The well-reported cybersecurity skills shortage has worsened and now stands at almost 2.9 million. With too few cybersecurity professionals for the roles required, attracting talent is a key issue. But companies with mature cybersecurity teams are reporting another issue: Retaining their employees is a big challenge. Preliminary results of our salary survey, due out in 2019, tells us that employees achieve a bigger salary increase when moving jobs, and the 2018 report from (ISC)² shows that only 15% of employees have no intention of leaving their current employer.
Ensuring that salary levels are set to attract the best isn’t the only solution to your retention problem. These strategies can also help.
1. Allow project work outside of the day job.
Based on my experience, employees who have a real passion for the job and work on projects in their spare time are the most sought-after. They can demonstrate commitment to their work, and that shows through in an interview. These are the employees who are going to find a way to fix the problem because that’s what they love. They are going to innovate and find better solutions.
Helping them feed that passion benefits everyone. The business gets employees with constantly developing skills who may even find a solution with a business benefit. What we hear from these select few, time and time again, is that they don’t want to move jobs because they don’t think another employer will give them time for these projects. They are happy and motivated.
Employers can make it explicit in a job offer that a key benefit is that a percentage of their working time can be dedicated to personal security projects. It can also be used to attract candidates. Telling a penetration tester they aren't just going to be trying to break into a company, but will also get to try and break this new smart device is exciting and different. It’s my No. 1 tip to retain your technical employees.
2. Make sure cybersecurity is taken seriously by the business.
The best cybersecurity employees are really engaged with the industry and they look externally to find better solutions or to spot trends. If the trend they spot is that their organization is behind or not taking cybersecurity seriously, they will be tempted to move on. These candidates want to effect real change and do a good job. If they are prevented from doing this due to budget constraints, or a leadership team that hasn’t committed to cybersecurity, they will move to an organization where this exists.
To retain your employees, your business leadership need to engage with the security team. Recognition for successes can go a long way. Employees need to get support if business areas aren't cooperating with implementing security processes. The security leadership can also communicate better with the team on what the board is interested in, how budgets were agreed and highlight the successes they have had.
3. Demonstrate a route for career progression.
Respondents have listed career progression as the No. 1 reason for changing jobs almost every year in the six years I have been producing salary reports. It’s more important to candidates than a salary increase. Yet many candidates do not see how they can move up in their current organization. If they are provided with an opportunity to learn new skills and develop their career, if they can see the path, they will stay with your organization.
Regular one-to-ones explaining the opportunities that exist and examples of others who have progressed are both important tools to utilize. Make it obvious what skills (technical and non-technical) they need to obtain to move into the next role. If possible, offer funding and time off for further study to support continuous learning and future advancement. Sometimes, allowing employees the time to do that, can also have an impact on retention as they may be concerned they won't achieve that if they move roles externally.
4. Strong leadership is important.
Part of providing good career progression includes have a strong leader. Having a boss you enjoy working for resonates with everyone, not just those in cybersecurity. One of the nuances of cybersecurity is that some have risen to management very quickly, often as a result of being the only person available to promote. Providing strong leadership to your team really helps employees feel connected to the vision of the business and builds a connection for them in their role.
Having a well-respected cybersecurity leader will help you retain staff, and also attract new ones. This goes beyond gaining good leadership skills. Give your employees time, so that they can learn from you. A cybersecurity leader who is active on the speaking circuit or is seen in the industry as a thought leader will make your employees proud to be a part of your team.
5. Wait for employees to become fatigued with moving.
This isn’t a quick fix, but it will come. Candidates get approached about jobs on a regular basis — and with 2.9 million roles going unfilled, this isn’t going to change. The most sought-after might be getting approached five or six times a day, every day. After a while, this becomes boring and they stop listening. Employers will prioritize candidates with more longevity in their roles and moving jobs then becomes harder. As salary increases stabilize, moving becomes less attractive.
The cybersecurity skills shortage isn’t going away, but there are some key steps organizations can take to retain these hard-to-find employees and improve employee engagement along the way.
