CIO upfront: Secrets to retaining cybersecurity professionals
- 12 December, 2018 06:00
Given the chronic shortage of cybersecurity professionals that organisations of all sizes face, you would assume that there would be a maniacal focus on retaining individuals with these critical skills. But it seems this isn’t the case, with many wanting to move on to other opportunities.
According to a recent survey of over 9,000 IT security professionals by tech recruiter Mondo, 60 per cent of respondents report they’re looking to leave their job.
A lack of growth opportunities and job satisfaction are tied as the top reasons to leave a job, followed by unhealthy work environment, lack of IT security prioritisation from C-level or upper management, unclear job expectations and lack of mentorship.
Those issues are always a factor in retaining any employee. Given that recruiters are constantly trying to lure cybersecurity professionals away with higher-paying offers, it’s safe to assume the phrase “growth opportunities” is, at least in part, a euphemism for money.
It’s hard in most organisations to get a decent raise without some level of promotion being involved. But there are only so many senior manager spots available and not every cybersecurity professional, no matter how talented, is cut out to be a manager.
In an ideal world, there would be a two-track path for advancement that would allow cybersecurity professionals to earn more money without having to move into the ranks of management. But not enough organisations are that enlightened.
The Mondo survey indicates that issues such as work-life balance, having security concerns taken seriously, increased sponsorship of certifications and courses, increased investment in emerging technology, and CISO leadership with clearly defined ownership of security needs are all significant factors when it comes time to convince cybersecurity professionals to stay longer in a job.
Of course, not every organisation has leaders who take cybersecurity seriously enough to appoint a CISO or, for that matter, to invest the right amount of money in cybersecurity.
Smaller companies are always going to have budget limitations. The sad fact is that the cost of a single cybersecurity breach often exceeds what a small-to-medium business (SMB) invests in cybersecurity on an annual basis.
Stressful and challenging environment
Cybersecurity professionals generally want the same things that most employees crave. The difference is the amount of inherent stress that comes with the job.
Not only is there a constant stream of threats that need to be thwarted, but employees are also constantly engaging in behaviours that make it more challenging than it necessarily should be for cybersecurity professionals to succeed. A breach may not be the fault of the cybersecurity team, but every security breach takes its toll on morale.
When everything goes right, there’s not much praise because most people inside the organisation are unaware of how many cyber attacks have been thwarted. When things go wrong, however, much of the blame gets attached to cybersecurity professionals.
Most cybersecurity professionals tend to be adrenaline junkies. Just like being a soldier in any war, being a cybersecurity professional is often marked by long periods of boredom punctuated by sheer terror once a cyberattack is detected.
Today, much of the adrenaline in cybersecurity is being channelled into threat hunting, in the hope that malware can be detected before its payload becomes active. There’s still the thrill of combatting an actual attack.
But most organisations are trying to reduce the number of live attacks that need to be thwarted as much as possible. The best battle is often the one that was never fought.
One way to alleviate some of this stress is to evolve your security teams from being protectors of all infrastructure and data into facilitators of risk-based decisions throughout the organisation. Fully integrate cybersecurity practices into the fabric of the organisation, rather than being just an afterthought linked to firewalls and antivirus software.
No longer can the cybersecurity team be solely responsible, especially with the prevalence of social engineering attacks (such as spear phishing) that require broader behavioural change. Share accountability for protecting enterprise resources with other corporate, business and IT teams. Many security functions can be “delegated” to these other teams, particularly user awareness and training.
Need to be valued
Most of all, skilled cybersecurity professionals want to work for organisations that value their efforts. Unfortunately for many, their organisations could be more secure. Organisations that have all four areas of cybersecurity – information security, network/infrastructure security, application security and cloud security – under control are very few and far between.
Of course, that’s also why many cybersecurity professionals ultimately decide to stay where they are. The next organisation they work for isn’t likely to pay any more attention to cybersecurity than the one they work for now. At the very least, the cybersecurity weaknesses of their current organisation are the devil they already know.
To retain and motivate your cybersecurity staff, you must have a vested interest in maintaining job satisfaction. While competitive compensation is a must, there are other incremental factors that will ultimately determine job satisfaction.
Cybersecurity professionals want to work for employers committed to continuous cybersecurity education. Provide support and financial incentives that enable them to develop their technical skills and participate in training.
A general organisational culture that promotes and supports strong cybersecurity is also important. There must be commitment from the top. In many cases it’s still treated as a technical problem, handled by technical people, despite the significant impact an attack can have on all aspects of a business. Ensure cybersecurity is part of business planning and is led by participation from executive managers and the board.
Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks.