
Cybersecurity Workforce Retention: Keep Top Talent with the Secure Methodology

Finding qualified and skilled talent has been a struggle in cybersecurity for years, and according to the available data, it is only getting harder. Exacerbating the cybersecurity workforce shortage is the fact that retaining employees is also challenging. Cybersecurity workforce retention is as important as your recruitment strategy.

So, how do you keep cyber professionals on the job? There is no easy answer, because so many factors play into it. However, you can build a retention plan alongside your recruitment strategy. In this post, we’ll uncover why turnover occurs and how to create a culture and environment that will make people stay.

The Cybersecurity Workforce Retention: State of the Industry

A study from the ISACA found that 60% of cyber leaders said it was difficult to retain cybersecurity professionals, up 7% year-over-year. The survey outlined why it’s happening, with these being the top reasons:

  • Recruited by other companies (59%)
  • Compensation and incentives (48%)
  • Few promotion and development opportunities (47%)
  • The high stress of the job (45%)
  • No management support (34%)

Some of these challenges are easier to combat than others. Currently, there are more open cybersecurity jobs than there are people available to fill them. A study estimated that over 3.4 million cyber jobs are unfilled, and that number will only increase. As a result, other companies will try to lure away your employees, even if they aren’t actively looking for another job. How your employees respond will depend on how they feel about working for you in terms of money, autonomy, support, and satisfaction.

Compensation is another tricky area. Competitors may be offering more money. While pay is a critical part of why people work, money may not be the top factor in retention. Regardless, you should pay your team a fair wage for their experience, role, and market. With the cost of living increasing, you must keep up with it.

Next is development, which is something you can control. Continuing to train and upskill your team shows you’re investing in them and their future. You should also be clear with them about the opportunities to advance.

Stress is inevitable in almost any job. Cybersecurity is a dynamic industry with fire drills all the time. Focusing on ways to destress workers should be part of your culture. It could be rewarding your team with social or team-building activities. Having an open door for employees to share their experiences with you and their stress can also be helpful.

Finally, you have complete purview over management support. As a leader, you have to earn and keep the respect of your team. Being a great leader requires you to communicate honestly, listen intently, acknowledge their work, and support them in any way you can.

Addressing these common reasons for turnover is critical for your organization because its impact is considerable.

The Impact of Turnover

An inability to retain staff affects many aspects of operations. Being understaffed creates more risk because everyone is stretched thin, and it’s easy to miss key things when someone is overwhelmed. Turnover also hinders your ability to be strategic because you’re stuck in a reactive mode rather than a proactive one. Productivity suffers as well.

Turnover also costs you money. The average cost of hire is $4,700 and could be even greater considering how in demand these roles are. It’s in your best interest to retain your technical folks, which isn’t easy. You may be looking at many methods to decrease turnover, including increasing wages and benefits, allowing for flexible work, asking for feedback from your team to propel improvement, and providing the right tools to do the job.

Those are all good things to have, but retention has much to do with engagement, satisfaction, feeling valued, and having respect for leadership. These things can mean more than money, which is why applying the Secure Methodology™ to cybersecurity workforce retention makes sense. It’s a seven-step guide that defines a roadmap to transform technical people into highly communicative and collaborative professionals.

Let’s see how each step can support retention.

Applying the Secure Methodology to Cybersecurity Workforce Retention

With every step of the Secure Methodology, there are lessons to learn that impact retention. Here’s how to use these in your organization.

Step One: Awareness

Awareness is an important attribute to have in life and work. We all have blind spots, but some are bigger than others, and being unaware of them has consequences: it negatively impacts relationships and erodes trust. Without awareness, your team doesn’t realize how their behavior affects others and the environment, and things can become toxic very fast. When trust and healthy relationships are lacking, it’s easy to see why some would want to leave.

