5 tips to retain great security talent

Career experts offer advice on retaining your highest-quality talent so they don't leave to work for your competitor

You want the best on your security team. And once you've got them, you want to keep them happy and keep them in your organization.

Three security career and management experts weigh in on what security managers need to do to retain top-notch security talent.

First, figure out whether you have the right team

"Don't assume the people you currently have in place are the people you need to have on your security team," said Lenny Zeltser, a senior faculty member with SANS Institute and a product management director at NCR.

Zeltser has hired many people over the years, and he believes the first step to retaining great talent is to make sure you have highly skilled, well-matched team members to begin with.

[5 secrets to building a great security team]

"It is very difficult to admit to oneself that people are on the borderline in terms of personality and match, and may not be the best for your organization. As human beings, we tend to want to stay with the status quo and say, 'This is the team I have here. If I have lemons, I'll make lemonade.' But that's not the right strategy."

That may mean changing job descriptions, restructuring departments or shuffling employees to places where they are better suited. Or, in a difficult situation, letting some people go.

"Just like you provide feedback and review to employees once or twice a year, as a manager you want to check in with yourself, too, on whether who you have on the team is right for its goals. Your security team may have had different goals when first created."

Evaluate your pay structure

Once you've evaluated where your team stands and what skills you want in your department, it is time to look at whether your organization's compensation structure is up to market standards.

"Recruiting and retaining are essentially married," says Lee Kushner, founder and CEO of LJ Kushner and Associates, a recruitment firm for information security professionals. "Your current state of the organization has a lot to do with who you can bring in."

Kushner says one of the battles organizations face when trying to build their security team is the concept of internal equity. When recruiting for a security position, it often turns out that talent outside the company is earning more than the people already inside it. Predictably, this creates conflict between human resources, the recruitment team and the security department.

"I think it's important today for CSOs and CISOs to have a better understanding of the market value of the skills of their security employees and be able to make the case to their management for reexamining their compensation, so they aren't put in a position where they have retention issues."

Kushner also says the poor economy has given many organizations the false impression that they can get talent for lower salaries.

[4 skills CISOs need now]

"I'm not going to be as bold as to say there is no unemployment among security professionals, but there is negative unemployment for highly skilled security professionals. When people are starting to add to their team, they have this nirvana, Shangri-la profile they want to recruit for. It's kind of like having champagne tastes and beer budgets. You get what you pay for."

In other words, make sure you're paying your current talent, and any future talent, what they are worth -- or someone else will.

Provide training and education

"Training and education must be a continuous process for all security staff," according to Hord Tipton, executive director of information security education and certification firm ISC2. "Technology is changing so rapidly -- no one can keep up with everything that is changing and evolving. To a degree, a well-rounded security program must have specialization. Although organizations need people who understand the entire security process, they also need people who are specialized and totally up-to-date in the many areas that must be well understood before security can be implemented."

Offering your security team the chance to take professional development and education courses keeps them feeling refreshed and challenged. And it obviously benefits the organization, too. Well-rounded security professionals look forward to the opportunity to further hone their skills. If an organization neglects their need for frequent training, they will go elsewhere, says Tipton.

"For example, the amount of technologies that have emerged in the last year surrounding cloud-based applications, social media, virtual servers, and mobile devices has been overwhelming," says Tipton. "We must continually develop technical training that is specific to the jobs performed and matched to continuing professional education [CPE] requirements. Obtaining quality CPE [courses] is more important now than ever."

Offer opportunities for growth

Sure, everyone wants a raise and a promotion after proving themselves on the job, but that's not always easy, or even possible, says Zeltser. Organizational and financial constraints often put the brakes on desired title changes.

Instead, offering a security team member the chance to work with new technologies, or be exposed to new challenges, can provide a different kind of career growth that can also be satisfying and fulfilling, says Zeltser. It's really up to the individual to decide if they want to take on more responsibility without an actual promotion, but many will want to do it for the challenge.

"You might have a person who started as an entry-level help desk technician, became really good at troubleshooting desktop-related problems, started dealing with malware infections, and then gradually became interested in malware analysis and incident response."

In that scenario, Zeltser points out, the employee has rounded out their skill set and, consequently, gained career benefits, even if it didn't come with a title change.

However, it is a rare employee who will keep taking on new roles without at some point expecting rewards.

"If someone keeps adding to their responsibilities but knows there is no chance for promotion and knows they have hit a ceiling, they will eventually end up leaving."

Avoid burnout

Security is a career well-known for being high-stress and a likely path to burnout. That perception is supported by a 2010 survey conducted by the group of industry experts who founded SecBurnout.org. While the researchers felt that the 124 valid responses they received weren't enough to draw statistically meaningful conclusions, they were nonetheless able to make some interesting observations.

[RSA Conference 2012: Stress and burnout in infosec careers]

The data revealed that almost 13 percent of those surveyed were in what was referred to as a "red flag" area for burnout and were clearly in need of some intervention. A majority of respondents noted that they thought security was more stressful than other industries.

A variety of industry-related stressors contribute to this problem. For one, security professionals worry about the impact on the organization if there's a serious security event. For another, they're worn down by the tiresome task of constantly having to tell employees and management "no."

Zeltser suggests one way to address this is to educate security team members on how to better approach these situations.

It's rarely useful to simply tell someone "no," says Zeltser. "Useful advice is, 'You can't do it this way, and here are the reasons why.' And encourage them to find and offer alternatives, too, to the issue, so it's not just saying 'no.'"

Stories by Joan Goodchild