Cybersecurity Employee Retention and Management Culture

Cybersecurity Employee Retention
Author: Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
Date Published: 24 July 2018

Ask security leaders if they have enough cybersecurity professionals on staff and the likely response will be “no.” But the demand is not just a numeric value; it also pertains to the abilities of the professionals. In other words, placing people in seats is only part of the challenge, alongside ensuring they are skilled to handle the rise in complexity and speed of change to counter well-funded adversaries. There may never be enough qualified people in cybersecurity to fill all the roles for which organizations long.

Conversely, what if a security leader does have enough people? What if every role that was open has been filled and the team is at full capacity? Now that the roles are filled, how does management retain staff? Is the culture where it needs to be to attract and retain people?

Leadership and a Strong Foundation

Creating a culture to which employees want to belong starts with leadership. This may seem obvious, but it can be overlooked. Many security leaders ended up in their leadership roles because they were great at managing technical systems and throughout their career they were promoted. Suddenly, they are managing people vs. spending time hands-on at the keyboard at a command prompt. But managing systems is not the same as managing people; a completely different set of skills is required.

Employees want someone who is invested in them and their career success, which means leaders must make time for employees and show an interest in their lives as well. A 2011 study conducted by Google sought to build a better boss.1 Google’s hypothesis was that its engineering employees would want someone who could do the job better than they could and solve tough problems for them when they ran into obstacles. Just the opposite was true. According to the findings, “What employees valued most were even-keeled bosses who made time for one-on-one meetings, who helped people puzzle through problems by asking questions, not dictating answers, and who took an interest in employees’ lives and careers.”2

Building the Team

Building a team requires getting to know people, which, again, sounds easy, but can be lost in the daily rush to get things done. A misstep some security managers have made along the way is believing they must be as good or better at hands-on security than their employees. This is not true. Yes, leaders need to be knowledgeable about all aspects of security, but they should not expect to keep technical pace with staff. This is easier said than done for many security leaders because their careers have been built on being highly technical. Thus, it is hard for them to let go of what got them there.

A key component for security leaders to keep in mind is that it is as important to find the right people as it is filling the role. In other words, it is about the chemistry with the team as much as it is the skill. Sometimes, a junior team is more willing to do the routine, mundane tasks that are needed (unless they are automated). A more senior member of the team is less likely to want to fulfill these duties, but can be great at mentoring and training the team.

All the technology in the world is futile unless the right team is in place. Looking at successful sports teams, it is interesting to watch teams that have the lowest payroll or the least well-known names beat the teams with the most all-stars and highest salaries. There is a chemistry that exists with some teams that others do not possess.

This does not happen by chance. Management recruits players who provide value and create a chemistry that does not revolve around an all-star or two. Everyone is a component, and no one player is the full key to success.

Determining Greatest Needs

The majority of organizations need incident response, security operations, vulnerability management and analysis. Depending on organizational size, the security team may perform multiple duties. Regardless, security leaders need to look at their pain points to determine where there is the greatest need.

Generally, security team members can help point out where the team is weakest and where the needs exist. Assuming managers are meeting with employees regularly, there should not be too many surprises and the needs should be well known.

Security managers looking for industry resources to help outline where their hires should be, based on a framework, can consider the US National Cybersecurity Workforce Framework.3 It is a resource to help security leaders with roles based on knowledge, skills and abilities (KSAs).4

Diverse and Dynamic Teams

It is tempting to attract people who are like everyone else. However, security is an industry that does better when there are diverse experiences and backgrounds. Not everyone can or should be a penetration tester. Yet this is a role to which many aspire.

Penetration testers, incident responders, business-oriented employees, employees with a marketing or communications background, engineers, and mathematicians, to name a few, are needed. The point is that building a team can and should include many diverse backgrounds. Women should also be among these professionals. Initiatives such as Women in Cybersecurity,5 the tech-focused Girls Who Code6 and ISACA’s SheLeadsTech are working toward bringing more women into the field. Younger, older, female, male and employees of different backgrounds create the diversity to help build stronger teams.

Management should hire and build teams that possess character that aligns with the culture, and then invest in the employees and train for skill.

Business Engagement

To build a stronger team, security employees must learn more about the business they protect. It cannot be done solely from behind the desk. Granted, some people do not want to and probably should not interface with the rest of the business, as they may lack tact. But, the other 90 percent who do or who have potential to grow in their career need to learn skills other than the technical ones, and this comes from coaching and engagement with nontechnical teams as part of their interpersonal growth and development.

Even if employees are not seeking leadership roles, they still need to learn the business. They will learn more as to the reasons why a business leader may choose to accept a risk, which will help them understand, communicate and go with the business decision. If nothing else, the security team is aware of what is going on and can potentially do things to monitor the decision.

Investing in the Team

Investing in the team is essential. Sometimes there is concern that the investment in people will enable them to find another job elsewhere. Perhaps, but what happens if there is no investment in building employees’ skills and they stay?

