You want the best on your security team. And once you've got them, you want to keep them happy and keep them in your organization.
Three security career and management experts weigh in on what security managers need to do to retain top-notch security talent.
First, figure out whether you have the right team
"Don't assume the people you currently have in place are the people you need to have on your security team," says Lenny Zeltser, a senior faculty member with SANS Institute and a product management director at NCR.
Zeltser has hired many people over the years, and he believes the first step to retaining great talent is to ensure you have highly skilled, well-matched team members first.
"It is very difficult to admit to oneself that people are on the borderline in terms of personality and match -- and may not be the best for your organization. As human beings, we tend to want to stay with the status quo and say, 'This is the team I have here. If I have lemons, I'll make lemonade.' But that's not the right strategy."
That may mean changing job descriptions, restructuring departments or shuffling employees to places where they are better suited. Or, in a difficult situation, letting some people go.
"Just like you provide feedback and reviews to employees once or twice a year, as a manager you want to check in with yourself, too, on whether the people you have on the team are right for its goals. Your security team may have had different goals when it was first created."
Evaluate your pay structure
Once you've evaluated where your team stands and what kinds of skills you want to see in your department, it is time to look at whether your organization's compensation structure is up to market standards.
"Recruiting and retaining are essentially married," says Lee Kushner, founder and CEO of LJ Kushner and Associates, a recruitment firm for information security professionals. "Your current state of the organization has a lot to do with who you can bring in."
Kushner says one of the battles organizations face when trying to build their security team is the concept of internal equity. When recruiting for a security position, it often turns out that talent outside the company is earning more than the people inside the company. This creates conflict between human resources, the recruitment team and the security department.
"I think it's important today for CSOs and CISOs to have a better understanding of the market value of the skills of their security employees and be able to make the case to their management for reexamining their compensation, so they aren't put in a position where they have retention issues."
Kushner also says the poor economy has given many organizations the false impression that they can get talent for lower salaries.
"I'm not going to be as bold as to say there is no unemployment among security professionals, but there is negative unemployment for highly skilled security professionals. When people are starting to add to their team, they have this nirvana, Shangri-la profile they want to recruit for. It's kind of like having champagne tastes and beer budgets. You get what you pay for."
In other words, make sure you're paying your current talent, and any future talent, what they are worth -- or someone else will.
Provide training and education
"Training and education must be a continuous process for all security staff," according to Hord Tipton, executive director of information security education and certification firm ISC2. "Technology is changing so rapidly -- no one can keep up with everything that is changing and evolving. To a degree, a well-rounded security program must have specialization. Although organizations need people who understand the entire security process, they also need people who are specialized and totally up-to-date in the many areas that must be well understood before security can be implemented."
Offering your security team the chance to take professional development and education courses keeps them feeling refreshed and challenged, and it benefits the organization, too. Well-rounded security professionals look forward to the opportunity to further hone their skills. If an organization neglects their need for frequent training, they will go elsewhere, says Tipton.
"For example, the amount of technologies that have emerged in the last year surrounding cloud-based applications, social media, virtual servers, and mobile devices has been overwhelming," says Tipton. "We must continually develop technical training that is specific to the jobs performed and matched to continuing professional education [CPE] requirements. Obtaining quality CPE [courses] is more important now than ever."
Offer opportunities for growth
Sure, everyone wants a raise and a promotion after proving themselves on the job, but that's not always easy, or even possible, says Zeltser. Organizational and financial constraints often put the brakes on desired title changes.
Instead, offering a security team member the chance to work with new technologies, or be exposed to new challenges, can provide a different kind of career growth that can also be satisfying and fulfilling, says Zeltser. It's really up to the individual to decide if they want to take on more responsibility without an actual promotion, but many will want to do it for the challenge.
"You might have a person who started as an entry-level help desk technician, became really good at troubleshooting desktop-related problems, started dealing with malware infections, and then gradually became interested in malware analysis and incident response."
In that scenario, Zeltser points out, the employee has rounded out their skill set and, consequently, gained career benefits, even if it didn't come with a title change.
However, it is a rare employee who will keep taking on new roles without at some point expecting rewards.
"If someone keeps adding to their responsibilities but knows there is no chance for promotion and knows they have hit a ceiling, they will eventually end up leaving."
Watch for burnout
Security is a career well known for being high-stress and a likely path to burnout. That perception is backed by a 2010 survey conducted by the group of industry experts who founded SecBurnout.org. While the researchers felt that the 124 valid responses they received weren't enough to allow them to draw statistically meaningful conclusions, they were nonetheless able to make some interesting observations.
The data revealed that almost 13 percent of those surveyed were in what was referred to as a "red flag" area for burnout and were clearly in need of some intervention. A majority of respondents noted that they thought security was more stressful than other industries.
A variety of industry-related stressors contribute to this problem. For one, security professionals worry about the impact on the organization if there's a serious security event. For another, they're worn down by the tiresome task of constantly having to tell employees and management "no."
Zeltser suggests one way to address this is to educate security team members on how to better approach these situations.
It's rarely useful to simply tell someone "no," says Zeltser. "Useful advice is, 'You can't do it this way, and here are the reasons why.' And encourage them to find and offer alternatives, too, to the issue, so it's not just saying 'no.'"