between personal life and work life, it’s no wonder nearly three-quarters of cybersecurity professionals are open to a job change.
What attracts people to cybersecurity is also what gives them the desire to keep moving forward in their careers, such as a wanting to solve problems and challenge themselves. A 2018 Capgemini survey found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job. Conducting regular performance reviews, setting a defined career path, and providing relevant training will show people the company is invested in their success and wants them to stick around. In turn, people will feel more invested in the company if they believe it will help advance their careers.
As a cybersecurity recruiting firm, we’ve become skilled at finding the cracks in an organization and its cybersecurity team. Keeping an eye on the news and maintaining a deep network within the cyber community lets us know who’s happy and who’s not—sometimes even before they do. Coaxing talented but unhappy people away to another company is the secret to success.
I wanted to share a precursor to my RSAC 2019 talk. Join me Friday, Mar 08 | 11:10 A.M. – 12:00 P.M for Retaining and Growing Cybersecurity Talent: A Proven Model. RSVP to this session here.
As 2019 begins and companies ramp up their Q1 cybersecurity staffing initiatives, hiring data reveals that filling an open position, a process that normally takes between three and six months, is only half the battle. At CyberSN, the leading cybersecurity staffing firm in North America, we have found that retaining cybersecurity talent is even more difficult than finding the “right” candidate.
The intersection of these trends has created an industry-wide problem, where companies invest significant time and capital pursuing, on-boarding and training cybersecurity talent, only to watch new hires leave after a year. Conventional cybersecurity HR practices only ensure that this vicious cycle repeats itself ad infinitum.
With enterprises increasingly under attack from cybercriminals, and hemorrhaging trillions in hacking-related losses, these hiring gaps leave companies exposed to an unacceptable spectrum of risk. In fact, industry research firm Cybersecurity Ventures projects 3.5-million unfilled cybersecurity positions by 2021. In the U.S., it is CyberSN’s view that this talent gap constitutes a national security crisis.
Given these sobering statistics, the development of a strategic framework to ensure long-term talent retention is a New Year’s resolution that every cybersecurity hiring manager should make in 2019.
This blog post will explain the rhyme and reason behind each tactic, and how integrating the three into one cohesive hiring strategy can help organizations achieve better cybersecurity talent retention.
According to trade certification organization (ISC)² only 15 percent of employees have no intention of leaving their current employer. This may be due to the fact that cybersecurity talent are looking for more than a job. They want a career with an organization that invests in their continuing education and rewards their evolving value.
Yet a 2017 survey of 300 cybersecurity professionals conducted by Endgame’s Andrea Little Limbago found that over 50 percent of respondents cited lack of career advancement as the primary reason for ditching their previous employers. These findings dovetail with a 2018 Capgemini survey, which found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job.
Meanwhile, 59 percent of (ISC)² survey respondents cited continuing education and investment in new cybersecurity technologies as the most important factors, when evaluating current job fulfillment.
In 2019, hiring managers must take the hard data into account and invest more in employee training, while staying up to date with the most cutting-edge cybersecurity tools.
This approach will help cybersecurity professionals see a runway that nurtures their professional development and enables them with the resources to grow within the company and beyond. This is especially important for younger cybersecurity professionals. According to the Capgemini study, new entrants into the cybersecurity labor market from Generations Y and Z are more inclined to stay with employers that help them “visualize a career path.”
According to Capgemini, 83 percent of cybersecurity professionals cite work-life balance as the most important consideration when switching jobs. On a related note, Limbago’s 2017 survey found that 38 percent of cybersecurity professionals cited burnout as the main reason for leaving their jobs, while another 28 percent cited stress.
Limbago’s data is not all that surprising, seeing that the topic of an August 2018 Black Hat Conference panel in Las Vegas: “Burnout, Depression and Suicide in the Hacker Community.” This discussion identified burnout as a “monumental mental health crisis” afflicting cybersecurity professionals.
Part of the reason for this pervasive burnout is that organizations often fail to provide clearly defined roles for their hires. As a result, security talent may find themselves juggling multiple responsibilities and tasks that deviate from their initial understanding of the position, for which they were on-boarded. By bombarding personnel with divergent workloads that may not be specific to their expertise, enterprises risk overwhelming cybersecurity talent, pushing them to leave their jobs or worse.
Beyond creating well-defined responsibilities that are aligned with the skill sets and core capabilities of cybersecurity personnel, organizations must also be receptive to their needs as people.
According to Capgemini, “Flexible work arrangements have become an important factor for employee satisfaction, helping reduce absenteeism, increase productivity, and enhance employee engagement.” As such, hiring managers should be willing to accommodate flexible work schedules and remote working.
According to trade organization Society for Human Resource Management (SHRM) “women and minorities remain significantly underrepresented in the cybersecurity profession.” In fact, 2017 survey data published by SHRM found that women and minorities only make up 11 and 12 percent of the cyber workforce, respectively.
To make matters worse, the cybersecurity community has long been plagued by cultural toxicity that has fomented a hostile environment for talent that is not white and male. In fact, Limbago’s survey found that 85 percent of female respondents reported being discriminated against at professional cybersecurity conferences.
The good news is that the culture is gradually changing, as evidenced by Black Hat, which last summer, invited speakers to discuss gender discrimination – a topic that had never before been addressed in the conference’s 21-year history.
Overcoming these cultural problems is key because research is increasingly demonstrating that a diverse workforce delivers better business results. In fact, research from McKinsey & Company revealed that firms in the top quartile for racial and ethnic diversity are 35-percent more likely to have financial returns above their respective national-industry averages.
The same principle applies to cybersecurity, where increasingly diverse threats demand new approaches and ideas to combat them. Speaking to this point is Javvad Malik, security advocate at AlienVault, who told Information Age, “ Security teams need diversity because of the diversity of challenges that it faces. Cyber/information security isn’t a narrowly-defined field, where one skill set can cover the entire spectrum.”
Therefore, by promoting healthier workplace cultures, companies can prevent the alienation of women and minorities, which has caused many to leave their job or the industry altogether. Cultural progress may require firing a workplace jerk or two, but the end results will yield better employee retention, which ensures better cybersecurity for the organization.
Ultimately, these historically marginalized groups represent an untapped resource that can help enterprises avoid the cybersecurity talent crunch.
With nearly half of all cybersecurity professionals being contacted weekly by recruiters, according to (ISC)², these specialists are some of the most coveted candidates in the job market. The dearth of skilled talent creates a situation, where cybersecurity personnel have no shortage of new job alternatives if their current employers fail to meet their expectations.
CyberSN’s three keys to cybersecurity talent retention can help organizations change this paradigm and create a more strategic human resources framework. While career advancement, work-life balance and diversity are not the only three factors that infosec talent consider when evaluating job fulfillment, together they form a sound foundation for successful retention.
We hope you enjoyed reading this post and be on the lookout for more CyberSN content in 2019. For more information about CyberSN and how we can help your company fulfill its security staffing needs, please visit our website.