Awareness means being cognizant of your blind spots and working to address them. A more aware team will be more collaborative and communicative. Here are some ways that this can support retention:

  • Coaching is vital to broadening awareness. If you can open the eyes of your team in a conducive way, they may have “aha” moments. Shifting their stance from being self-centered allows people to get a better perspective.
  • Using specific, relatable language helps technical people better understand expectations and culture. When there’s no confusion about where everyone should focus, they will likely feel more empowered.
  • Understanding motivations is critical to unlocking awareness. Tapping into what makes them tick helps strip away some of the technical posturing cyber professionals often do. Knowing their motivations allows you to personalize how you support and coach them.

Step Two: Mindset

There are two types of mindsets — fixed and growth. Many technical folks have fixed mindsets with no desire to change, learn, or grow. However, it doesn’t mean they have to stay that way. Fixed mindsets are poisonous to retention. Even if only one person in the group is this way, it can taint the group for others. When we’re fixed, we refuse to move.

A growth mindset is freeing and enables people to be flexible and adaptable, which is necessary for cybersecurity. Evolving a fixed mindset to a growth one is possible, but it requires commitment from you and the employee.

Some key results of a growth mindset include:

  • The ability to reflect on situations and understand how to handle them differently.
  • Healthier and consistent communication.
  • A culture that welcomes growth personally and professionally.
  • Growth mindsets can be a significant reason employees stay with your organization.

Step Three: Acknowledgment

Acknowledgment is scarce in technical fields, yet it’s crucial to retention. Your employees want appreciation for the work they do. It is often absent because most cyber leaders only respond to things when they go wrong. The small wins every day matter so much to your people, so you must become vigilant about feedback.

Your approach to acknowledgment should include:

  • Being positive by looking at what went right first
  • Specificity in your feedback
  • Immediately offering feedback in the moment
  • Praise in public and relay ways to improve in private
  • Consistency in how you address acknowledgment

Lack of appreciation and lack of feeling valued are two primary reasons why people leave their jobs. If your people don’t receive acknowledgment, they’ll actively seek another job.

Step Four: Communication

Communication is part of every step in the Secure Methodology, in addition to having its own step. It is, without a doubt, the most critical part of a thriving culture and the strongest support for retention. You probably know there are communication issues among your technical folks. It doesn’t mean they aren’t articulate. Rather, their communication styles are often too aggressive, overly complicated with geek speak, and always on the defense. They also suck at listening, the other component of communication.

This storm of dysfunction will have people, often your best, running away from your organization. Thus, it’s critical to make communication the foundation of your culture and retention strategy. Here’s how to use it:

  • Be honest and transparent as a leader.
  • Move away from overly technical language and simplify the message.
  • Encourage open discussion and dialogue that’s respectful.
  • Praise your people when they make adjustments in communication.
  • Practice active listening in exercises, so they grasp how crucial it is.

If you can lay out these tenets, your people will likely see the value and follow you. If some still don’t realize it, they may be dragging others down. In some cases, you may have to let those folks go, so they don’t make it unbearable for everyone else.

Step Five: Monotasking

Monotasking is focusing on one thing, the opposite of multitasking. Many describe multitasking as an excellent quality, but it can actually hamper productivity. Forcing multitasking can make your people feel pulled in many directions. Those feelings create animosity and dissatisfaction. So, remove this pressure and instead recommend blocking time for specific tasks, meetings without distractions, and saying “no” to some things that aren’t urgent.

Step Six: Empathy

Empathy is a valuable quality to have. In terms of cybersecurity, cognitive empathy is essential for a healthy environment. It means being able to understand the feelings and perspectives of others. Without it, you have no team or human connection, and you need those to retain your people. All the things you put in place to get to this step support the building of empathy. Developing this in your team establishes trust and creates more satisfaction.

Step Seven: Kaizen

The final step is kaizen, which is a Japanese term. When translated into English, it means “continuous improvement.” So, this step isn’t an end to the journey; it’s how to sustain it. If your team believes in this process, they’ll want to continue identifying ways to improve and follow through with them. When kaizen is part of your cybersecurity culture, your technical folks will evolve and realize that this is where they can continue learning and growing.

Retaining your workforce won’t be easy. With the Secure Methodology, you have a framework. You can go more in-depth by reading my book, The Smartest Person in the Room, and viewing the Secure Methodology course.