Sending employees offsite to hands-on training is expected. Employees expect some discretionary budget annually for training. However, if the budget is low (or nonexistent), what options exist to help teams get the experience they need? Some options include:

  • Tabletop exercises—A practice commonly used in disaster recover (DR)/business continuity planning (BCP), tabletop exercises are a good entry-level view into issues that may occur (such as a breach), walking through everyone’s roles and responses. They are often done in tandem with nontechnical departments to build understanding of business processes.
  • Purple teaming—Rather than just having a penetration test performed and then providing the security team with a list of items to fix, it is better to do the engagement in tandem. Red and blue teams work together on identifying and addressing issues. For the next penetration test, the organization should ensure the defenders of the business are engaged from the beginning. Can they detect the attack in progress? If not, this is a good place to begin.
  • Cyber range—A cyber range is invaluable to teams. The team gets to participate hands-on and identify threats and real attacks that are highly immersive and engaging for the team. Some commercial offerings in the market are emerging, and breach and attack simulation companies are coming forth to help teams know where they are weak and how to address problems.
  • Automation and orchestration—Security people typically do not like doing the same thing over and over, especially low-level tasks. They want personal growth and new challenges; they want to do something with purpose and meaning. In addition to the monotony of doing repetitive, manual tasks, security dollars are wasted when highly-paid security professionals are doing basic (but needed) analysis that can be automated. If security employees are provided a challenging environment, they will build skills and the team will get stronger collectively.
    Furthermore, the automation put in place helps some of the junior staff learn and grow more quickly and in a controlled environment. Employees can be rotated in and out, which helps to alleviate burnout and build skills at the same time.
  • Build, break, fix, teach—When employees learn something new or build out new infrastructure, there is an opportunity to have them take it a step further to help others and reinforce learning and communications skills. When employees build, break and fix, they are then able to strengthen their learning and comprehension. Additionally, they can teach those around them, which requires building communication skills. This is a blend of technical and communication skills in action.

Nontraditional Security Employees and Security Ambassadors

Security leaders have started to get creative with who they are hiring or, in some cases, how they are supplementing the team. Many still seek a typical security engineer or analyst. However, with supply and demand challenges, hiring managers have started looking at other nontraditional security employees who offer valuable skills and can help fill the void. These individuals are often referred to as security ambassadors.

Security ambassadors should come from not only the technical departments, but also other business disciplines. A few obvious areas outside of security for potential ambassadors include developers, system administrators, engineers and IT helpdesk. IT helpdesk is really a crucial ambassador because these are the people who are fielding calls and emails and need to be on board from the start. If the IT support team does not work well with other employees or possess a keen security mind-set, it is missing a real opportunity to help. This is an area that may see the first sign of an incident.

Aside from technical teams, ambassadors from risk management, legal, audit, physical security, communications and project management are good to have in the program. Think about the number of legal reviews of contracts, the number of projects that have security implications and the potential for a physical intruder. It is important to have others outside of the traditional security department to help with visibility, depth and nuances.

Employee Retention

With so much focus on not enough talent, what about retention?

The following data are from a survey conducted among undergraduate and graduate students planning to enter the security field.7 The focus was to ask students about their expectations in the workforce, what motivates them and what would cause them to look for a new employer. These data are important because the answers to these questions can enable an organization’s retention approach to be modified to meet their employees’ needs and retain them. High attrition rates are very costly.

The survey data results moved through a series of questions to help security leaders understand their future workforce. The results indicate that employers should pay employees a fair and competitive salary and then focus on accomplishments, career growth and retention.

Figures 1 through 6 show the responses from the research conducted to learn more about future employees’ expectations.

Type of Role Sought When Entering the Workforce
Early Year Salary Expectations in US Dollars
Most Important Career Factors, Compared to Salary, organized by Opportunity to learn and grow, Making a difference (defending against Hackers), Cool technology to play with, Flexibility (remote work vs. hybrid vs. in-office), Actually, a high salary is not that important, all of the other above choices are tops in my mind
Planned length of employment before looking for the next job
Types of Work Environment Sought (To work as a part of a team, Alone (individual performer), Constant management feedback and attention as to how I am doing, Just leave me alone and I will figure out how to solve the problem, I want to be told what to do, To be micromanaged.)
4 levels of Careers Aspirations

The responses to the question about reasons for seeking new employment sooner or later indicate that these issues are solvable when management spends one-on-one time with staff. People who feel appreciated will often do more than expected; recognition and a thank-you go a long way. Respondents indicated they would look for a new employer when they are in an environment that presents the following:

  • A lack of similar values
  • A lack of appreciation
  • A lack of respect for the leadership team
  • Poor management
  • A lack of respect for the employee
  • Work with little purpose and no growth
  • Unethical leadership
  • Micromanagement

