In the race to win the cybersecurity war, there are many components that you need to have at your disposal. Intelligent technology that extends your safety perimeter and strategic processes are a big part of the picture. However, your people will decide which way your cybersecurity future goes. Keeping your team consistent and proactive is hard if it’s a revolving door. So, what’s the key to cybersecurity retention?
Is it just a case of adding more dollars to their checks? This may be part of the story, but not all of it. People tend to leave jobs for reasons outside of money. In cybersecurity, the reasons for churn span many dimensions of the job: the environment, culture, stress, support, meaningful work, etc.
With so many factors impacting whether your people stay on board, you’ll need specific strategies to prevent turnover and keep employees engaged and satisfied. For a look at how all this is playing out, we’ll start with insights from a recent state of cybersecurity report from ISACA that surveyed over 2,000 cybersecurity professionals.
Cybersecurity Retention: What the Numbers Say
The report has some great insights that every cybersecurity leader should consider in their hiring and recruitment process.
Pandemic Still Impacting Staffing
First, the report indicates that the industry still suffers from the pandemic’s disruptions. At the beginning of the pandemic, remote work became the norm, and many in the profession appreciated the autonomy. Now, there seems to be a standoff between employers and staff. Companies want to return to the way work existed before Covid, while workers don’t want to give up their newfound flexibility.
There is a new expectation that remote work will be part of the norm, whether full-time or in a hybrid framework. Employees are pushing back on a total return to the office because they’ve just proved they can do their jobs at home. For companies that want such tight control over where people work, it could be impacting their ability to recruit and retain. It makes these jobs much less appealing.
The Struggle to Retain Talent Is Real
The numbers on retention look concerning, as 60% of respondents said their organization is struggling here. That number is up 7% over 2020. The report also notes that the numbers for 2020 need context. Uncertainty during the pandemic made people stay put even if they were unhappy. Now, those fears have subsided. The Great Resignation would indicate they have. The “event” describes the mass exit of employees, amounting to over 47 million Americans voluntarily quitting their jobs.
Technology was a hard-hit area, but there could be hope around the corner with new people entering the field. However, most companies remain understaffed.
Most Organizations Say They Are Understaffed
Regarding current employee numbers, 15% of organizations replied that they were significantly understaffed, and 47% said they were somewhat understaffed. In looking at empty seats, 63% of companies said they had open jobs. The time to hire these roles improved but is still long, with three to six months as the average timeframe.
The roles that need the most people continue to be technical cybersecurity professionals. Future hiring demand has these roles as the ones that will increase. Additionally, they’ll look to hire more nontechnical cyber positions and managers.
These numbers represent a huge need in the industry, and many people see it as an opportunity to have an in-demand job that can be lucrative. The problem arises when too many see cybersecurity as getting a certification and memorizing jargon. I’ve talked before about the pervasiveness of paper tigers in cybersecurity. These folks look great on a resume but often lack the technical and people skills to be successful. This is just a friendly reminder that companies shouldn’t be so desperate to fill a role that they don’t hire discriminately. Paper tigers turn into employees with low performance and engagement, which makes turnover more likely.
Staffing, Retention, and Cyberattacks Appear to Be Interrelated
These three things seem connected, as 69% of respondents who work for organizations that experienced more cyberattacks than the prior year reported they were somewhat or significantly understaffed.
Additionally, 70% of this group indicated that their companies had challenges with retention. Those with fewer staff than needed also performed poorly with recruitment, with 73% saying so. That number rose 8%, with the probable cause tied to burnout.
Correlation doesn’t always mean causation. However, when there are fewer people on staff and the ones who are there are disengaged, the risk of cyber breaches could increase. If your people don’t care about the safety of data and networks, it’s a problem because the hackers on the other side certainly do.
So, how can talent pipelines improve?
The Talent Pipeline Isn’t Flowing; Qualified Applicants Are Scarce
To meet hiring demands for the future, we need new people entering the industry. Ideally, these candidates should have qualifications beyond paper tigers with certifications that don’t mean much. So, what does qualified mean to hiring managers? According to the report, they place prior experience at the top, but soft skills are still the largest gap (54%)!
This data point is one of the most important from this research. It’s central to my philosophy on cybersecurity employment and what makes a person a good fit. Technical skills are, of course, critical. However, I contend that it’s easier to teach those when you have someone who is willing to learn and embraces the soft skills of communication, collaboration, agility, and curiosity.
These people skills go much further than those in the technical basket. They are key to having a team that uses critical thinking to solve problems and does so in a way that’s effective and collaborative. There’s no “room” for one person to be the smartest one in it. Rather, a team with technical aptitude and a focus on soft skills is your best chance at strengthening retention and your security posture.
Moving to the point of hiring based more on soft skills versus degrees or certifications can be helpful. Many don’t give much credence to higher education, as 40% said they neither agree nor disagree that they have confidence that university graduates in cybersecurity are prepared for the role. Again, of these recent graduates, soft skills were the biggest skill gap.
The Challenges of Retention: Keeping Staff Engaged and Satisfied
If you have good people, you don’t want to lose them. If they are top performers, you’ll have competition. Being recruited by other companies was the principal reason cybersecurity professionals left a job. Others could be targeting your best people right now, so you’ll have to ensure the role is competitive with wages and benefits, enables flexibility like remote work, provides a path for development, and helps workers manage stress. Those are all factors in resignations. Behind being recruited by others, the top reasons for leaving were:
- Poor financial incentives
- Limited promotion and development opportunities
- High work stress levels
- Lack of management support
- Poor work culture
- Limited remote work options
- Inflexible work policies
Many of these reasons are about the environment you create. Cybersecurity is a high-pressure job, but it doesn’t have to be toxic. There are ways to develop a team that supports their mental health and reduces stress. If you want to improve cybersecurity retention, you’ll need to look at how your department runs to identify areas where things can improve. Encouraging open communication, providing acknowledgment for good work, and empowering people with autonomy are essential.
Developing this type of culture takes time. Your people have to be willing to evolve, too. The best way to find this ideal balance is by using the Secure Methodology. I developed a seven-step process to help turn cyber professionals into highly communicative and collaborative people capable of critical thinking.
Each step helps develop the soft skills necessary to be agile in the dynamic world of cybersecurity. The report’s section on must-have soft skills aligns with the Secure Methodology’s stance. They are:
- Communication (listening and speaking)
- Critical thinking
- Teamwork (collaboration and cooperation)
- Attention to detail
- Adaptability to change
All these attributes are extremely important in the cyber field. You can have someone with a brilliant technical mind, but if they don’t communicate or cooperate, they simply hold their knowledge as a point of leverage. They also won’t be adaptable to change, and that’s critical. The cyber technical skills of today aren’t a match for those in the future. Staying stuck in one way to do something creates adverse outcomes for all parties.
Companies are striving to improve the nontechnical skills gap, per the report. The tools they are using include online learning, mentoring, corporate training, and tuition reimbursement. However, 17% said they were doing nothing.
Do these tactics actually work? Of them, mentoring is the best of the bunch. Online learning for people skills seems counterintuitive because this should be more interactive. The exercises included with the Secure Methodology in my book offer this option. It could create a boost in cybersecurity retention that makes a difference. Learn more by reading The Smartest Person in the Room.