How to retain your cyber staff
As most organisations are painfully aware, cyber security skills are in short supply. But once you’ve developed in-house talent, how do you retain your staff, asks Steve Mansfield-Devine
“Staff retention is something that should be on every organisation’s radar, and ensuring your infosec staff feel happy and valued can pay dividends to your business,” says Lisa Ventura, founder of Cyber Security Unity and a member of the advisory council for International Cyber Expo.
And it’s not just a matter of pay and perks, she says.
Other key factors are: “giving your employees the tools they need to do their jobs more effectively, being transparent about the company and their role in the future of it; and providing opportunities for promotion and growth.”
Respect for security professionals and the work they do is important – and often missing.
Security is often seen as an inhibitor rather than an enabler, and security staff can be viewed as nagging nuisances who want to impose barriers in the way of getting the job done. This creates a gap between the security function and the business.
Some security specialists don’t help the situation by not doing their part to bridge that gap.
“While many do it well, far more struggle to be heard, to talk the language of business, to translate cyber risk into business risk that can be understood by peers,” says Sam Curry, chief security officer at Cybereason.
“A CISO friend of mine recently told me he was the only C-level executive who didn’t report to the CEO, and when a breach occurred, it was squarely on his shoulders, yet the team had no idea how to talk to him.”
For the most part, though, it’s up to business leaders to ensure that the security function is fully integrated with the business – and for sound business reasons.
“It’s a little like compliance,” says Grant Wyatt, COO at Miracl. “If you think compliance is expensive, try non-compliance. The same is true with infosec – if you think it’s ‘too tedious’ and ‘irritating’, just wait until that breach becomes public.
“Senior figures, like the CEO and COO, must give credence and support, both in their decision making, and in ‘within company’ forums, to infosec.”
This may sound like special pleading. But the responsibility they bear for the business can put a particular kind of strain on security professionals.
A report by VMware, released at Black Hat USA this year, says that 47% of incident responders had experienced burnout or extreme stress in the past year, leading to 69% considering quitting their jobs.
“Infosec professionals often have a thankless task of keeping organisations safe which is a 24/7 round the clock job, and if something does go wrong the blame often lands solely on their doorstep,” says Ventura.
“This leads to a large amount of stress and burnout. Organisations need to communicate how valued their infosec teams are not just to the members of the infosec team but to all other business functions.”
The broader business culture has an important role to play here, especially at a time when lack of diversity is a significant factor in the cyber skills shortage.
“Many organisations don’t see that their working environments have become toxic until it is too late, and this often manifests itself by way of poor communication, bullying and unreasonable behaviour from bosses,” explains Ventura.
Building for the future
Education can play a key role in keeping security staff engaged and feeling like they have a future with the organisation. Certification, for example, is often seen as a measure of a security professional’s skills.
“Many organisations see training as an expense and not as an investment,” says Ventura. “In infosec, a lack of knowledge could be very costly later in the event of a data breach occurring.”
Some firms shy away from this because of the fear that they are paying for someone to gain the qualifications needed for their next job. But this is short-sighted, says Wyatt.
“If you train people and they leave, it’s not great, but it’s better than having an undertrained, unmotivated person who wants to stay,” he says.
Doing something that matters
According to Curry, the best cyber security professionals – the ones you most want to keep – believe that what they do is important, and the organisation needs to understand this and communicate this understanding.
“We are defenders. We are protectors. We are on the cyber wall, and our job matters,” he says.
“Working somewhere where the role of defender protects important work and the weak is an important core mission and trumps many other motivations for people.
“It’s the same reason some people go into government work or volunteer or take up a cause. Word to the wise CISO: make sure the work is about what matters and not just nine to five (or longer!) drudgery.”