How CISOs can Find and Retain Security Staff During the Great Resignation | Imperva


The rising demand for cybersecurity professionals

As if the skill shortfall in cybersecurity wasn’t bad enough, the employment landscape is shifting rapidly. This shift is due, in part, to historically low unemployment claims, unrivaled quit rates, and swathes of baby boomers and older Gen X experts retiring – commonly known in HR circles as The Great Resignation.

The demand for cybersecurity professionals has soared since the advent of the new work-at-home culture, with far greater numbers of skilled IT security staff required than the currently available pool of talent has to offer. Education and training still need to catch up with demand, and there are fewer cybersecurity professionals leaving university than there are businesses with the need for their skillset. Sometimes, when a person leaves, this can act as a wake-up call for other staff and start a wave of resignations. When budgets are tight and demand is high, recruiting and retaining good staff is becoming a major headache for busy CISOs with enough plates to juggle and fires to fight.

Attracting talent in an ultra-competitive IT labor market

To attract strong talent, you have to pay the right rate for the job you are advertising. Different roles demand different salaries. The words “competitive salary” are a turn-off for many, and people like to see what you are offering within the job description. Potential staff want honesty and fair pay for their time and effort, especially if you are going to demand a testing process or multiple interviews during recruitment. People love benefits and bonuses, and bonuses can encourage some applicants, but in today’s economy cash (as they say) is king. People have rising fuel and utility bills, see looming supply chain shortages, soaring supermarket prices, and are looking for financial security for themselves and their families. Prospects don’t want to play the usual corporate game as you try to work out what salary they are currently on, then what they are expecting, vs what the company is willing to pay. What you are willing to pay will always be the bottleneck, regardless. Take a look at what other positions in similar companies are offering and, ideally, match it or beat it – and include your salary offer in your advertisements.

HR is now a PR exercise. People see behind the curtain into your organization via social media, and this is how they will judge you and what it is like to work for you. LinkedIn is often their first port of call, followed by a Google search and (if appropriate) Wikipedia. Take a look at your online presence. Does it reflect your brand and culture accurately? Are you seen as a thought leader, offering a great place to work? Do you have a poor rating on Glassdoor? Are there moaning posts on Twitter from staff about working conditions? If the answer to the latter two questions is yes, this will call for some reputation management and a proactive campaign to boost your public image through your available marketing channels. Encouraging positive commentary and content sharing by your existing staff is always a help in this area, but this is a conversation you need to have with your marketing department or agency, and recruitment should be a consideration in the marketing mix.

Quality time is precious, and people value their work/life balance. What can you offer to make your organization more attractive? Do you operate hybrid or remote working systems? Be clear with what hours you require for security coverage and detail those boundaries in the job description. Flexible working hours are a draw for many people. Starting an hour later so that you can drop off the children at school is priceless for some people. For others, being able to finish early on a Friday may be the thing that seals an employment deal. Make the “flexibility factor” clear in any advertising. If people believe your organization is respectful to their interests and individual requirements, you are already on the way to making a bond with them before their interview.

Also, tread gently with your onboarding process. Cybersecurity is notoriously rules-heavy, but new hires are at their most impressionable during the first couple of months of their new job. They may still feel as though they are in a state of transition, where they could jump to another role if it were offered to them.

Keeping talent

Research shows that 94 percent of executives and 88 percent of employees think that a distinct corporate culture is important to a business’s success [Deloitte], and a big part of that is a positive workplace way of life. People want to have fun at work, but they don’t want “forced fun”. Even when tackling serious challenges, like the cybersecurity of the organization, it doesn’t mean you have to be serious all the time. Remember, there’s a big difference between insisting everyone wear fancy dress for Comic Relief (and donate for the privilege) and subtly leaving a few Nerf guns in the canteen. The odd pizza lunch, celebrating staff milestones, and making the speaker hold a rubber chicken talking stick in Scrum meetings, can do wonders towards fostering a more friendly and proactive workplace culture. I once worked for a company that had an excellent after-hours LAN gaming group that we still talk about on Facebook. If employees are friends with the people they work with instead of just being colleagues, they’ll communicate more effectively, be more dedicated to their teammates, and work better together – as well as stick around.