What do security leaders need to know to protect against losing employees? What will entice them to stay in an environment that they enjoy? The following are the conditions the respondents suggested to encourage employee retention:

  • Flexibility
  • Fair treatment
  • Education and training
  • Cool technology and projects
  • Opportunity for growth
  • Strong management team
  • Company benefits
  • Culture

When looking at options to retain employees when there is little budget to work with, there are opportunities to consider. While everyone likes fair compensation, there is only so much money available, which means creativity is needed to find other ways to entice employees. A lot of times, it is about happiness. Money is short-lived. Employee’s who receive a 5 percent bonus today are likely to want more within 12 months and start looking elsewhere if they do not get it. Therefore, what are some unique ways to create a workplace that is appealing and that employees are not looking to leave for a bump in salary? Eventually, they may leave if they want to try something different or the role they aspire to is not realistic at the organization. Some other creative options to retain employees include:

  • Let them speak—Allow employees to be the voice and face of the security program. For example, they can lead team meetings or brief management on projects or security incident response.
  • Let them teach—Security people generally love to share what they know. Allowing them to get involved in (or start) a local security chapter is a great way to develop a strong community in the area. Additionally, local high schools and colleges can be contacted to allow employees to recruit and encourage students to get into the field. The US National Collegiate Cyber Defense Competition (NCCDC); BSides; science, technology, engineering, art and math (STEAM), and other volunteer efforts in the area can be involved as well.
  • Flexibility—Employees do not need to start their workday at a certain time or be physically in the office. More junior roles may require time in the office, but more senior employees may want flexibility.
  • Autonomy—Allow employees to solve issues their way. They do not need to be given the steps of how to do it, but rather just an understanding of the expected outcome. Provide them some direction and let them go at it.
  • Career paths—Career paths are very important, but they can be easy to change with so many projects and incidents that occur. Security leaders will get out of these what they put into them (and likewise for the staff). Set up mentors or coaches to help employees in their career. The mentors/coaches do not have to be in security; they could be experts in project management or communication. As long as employees are growing, it does not always need to be in the same discipline.
  • Reduce pain points—Automation and orchestration can take the routine, mundane tasks and give employees time back in their day. This can feel like an addition to headcount when analysts reduce their workload by no longer doing repetitive tasks that are automated.

Conclusion and Next Steps

The fact that attackers are evolving faster than teams can keep up requires immediate action, just like any good incident response team effort. While not an “incident” in the purest sense, this is an issue that will not fix itself. Management should look inward for opportunities such as:

  • Assess the current team dynamics and culture—To attract internal and external candidates, the environment in which they work needs to be positive. If a strong culture is not in place, one must be established or the organization may experience a revolving door of candidates. Security leaders who establish a strong culture will have a better chance at recruiting external talent and building from the internal talent pool because the organization is a good place to work.
  • Automate mundane security tasks—Automation is a necessity, especially for roles where there has traditionally been high turnover or a struggle to get qualified people. When time-consuming and mundane work is removed, analysts can focus on more challenging and value-add work.
  • Make the internal investments—Training dollars must be allocated in the same way organizations budget for new technology. Untrained employees who stay should be just as concerning as trained employees who leave. Organizations should hire the best person with potential and train for skill. Cyber ranges and security ambassadors are a couple of ways to achieve this.
  • Partner and build a pipeline with higher education—Seek out local higher education and even high school technical programs to build a pipeline of students. Even two-year community college students who are in a technology program can provide immediate help, and automation can help get them up to speed quickly. Generally, these students are eager and coachable.

Endnotes

1 Bryant, A.; “Google’s Quest to Build a Better Boss,” The New York Times, 12 March 2011, http://www.nytimes.com/2011/03/13/business/13hire.html
2 Ibid.
3 National Initiative for Cybersecurity Careers and Studies, “NICE Cybersecurity Workforce Framework,” http://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
4 NICE Framework Specialty Areas and Work Role Table of Contents, http://www.nist.gov/file/372581
5 Women in Cybersecurity
6 Girls Who Code, http://girlswhocode.com/
7 Teitler, K.; “Where Will You Find Your Next-Generation Workforce?” MIS Training Institute, 13 April 2016, http://misti.com/infosec-insider/where-will-you-find-your-next-generation-workforce

Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
Serves as a director of technical alliances with business development solution integration responsibility for enterprise customers. Previously, he spent nearly two decades leading cybersecurity and technology in financial services and was the head of cybersecurity for 12 years. Saurbaugh is faculty with IANS Research and strategically advises Fortune clients on cybersecurity. Involved from the onset with Security Current when it launched, Saurbaugh served as the research director leading a number of strategic projects for global security vendors and chief information security officers. Also, Saurbaugh is a mentor with cybersecurity accelerators MACH37 and Queen City Fintech, and he owns a security consulting LLC where he conducts independent advisory and risk assessment engagements. Saurbaugh has served in various curriculum advisory committee roles for higher education.