June 25, 2021 | 10 minute read
The foreshadowing of increasing cybercrime, coupled with the talent shortage, often includes the topic of retention. Retention is a pillar of solutions that would systematically help bolster the cybersecurity workforce, ensuring that organizations of every size have a strong security posture.
At each level within a security team, there is a revolving door. Poaching, burnout, lack of promotional incentives, and toxic or uncomfortable work environments are among the many reasons for employee attrition, or the voluntary exiting of an individual from a company. A high turnover rate can lead to unmitigated cyber threats, put an organization at risk to be severely compromised, and impose substantial costs to respond and recover from an attack. Likewise, there are costs that come with hiring a new candidate; from recruiting, interviewing, and assessing, to hiring, onboarding, and training.
Retention and attrition, both, reflect the human factor in job satisfaction, which is paramount to the success of an organization’s cybersecurity posture. Cybersecurity is about the people who handle the people’s data, more so than the computers where the data sits. Technology, itself, is a byproduct of human aspiration, creativity, and passion. How can industries translate these sentiments, and all human aspects of working in IT and security, into structured and effective team management programs? People need compassionate leadership, mutual connection, and vision, not overlords and timestamps, for job satisfaction rates among cybersecurity professionals to go up.
Below, we take a look at current reasons for the difficulties surrounding talent acquisition and retention progress, as well as incentives that actively lure cybersecurity professionals from one company, to another. Lastly, we’ll cover some examples of what executives, program managers, and security directors are doing to fuel retention, and reduce employee attrition.
Missing Links and Motivation
For executives and hiring managers, in both private and public sectors, the constantly changing landscape of cyber threats, as well as inconsistent or nonexistent frameworks for skills development leave organizational decision makers struggling to recruit and retain top cybersecurity talent. In the 2021 Hays US Cyber Security Report, from a survey of US cybersecurity professionals and employers conducted between December 2020 and January 2021, the recruiting experts found that only 39% of respondents feel they have the ability to retain cyber staff. However, a little over half (55%) of organizations surveyed say they are capable of developing cyber security talent. Moreover, when asked how difficult it is for their organization to recruit cybersecurity talent, on a Likert scale of ‘Not Applicable’ to ‘Difficult’, over half (60%) of respondents replied with, ‘Difficult’.
These findings point to the missing links between HR, management, and leadership teams, that organizations have yet to address internally. When there are structured processes in place to ensure the talent acquisition, training and development, well-being, and retention of cybersecurity professionals, only then will we begin to see any improvements in the talent shortage.
Perennial urgencies, and calls-to-arms, to motivate employers and government entities to lean in and explore what solutions and frameworks can aid their talent acquisition and retention, are suffocated by, what Hays US also found in their survey, the three biggest security challenges organizations identified.
Insufficient Funding– Not having enough money is a common reason, or excuse for businesses and government agencies to put off investing in, or improving cybersecurity skills development. Even President Biden’s proposal of $9.8 billion in federal civilian cybersecurity spending, an increase from previous budgets, is receiving feedback that that number is simply not enough to develop the level of security our nation’s infrastructures and organizations will require in years to come. Rethinking cybersecurity budgets to fit a specific plan of action, and not the other way around, might be a key determinate of its future success.
Increasing sophistication of threats- There are more devices connected to the internet than ever before, and the way we work is rapidly changing in the aftermath of COVID-19. The sophistication of threats has increased, especially from the previous years’ collective move to remote work, where personal cyber hygiene and re-engineering company security protocols became new priorities. Lack of security talent, hybrid work environments, insider threats, and human error are serious security concerns. From social engineering, to undetectable, widespread cyber incidents, private companies and government sectors’ flexibility and agility are being further tested by threat actors.
Protection of Customer Data- This is a top priority for every organization because customer satisfaction, in the age of digital transformation, relies heavily on trust with personal data. For this reason, companies will deploy encryption, the technicalities of which, are always shifting due to new emerging technologies, increased customer awareness, and compliance requirements. Protection of customer data is a very important aspect of security posture, one where a steady burnout of security talent and ongoing employee attrition would be damning to business survival.
