I wanted to share a precursor to my RSAC 2019 talk. Join me Friday, Mar 08 | 11:10 A.M. – 12:00 P.M for Retaining and Growing Cybersecurity Talent: A Proven Model. RSVP to this session here.
As 2019 begins and companies ramp up their Q1 cybersecurity staffing initiatives, hiring data reveals that filling an open position, a process that normally takes between three and six months, is only half the battle. At CyberSN, the leading cybersecurity staffing firm in North America, we have found that retaining cybersecurity talent is even more difficult than finding the “right” candidate.
The intersection of these trends has created an industry-wide problem, where companies invest significant time and capital pursuing, on-boarding and training cybersecurity talent, only to watch new hires leave after a year. Conventional cybersecurity HR practices only ensure that this vicious cycle repeats itself ad infinitum.
With enterprises increasingly under attack from cybercriminals, and hemorrhaging trillions in hacking-related losses, these hiring gaps leave companies exposed to an unacceptable spectrum of risk. In fact, industry research firm Cybersecurity Ventures projects 3.5-million unfilled cybersecurity positions by 2021. In the U.S., it is CyberSN’s view that this talent gap constitutes a national security crisis.
Given these sobering statistics, the development of a strategic framework to ensure long-term talent retention is a New Year’s resolution that every cybersecurity hiring manager should make in 2019.
This blog post will explain the rhyme and reason behind each tactic, and how integrating the three into one cohesive hiring strategy can help organizations achieve better cybersecurity talent retention.
According to trade certification organization (ISC)² only 15 percent of employees have no intention of leaving their current employer. This may be due to the fact that cybersecurity talent are looking for more than a job. They want a career with an organization that invests in their continuing education and rewards their evolving value.
Yet a 2017 survey of 300 cybersecurity professionals conducted by Endgame’s Andrea Little Limbago found that over 50 percent of respondents cited lack of career advancement as the primary reason for ditching their previous employers. These findings dovetail with a 2018 Capgemini survey, which found that lack of career progression was the number-one reason cited by cybersecurity professionals for being dissatisfied with their current job.
Meanwhile, 59 percent of (ISC)² survey respondents cited continuing education and investment in new cybersecurity technologies as the most important factors, when evaluating current job fulfillment.
In 2019, hiring managers must take the hard data into account and invest more in employee training, while staying up to date with the most cutting-edge cybersecurity tools.
This approach will help cybersecurity professionals see a runway that nurtures their professional development and enables them with the resources to grow within the company and beyond. This is especially important for younger cybersecurity professionals. According to the Capgemini study, new entrants into the cybersecurity labor market from Generations Y and Z are more inclined to stay with employers that help them “visualize a career path.”
According to Capgemini, 83 percent of cybersecurity professionals cite work-life balance as the most important consideration when switching jobs. On a related note, Limbago’s 2017 survey found that 38 percent of cybersecurity professionals cited burnout as the main reason for leaving their jobs, while another 28 percent cited stress.
Limbago’s data is not all that surprising, seeing that the topic of an August 2018 Black Hat Conference panel in Las Vegas: “Burnout, Depression and Suicide in the Hacker Community.” This discussion identified burnout as a “monumental mental health crisis” afflicting cybersecurity professionals.
Part of the reason for this pervasive burnout is that organizations often fail to provide clearly defined roles for their hires. As a result, security talent may find themselves juggling multiple responsibilities and tasks that deviate from their initial understanding of the position, for which they were on-boarded. By bombarding personnel with divergent workloads that may not be specific to their expertise, enterprises risk overwhelming cybersecurity talent, pushing them to leave their jobs or worse.
Beyond creating well-defined responsibilities that are aligned with the skill sets and core capabilities of cybersecurity personnel, organizations must also be receptive to their needs as people.
According to Capgemini, “Flexible work arrangements have become an important factor for employee satisfaction, helping reduce absenteeism, increase productivity, and enhance employee engagement.” As such, hiring managers should be willing to accommodate flexible work schedules and remote working.
According to trade organization Society for Human Resource Management (SHRM) “women and minorities remain significantly underrepresented in the cybersecurity profession.” In fact, 2017 survey data published by SHRM found that women and minorities only make up 11 and 12 percent of the cyber workforce, respectively.
To make matters worse, the cybersecurity community has long been plagued by cultural toxicity that has fomented a hostile environment for talent that is not white and male. In fact, Limbago’s survey found that 85 percent of female respondents reported being discriminated against at professional cybersecurity conferences.
The good news is that the culture is gradually changing, as evidenced by Black Hat, which last summer, invited speakers to discuss gender discrimination – a topic that had never before been addressed in the conference’s 21-year history.
Overcoming these cultural problems is key because research is increasingly demonstrating that a diverse workforce delivers better business results. In fact, research from McKinsey & Company revealed that firms in the top quartile for racial and ethnic diversity are 35-percent more likely to have financial returns above their respective national-industry averages.
The same principle applies to cybersecurity, where increasingly diverse threats demand new approaches and ideas to combat them. Speaking to this point is Javvad Malik, security advocate at AlienVault, who told Information Age, “ Security teams need diversity because of the diversity of challenges that it faces. Cyber/information security isn’t a narrowly-defined field, where one skill set can cover the entire spectrum.”
Therefore, by promoting healthier workplace cultures, companies can prevent the alienation of women and minorities, which has caused many to leave their job or the industry altogether. Cultural progress may require firing a workplace jerk or two, but the end results will yield better employee retention, which ensures better cybersecurity for the organization.
Ultimately, these historically marginalized groups represent an untapped resource that can help enterprises avoid the cybersecurity talent crunch.
With nearly half of all cybersecurity professionals being contacted weekly by recruiters, according to (ISC)², these specialists are some of the most coveted candidates in the job market. The dearth of skilled talent creates a situation, where cybersecurity personnel have no shortage of new job alternatives if their current employers fail to meet their expectations.
CyberSN’s three keys to cybersecurity talent retention can help organizations change this paradigm and create a more strategic human resources framework. While career advancement, work-life balance and diversity are not the only three factors that infosec talent consider when evaluating job fulfillment, together they form a sound foundation for successful retention.
We hope you enjoyed reading this post and be on the lookout for more CyberSN content in 2019. For more information about CyberSN and how we can help your company fulfill its security staffing needs, please visit our website.