Pretty much everyone HATES micromanagement, especially older and more experienced staff. According to The Micromanagement Survival Guide by Harry E. Chambers, 91 percent of managers were unaware that their employees left their job due to their close observation and tightly controlling management style – so you probably don’t know if you are. While micromanagers usually have the best intentions, their behavior often affects team performance and morale. It also slows down productivity when a manager doesn’t trust individuals to do their jobs and when they focus on the wrong priorities. New managers moving into established companies can often be guilty of this, usually unconsciously. Stop sending multiple emails to check employees’ progress. Encourage independent decision-making. Don’t avoid delegation. Respect people’s expertise. Ditch the requests for unnecessary and overly detailed reports, and automate the essential ones. Don’t sweat the tiny details. An honest and thoughtful self-assessment of your own behavior will tell you if you’re being too controlling and need to step back to preserve morale and improve staff retention.

Investing in your team through training and by giving them responsibility shows trust and gives them ownership. Tasking people with leading red team exercises, awareness training, or phishing testing is a great way to show you value them and encourages growth that can be rewarded come appraisal time. Remember though, no one likes taking on extra tasks, no matter how well-meant, for nothing.

Eliminating roadblocks to success is vital for staff well-being. Having the right tools to do their job and offering them the path of least resistance towards success lets them know you’re on their side. If your team is wading upstream through a barrage of alerts and fighting against the app development team to police best security practices, that soon gets tiresome and will invariably lead to them looking for opportunities elsewhere. Investing in your team by investing in the right tools and the training to use them is essential. Having clear and actionable insights, plus easy reporting, can streamline cybersecurity workflows and relieve some of the pressure from busy teams. When people feel invested in, they feel valued. Consider putting some money into cybersecurity automation, which will also relieve some of your overall capacity/recruitment problems, and (especially for less experienced teams) can greatly lower any chances of error compared to a manual approach.

People like perks and a bonus, but these are short-term benefits and there is no evidence to suggest that they are effective for long-term retention. They are rarely more attractive than the actual reason an employee may have to look for employment elsewhere. These are one-time payments and don’t foster loyalty. Regular salary increases, however, show progress and advancement. A yearly salary review allows for discussion around career advancement and sets goals and targets, and the simple act of rewarding a colleague with a senior title to reflect their expertise can go a long way to giving them justified acknowledgment. It should be noted, however, that extra responsibility should come with extra financial rewards – on its own a change in job title is not a suitable reward for an increase in liability or workload.

The little things mean a lot

The little things are more important to some individuals than we might initially think. When buying a car we may look for Bluetooth connectivity, a DAB radio, a certain color, aircon, a sunroof, or parking sensors, instead of fuel economy or brand. Details like this, in the context of the workplace, can make a big difference to staff retention and can make people stay or leave. Ask your team how you can make their work-life better. For some people, it might be as simple as a certain brand of coffee. For others, they may need a new office chair. You don’t have to bend to their every request, but if you look after your team – especially on a personal level – they will feel valued and look after the business.

Don’t praise mediocrity; this undermines excellence. People don’t like it when everyone is treated equally. Some produce more, and some achieve lesser results; that’s just how it is. Treating everyone the same makes your best players feel undervalued and can lead to job dissatisfaction.

Not acknowledging first-class performance and employee contributions can be just as detrimental to keeping hold of staff. It is essential to offer employees feedback and to highlight positive behavior we want to encourage. Outside of any regular formal review, “Thank you,” “Well done”, and “Much appreciated” can go a long way, especially in front of their peers. It also builds confidence and clarifies expectations. When employees are thanked and rewarded for their contribution to an organization, they feel pride and ownership.

Employees hate unnecessary rules. Organizations sometimes go too far when drafting their mandatory employee guidelines – to the extent that they can seem ridiculous and even oppressive. IT security is notoriously the domain of intelligent free-thinkers, and restrictions on dress code, the use of mobile phones or the internet, and even anti-moonlighting policies can be stumbling blocks to staff retention. Let people be people. Trust and respect are two-way streets.

Prevention is better than cure

Sometimes staff will choose to move on, and it’s just unavoidable. They may have other priorities. They may want to work in a start-up environment or move into consultancy and work for themselves. They may want to work with former colleagues who have previously moved on. Usually, they have already decided by the time they come to hand in their notice. Offering more money, a promotion, or other incentives may be too little, too late. The grass may well actually be greener on the other side, and there’s nothing we can do about that, but preemptive care and action like that above can dissuade our employees from looking over the fence into pastures new.