From industry perspective, nothing is more counterproductive and limiting than expressing a problem is too grand, that there are bigger challenges, and that it can’t be done because there is no money. Furthermore, getting various departments, or hiring authorities, to work together to come up with effective solutions is a challenge in and of itself, and needs third-party support. Investing in upskilling, reskilling, and methods to retain top cybersecurity talent alone would significantly impact the talent shortage, the overall confidence of America’s corporations in cyberspace, and save organizations diabolical costs in the future.
On the flip side, of the same coin, cybersecurity professionals have been sending distress signals of burnout for a long time, prior to the pandemic. In the third quarter of 2019, many news sources began citing a security operations center (SOC) study, authored by the President of Ponemon Institute, Larry Ponemon. The baiting statistic gracing headlines, was more than half (65%) of IT and security professionals considered quitting their job. Around the same time, McAfee published a blog that cited statistics from their 2018 report, “Winning the Game”, in which they surveyed 950 cybersecurity managers and professionals in public and private sector organizations with 500 or more employees, on the topic of cybersecurity defenses. Similarly, they found only 35% of respondents were “extremely satisfied” with their job, and a whopping 89% would consider leaving their roles if offered the right type of incentive.
Kevin Coston, Cloud Security Architect II at Akamai Technologies, in a blog piece for Dark Reading, candidly wrote, “Now it is up to organizations to adopt a motto that we as cybersecurity professionals live by: “The goal is simple: Protect the human and their well-being at all costs.”” This statement, from, “What Has Cybersecurity Pros So Stressed—And Why It’s Everyone’s Problem”, sums up the neglect still felt by an entire community of professionals. Coston begins his proclamation by highlighting the arduous hours, constant response to cyberattacks, dated strategies, thanklessness for service, lack of educational support, and skewed work-life balance. It is an honest and thought-provoking plead for attention to the matter, and call for change from leadership and development teams moving forward.
“Now it is up to organizations to adopt a motto that we as cybersecurity professionals live by: “The goal is simple: Protect the human and their well-being at all costs.””
Security professionals leaving their work roles, and even quitting the industry entirely, is a disaster for everyone. An unstable cyber defense strategy opens the floodgates for threat actors to expand upon their criminal enterprises and targets. In the last quarter of 2020, ISACA’s “State of Cybersecurity 2021 Report”, which surveyed 3,659 cybersecurity professionals spanning 120 countries, found that over half (53%) of respondents indicated difficulty retaining talent. In an inventory of reasons for employee attrition, 58% of respondents cited being recruited by other companies as the number reason, while 47% attributed limited promotion and development opportunities as the second greatest factor. In the same report, findings showed that 56% of hiring managers still cite Soft Skills (e.g. communication, flexibility, and leadership) as the biggest skills gap seen in today’s cybersecurity professionals. Followed by 36% of hiring managers seeing gaps in Security Controls (e.g. endpoint, network application, implementation). Those numbers increased to 64% and 56%, respectively, when asked the same question regarding recent university graduates.
Additionally, Coston questions the reality and extent of the skills gap. People in IT and cybersecurity want to develop the skills they will need to fulfill specific work roles, and be supported in that promotional quest, financially and holistically, by the company they work for. The industry concurs more people and skills are needed, too, but the actual methods put into practice leave a lot of individuals and security workers to deal with the cost of training and education all on their own, oftentimes, on top of an already demanding job. To call this logic backwards and overwhelming for security professionals everywhere, and for individuals looking to enter the industry, would be an understatement.
In November of 2020, Infosec released a series of twelve podcasts discussing career strategies, hiring best practices, team development, security awareness essentials, and the importance of storytelling in cybersecurity. One in particular that stood out, titled, “Upskilling to Deepen Employee Engagement & Retention”, takes a detailed look at the models and structures enterprises are using for security training and development programs. The podcast features guest interviewees, Jessica Amato, Operations Manager at Raytheon Technologies, and Romy Ricafort, Senior Director for Sales Engineering at Comcast Business. Both Amato and Ricafort agree that retention is achievable through the combination of establishing a learning and career growth path for employees, fostering curiosity with open communication between employees and managers, and implementing cross-functional working groups between HR, leadership and development teams, and third-party partnerships.
