Enterprise Security


5 Effective Talent Retention Strategies for Security Teams

In IT, we’ve been hearing about the “cybersecurity skills shortage” for a few years. There is no shortage of statistics and data about it: More than 70 percent of participating organizations reported being impacted by the skills shortage, according to the ESG/ISSA research report, “The Life and Times of Cybersecurity Professionals 2018.” Likewise, more than half (58 percent) of the organizations surveyed for ISACA’s 2019 “State of Cybersecurity” report acknowledged unfilled cybersecurity positions. The majority of those (62 percent) were expected to take three months or longer to fill (of those, 32 percent were expected to take longer than six months to fill).

Even without the data, we can tell experientially that there’s something going on. If we’re trying to fill a position, we know that there’s a dearth of skilled professionals, specifically because we have a hard time finding qualified candidates for open positions.

In an environment like this, the astute manager will realize quickly that maximizing the organization’s talent base is a useful strategy. In an environment where we can’t hire quickly (or cheaply), talent acquisition and talent retention are a competitive advantage when done well — and a competitive drag when done poorly.

Retention Saves Money

There is quite a bit of attention on acquisition strategies for cybersecurity in the media and professional guidance outlets (e.g., conferences and such), but one area that gets less focus is retention. Why is retention important? Because it is almost universally true that it is more expensive to replace a resource than it is to retain one.

For example, the total costs of employee turnover can be as much as 90-200 percent of an employee’s salary, according to the SHRM (Society for Human Resource Management) “Retaining Talent” report. Compare this with what it might cost you to retain that same employee — it’s almost certainly going to be more, right?

If it’s true that retention is cheaper than acquisition, and if it’s also true that personnel management is a key success factor and competitive advantage because of ambient conditions in the cybersecurity world, then it follows that anything you can do to bolster your own staff retention efforts is time well spent. With that in mind, following are a few things you can do to help optimize your efforts in this area.

Now, it bears saying that some turnover will always be normal: People have their own reasons for leaving the organization that sometimes are out of the company’s control (retirement, life changes, relocation) — but in many other cases, there is something about the organization or team that they’re reacting to. Those are the ones that, with a bit of focus and perhaps some re-examination of your team’s culture and makeup, you potentially can reduce.

It also bears saying that this isn’t intended to be an exhaustive list; there are many retention strategies, and your organization’s context, culture, team dynamics, etc., all need to be taken into account for any plan to be maximally effective. That said, the following strategies can work well in many situations to help bolster retention and, in some cases, enhance acquisition as well.

Strategy 1: Cultivate Skill Development Opportunities

It may seems as though there’s never enough money or time to give staff the kind of training that you’d like to provide. How often have you had to have “hard discussions” with staff because they wanted to attend a training opportunity and you just didn’t have the budget or time for them to do it? Over time, this can have a retention impact as employees want to stay marketable, build their skills, and advance.

Now, obviously it’d be great if you had infinite funds to send every employee to every training they wanted to attend, but that’s unrealistic. Rather than having employees completely forego training because of lack of resources, one strategy is to look for alternative ways to build skills. For example, you can leverage cross-training to share skills among team members, you can look for lower-cost training opportunities, or you can share internal knowledge via lunchtime sessions to cross-pollinate skills.

Strategy 2: Support Flexible Working Arrangements

The ability to work remotely, work alternate hours, or even change office locations can be a huge boon for some folks (e.g., those with a long commute or a sick family member). Don’t underestimate the value that it can have when, through a little bit of flexibility in how staff do their job, an employee can gain a major increase in quality of life.

This is particularly true for high-performing resources — i.e., the type of resource you most wish to retain. After all, if they are high performing, they’re not likely to be people who need you over their shoulder to complete their work.

Strategy 3: Cultivate Team Competence

Sometimes people will stay in a job just for the opportunity to work with talented, motivated and highly skilled people. Peers and managers they can learn from and be mentored by actually can be an active retention aid.

Now, you don’t always get to control staff — but if you’re tempted to hire a sub-par resource just because you need a warm body in a hurry, keep in mind that this can work to the long-term detriment of your team. Likewise, any time you can bring in highly competent folks, you foster competence and thereby aid retention.

Strategy 4: Cultivate Team Culture

Much like companies and large organizations have their own culture, individual teams can have culture too. Much like organizational culture, this team dynamic can act to the betterment or detriment of retention efforts. Therefore, paying attention to the culture and morale of the team is useful.

Leveraging HR resources can add value here. For example, a “sliced” report of the employee satisfaction survey data that compares satisfaction for your group relative to the rest of the organization can be valuable. HR also may have suggestions about how to hone the team dynamic to be more inclusive, supportive and nurturing.

Strategy 5: Reinforce Value

People like to know that the work they do is valuable. They like to know it specifically and tangibly. It is always a good idea to let staff know how the work they do advances the organization, provides value to customers, or otherwise advances the mission of the organization.

Any way that you can reinforce this point to staff is valuable. Even if it’s just sharing metrics and dashboard that you’re creating anyway for reporting up to executives or the board, providing that information back to staff can help demonstrate why the work they do is important.

For all of the strategies listed above (not to mention the myriad of other strategic possibilities), keep in mind that your best data source is often employees themselves. If you’re ever in doubt about how to make your organization a better place to work, an honest, candid conversation can be a good way to start.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.

Ed Moyle

Ed Moyle is general manager and chief content officer at Prelude Institute. He has been an ECT News Network columnist since 2007. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as author, public speaker and analyst.

1 Comment

  • HR digital transformation sure is here but what matters is how your organisation introduces it for the betterment of human resources.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels