3 Tips for Reducing Security Staff Turnover

Differing approaches to pleasing in-demand talent can keep security employees happy and reduce attrition

The cybersecurity skills shortage that is so widely discussed is forecasted to result in 3.5 million unfilled positions by 2021. Research from ESG found 51 percent of organizations currently believe they have a “problematic shortage” of cybersecurity skills—an increase of seven percent from the year prior. This situation is problematic and its impact is seen and felt by staff on security teams worldwide.

In addition to the challenge of recruiting and finding cybersecurity talent, companies also have trouble holding on to it. Figures from ISC2 find cybersecurity professionals are constantly approached by recruiters, with 13 percent saying they are contacted multiple times daily, 8 percent once a day, 16 percent a few times a week and 34 percent a couple of times a month.

Competitive benefits and salary are given expectations for these infosec employees in demand today. What other factors can help keep security employees where they are in a job market where they have their pick of opportunities?

Check in with Employees on Their Advancement Plan

Many security employees are looking for challenging work, professional development opportunities and a path to advancement, but not necessarily into a management role. Those specifics are important for organizations to know about their employees to keep them feeling valued and satisfied.

Research from the Consumer Technology Association finds 74 percent of companies think professional development programs to develop soft skills will be a top benefit in retaining employees’ services over the next five years. The security leader should take the lead in connecting with staff to learn where their career and development priorities lie and map a plan to make it happen, according to insight from security veteran Ernie Hayden in searchsecurity.com.

“A CISO should take the time to learn the career interests of his or her staff so as to provide them with opportunities to grow,” he said. “A talented security analyst probably won’t want to remain in that role forever, so providing that person with a chance to work on architecture design or policy development will not only help prepare him or her for a more advanced position, but also demonstrates that the organization is committed to the growth and development of its employees.”

In a job market where infosec employees can go just about anywhere, this emphasis on helping them develop their path inside the organization brings focus to how much they are valued and leads to enhanced job satisfaction.

Focus on Work Culture and Make Changes Where Needed

Sometimes the answer to why employees leave is as simple as “because the company is not an enjoyable place to work.” Omar Khawaja, CISO at HM Health Solutions (HMHS), outlined in an article on CSOonline how his company went from a 30 percent attrition rate to one that is less than 5 percent by taking a hard look at company culture and revamping it.

“Often we start with, ‘What does a customer want, or what does the business want?’ The reality is, it should all start with the employees,” he said in the article.

Khawaja convinced HMHS to launch a three-year program to spark change in how the company interacts with its staff and “make the company a place they want to work in.” By hiring an organizational change management expert to examine the security function, HMHS got to the core of why people were unhappy—an assessment through surveys and focus groups identified barriers to change within the organization. From there, a new vision for the security team was built for the future.

Tim Johnson, CEO of Mondo, noted in Forbes that tech-driven companies need to work harder to develop an inclusive work culture: “It should be focused on producing results and allowing employees to do their best work, free from discriminatory comments or behavior,” he said. “To revamp your company culture, the most effective strategy starts from the top down.”

Johnson recommended company leadership first outline the employee-first culture they hope to offer by soliciting input from a wide swath of employees with different backgrounds and levels of experience. Then, introduce the new expectations with clear guidelines on how future issues will be handled.

“You may be surprised by just how effective this can be in reducing turnover rates,” he said.

Think Outside the Box for Hiring

If employees with deep information security backgrounds are too difficult to recruit and retain, maybe it is time to consider hiring talent with untraditional work histories to take on security roles in your organization.

In this roundup of desirable traits for cybersecurity job candidates, hiring managers named several attributes, including persistence, curiosity and being a continuous learner. None of these characteristics require a security-specific background to develop.

In an interview with CNBC, Vyas Sekar, an associate professor of electrical and computer engineering at Carnegie Mellon’s Cylab, noted the idea of what it takes to be a security professional is misunderstood.

“I think we have perpetuated this myth that cybersecurity is based on this hacker stuff, sitting in a basement and only working on technical things,” he said. “In fact, it’s those with an analytical mindset that can do very well in the cybersecurity field. The sort of basic computer science that is necessary can be taught later. It’s maybe more useful to think of cybersecurity as solving a bunch of interesting puzzles.”

Security leaders and hiring managers who are willing to recast their expectations and look to candidates with a wide range of competencies may find it is easier to fill roles and keep talent happy. An employee who sees the job as an opportunity to develop new skills and shift gears in their career is more likely to invest in staying longer term with a company—something to consider next time you’re looking to add to your security team.

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