Initiating from the Top-Down
It is clear that retention and high attrition rates aren’t just operational tantrums that neither side of company hierarchy has the motivation to work on. Also apparent is the importance of treating cybersecurity professionals as people, with the same aspirational desires, workplace needs, and human capacity for being burnt out and overworked, as anyone else.
Outlooks and methods on retention and lowering attrition, from the executive-level, vary greatly depending on what organizational aspects are deemed as priorities. John Chambers, former executive chairmen and CEO of Cisco Systems, and George Kurtz, CEO and co-founder of CrowdStrike, a leading endpoint protection platform, agree that executives should be “obsessed with culture”. An article by dot.LA mentions that during Chamber’s time as CEO of Cisco, he was given a 95% employee retention rating, well above industry average. On a panel for the 2020 Montgomery Summit in Santa Monica, he lamented, “Culture is as important as strategy and vision, and I did not understand that when I was a young CEO.” Both Kurtz and Chambers point towards the hiring process, including thorough screening, as a key driver in finding people who “fit” the company culture.
“Culture is as important as strategy and vision, and I did not understand that when I was a young CEO.”
Notable in comparison, Madhavi Bhasin, VP, Diversity and Inclusion at Okta, Identity Access Management providers, recently reflected on the company’s structure for retaining and developing talent, in the wake of racial justice reform and equality. In a blog post, Bhasin paints a picture of a culture hyper-focused on progress, diversity, inclusion, and belonging. Okta has worked over the past year, to make improvements to their commitment for systemic change, by providing a dynamic work model, unconscious bias prevention training programs for hiring managers, an Architect in Training Program for Engineering focused on training underrepresented minorities, clearer career pathway incentives for Black, Indigenous, People of Color talent aspiring to leadership roles, a robust and culture-based onboarding process, and an emphasis on demographics to enhance their overall strategy. Bhasin admits that Okta’s workforce and workforce development model is a work-in-progress, but asserts that diversity and inclusion will continue to be the core components of their strategies in the future.
Despite lingering discrepancies in what “culture” means to each private, or public organization executive, it will be interesting to see what future, data-driven results show of both the aforementioned, when it comes to retention, attrition, and job satisfaction.
CyberKnights for Talent Assessment, Development, and Retention
We understand that there are many obstacles employers face, when it comes to the hiring process and retention, and the need for job satisfaction among cybersecurity professionals is too great to put off until tomorrow. Our mission is to help bridge the gaps in your internal resources, so you can find, assess, and hire your ideal candidates, as well as continue to engage with your employees, by supporting their development and continuing career journey through our partnerships with leading industry training and education providers.
The CyberKnights portal is a conduit for employers ready to establish the right balance between hiring security talent, and upskilling or reskilling current employees. Our skills-centric platform is built on the NIST-NICE Framework, a widely adopted taxonomy of highly technical, as well as non-technical, defined cybersecurity work roles. By developing your security team with CyberKnights, and seeking to strengthen your organization’s security posture, for a fraction of traditional hiring and recruitment costs, you’ll be provided:
- Visibility to a talent pool of cybersecurity students, interns, apprentices, and experienced professionals, including details such as current KSAs, security clearances, certifications, and military experience.
- Ability to conduct Skills Gap Analysis for your company, based on current employee knowledge and skills, and discover which NICE Framework aligned KSAs are currently missing in your organization.
- Creation of detailed Skills Postings (a.k.a. Job Opportunities) to attract talented individuals seeking employment.
- Visibility of prospects and current employees’ Soft Skills and Cyber Range Hard Skills Assessments results
- Interactive employee, apprentice, or intern Career Journey Maps for career development processes
- Demographics to inform hiring and retention strategies
- Access to CAE curriculum and KSA aligned industry leading certification vendors