The 2023 Cybersecurity Workforce Landscape

It’s a new year, and that means new challenges and opportunities for the cybersecurity workforce. Currently, the job market remains healthy, with another 223,000 jobs added in December 2022 and unemployment falling to 3.5%. Rumblings of a recession and an uncertain economy remain, and big tech, including Meta, Amazon, Twitter, and Google, issued layoffs. However, recruiting, hiring, and retaining cybersecurity talent remains a significant problem.

So, how can organizations, big and small, address these problems, and where will the market shift?

The Workforce Grew But Remains Understaffed

The (ISC)² 2022 Cybersecurity Workforce Study reported that the global cybersecurity workforce grew to over 4.6 million, an 11.1% year-over-year increase. The study estimated that over 3.4 million jobs remain unfilled even with this increase. This gap created genuine concern for staff, with almost 70% feeling there aren’t enough workers to be effective. Survey respondents also said that significant shortages increased risk. The cumulative effect of understaffing has real consequences, per the study, including:

  • Lack of time to perform proper risk assessment and management
  • Oversights in procedures and processes
  • Slowing down the patching of critical systems
  • Training deficiencies
  • Misconfigurations of systems

Another study found that 80% of organizations experienced at least one breach in the last year, attributing it to a lack of cybersecurity talent or awareness.

Any cybersecurity leader likely has the same concerns. When there aren’t enough people, everyone is stretched thin. Corners get cut, and people get defensive and burn out. It’s an environment that can expose any company to more threats while vulnerabilities go unnoticed. Additionally, those coming into the industry often don’t have the necessary skills to contribute. They may have the technical aptitude but need training in real-life cyber work and help honing soft skills.

So, if there isn’t enough qualified talent, how do you fix it? You’ll need new candidates to enter the industry and retain your current employees.

Cybersecurity Talent Pipelines Are Running Dry

It would be easy to think that younger generations all want to work in technology. They are digital natives, but that assumption isn’t exactly true. Only 9% of millennials had an interest in the field. Gen Z isn’t flocking to the industry either, preferring jobs where they can shape company culture and have a social impact. They want to be recruiters or marketing or social media managers. For more context, the ISACA State of Cybersecurity survey of cyber professionals found that only around 12% were 34 or younger.

Apparently, cybersecurity careers aren’t attractive to those entering the job market. Maybe cybersecurity needs a “makeover” to highlight the positives of being in demand, such as providing competitive wages and offering opportunities for advancement.

The key issue with generating interest in the industry is that these new candidates will come to the table unprepared. It could cause more “paper tigers” to infiltrate the ecosystem. Paper tigers are a rampant problem in cybersecurity: people who look “great on paper” because they have this credential or that certification.

In reality, they usually don’t have the technical or people skills to be a good hire and an effective cyber professional. In fact, 55% of survey respondents stated they don’t believe applicants are well qualified, citing a lack of hands-on experience as the main factor in the unqualified classification.

In looking at specific skills lacking, the results indicated a gap in people skills as the greatest concern, followed by technical attributes of cloud computing, security controls, and coding.

So, how do we close the skills gap?

Closing the Skills Gap

The skills gap includes both soft and technical skills. As noted, people do not need one more certification or a college degree. Instead, they need practicality and real-world exposure to meet the technical requirements and support to develop interpersonal skills. For this to happen, the industry must shift how it recruits and trains.

The current tests focus on theory, not practice. It’s become easy to earn this “badge” through multiple-choice exams that anyone can memorize. Some certifying organizations still do things right, including CompTIA and EC-Council. Their programs are more practical.

The transformation that needs to occur in the talent pipeline has to be a movement that the entire industry supports. First, the field must showcase that it is one with job security, growth, and opportunity. Second, the training landscape must become consistent, teaching real-world technical and people skills. Third, employers could then make smarter hiring decisions not based on desperation.

In addition to challenges with new talent, organizations are also struggling with turnover, which is costly and disruptive. You have more control over this variable.

The Retention Problem: Is It Your Culture?

In the (ISC)² study, 21% of respondents changed companies in the last 12 months, an increase of 13%. Digging into why, it appears to be about the culture, not the work itself. Cybersecurity can be high-stress, but many in the field enjoy what they do. The ISACA study revealed that 60% of companies had a cybersecurity retention problem, and 63% said they had open roles.

The nemesis of cybersecurity retention is the environment. You have the ability to change that if you recognize the shortcomings.

Cybersecurity culture is often toxic. People often struggle to be open communicators. They can be uncooperative and aggressive. They act this way because they know they can, and when someone new shows up, they’re not unlike a group of mean girls. Such a situation isn’t sustainable, and it only increases risk. If you want to retain the qualified people you have, you must start by laying a foundation for an inclusive, honest, and respectful culture. In most circumstances, you need to help these people evolve with better people skills.

Not everyone will want to grow and change. It’s hard, after all, and uncomfortable. Even if it’s the best technical employee you have, you may be better off without them. Those who remain get a choice to go through the process. There’s already a blueprint for you on how to do that with the Secure Methodology™. It’s a seven-step guide to help cybersecurity leaders support employees in becoming better communicators, collaborators, and teammates.

The Secure Methodology™ applies to employees, new and senior.

Applying the Secure Methodology™ for Recruitment and Retention

We’ve established that the work isn’t the reason why people leave. We also know there are deficits in skills and that cultures can be toxic. This is the reality that inspired me to develop the Secure Methodology™. Here’s how each step can apply to the cybersecurity workforce challenges.

Awareness applies to one’s self and others. It’s lacking in many technical folks, which causes their actions and behaviors to be abrasive or curt. There’s an energy to it, and when people aren’t aware, it causes conflict and animosity. Through exercises and direction, your team can become more aware of themselves and others. It can be a significant shift that gives them perspective.

You want to help people move from a fixed to a growth mindset. Only in the latter can they evolve and improve. You also have to believe that change is possible. Additionally, there must be a commitment from people to welcome growth. One activity to support this is the 7 Levels Deep exercise, which can help people understand motivations and why they do the things they do. This knowledge can unlock a fixed mindset.

To acknowledge is to express appreciation, and it doesn’t happen enough in cybersecurity. So, first, leaders should begin to do this consistently. It builds trust and confidence. An organization also must accept that a cyber professional isn’t an expert in every technical area and shouldn’t put such extreme burdens on a single person or team. It requires a culture shift that recognizes growth and contributions while ensuring accountability.

Communication is the foundation for all soft skills and really every step in the Secure Methodology™. When communication is poor, nonexistent, or comprised of technical mumbo-jumbo, breakdowns happen in your risk posture and culture. Communication is also about listening to understand, not just responding. Developing these skills in your staff will pay big dividends for them and your organization. If communication is transparent, honest, and constant, the culture moves further and further from toxicity. Within this step, you’ll find exercises and best practices for cultivating communicators.

Monotasking is about dedicated attention to one task at a time. It’s likely at odds with how your team currently works, where multitasking is the norm. Multitasking is bad for cybersecurity, as it can cause excess stress and errors. Monotasking isn’t always an option, but you’ll want to ensure that your employees know it helps them focus and be more productive.

In the Secure Methodology™, I focus on cognitive empathy, which is understanding another’s feelings and perspectives. Empathy also means choosing to connect with someone and accept their views. In such a culture, empathy builds trust, and it all goes back to communication and how people interact. If your team builds empathy, you have an environment where people want to stay.

Kaizen is a Japanese term that translates to “continuous improvement.” So, this step isn’t the final one. It continues as part of the foundation of culture. The pursuit of continuous improvement applies to soft and technical skills. It also supports adaptability and flexibility — traits useful to anyone, anywhere. It keeps people engaged, and that supports recruitment and retention.

The cybersecurity workforce landscape needs some care. Many areas need to evolve, and you can be a voice for that in the industry and your organization using the Secure Methodology™.

Learn more about the Secure Methodology™ by reading my book, The Smartest Person in the Room, and viewing the online course on the guide.