It’s hard enough finding security talent, but losing the talent you already have can be a particularly painful blow. That’s why we’ve put together a quick guide to help you:
- Address some of the underlying causes of attrition
- Increase retention of your security talent
- Solve the security gap at your organization
Here are five common talent-retention challenges and how to address them head-on.
Challenge #1: Constrained Budgets and Disproportionate Strategy
According to Kaspersky Labs, 80% of company security budgets are spent trying to prevent breaches. That leaves just 20% for detection and mitigation strategies, or for prediction of future attacks. That’s an unhealthy balance that can ultimately lead to employee burnout.
Ask any security pro and they’ll tell you that, no matter how many defenses you mount, some attacks are going to succeed. When they do, it’s vital to have the right threat detection, investigation, and resolution tools in your arsenal. Experts recommend shifting toward a 60/40 spend: 60% on prevention, 40% on detection, resolution, and threat intel.
Making this kind of shift doesn’t require you to add more to your budget. It instead asks you to shift priorities and personnel allocation. This can also have a positive impact on employee retention, because many employees would rather spend their time on the strategic and proactive tasks that require more critical thinking (e.g. threat hunting, setting up automation systems) than on security alert monitoring.
Challenge #2: Education, Career Advancement, and Mentoring
This problem isn’t unique to security teams, but it certainly applies to them in equal measure. Often people leave their jobs because they don’t feel there is a clear path to advancement or on-the-job education and training to help them fine-tune their skills.
In the security world, there are a few things you can do to help employees feel like they are a valued part of your team:
- Offer ongoing educational opportunities: Whether these are lunch-and-learn sessions or external training like SANS that you pay for, giving employees permission and support to increase their knowledge is a way of showing them you care about and want to invest in their careers.
- Illuminate the path to advancement: Provide them clear direction on what the path forward looks like and what they should be striving to accomplish to move to the next rung of the ladder. Every company is different as far as the types and frequency of feedback that make sense, but be sure that no employee is ever unclear on where they stand.
- Assign mentors (both up and down) for each member of your team: Give them someone to be accountable to—and to go to for real advice—when it comes to achieving their career goals.
Challenge #3: Talent Poaching
Considering the huge security talent gap today, for many companies the only opportunity to find good employees is to poach them from other companies. While this can work for you sometimes, it can also backfire when your own employees get stolen.
To help protect your company from talent poaching:
- Pay attention to rising salaries and strive to keep pace: If your top security talent could be making a few thousand more at another company, it's worth it to up their salary to retain them rather than lose them and be hard-pressed to find a replacement.
- Make your organization a place where security pros are valued for the work they do: Show appreciation for the work they do in preventing, mitigating, responding to, and predicting future attacks. Recognize them publicly at the company by highlighting the high-impact work they’re doing. (Shameless plug: we’re also working to provide public recognition for security practitioners. Check out our Defender Spotlight.)
- Give them meaningful work: As much as possible, load up your employees’ plates with work that they like to do. In many cases, when employees move on, it’s not about the money; it’s about having fulfilling and meaningful work. For example, employees should always have a clear team mission, and should have enough context to see how their work contributes to that mission. In security, this often means seeing a real and positive impact of efforts on an individual’s life.
Challenge #4: High Productivity Requirements
In a recent survey from Computerworld, 64.5% of security professionals reported being asked to increase their productivity and take on more responsibilities in the coming year. Meanwhile, 79% of those security pros said their salaries were not being increased to compensate for these added expectations.
For talent managers and security leadership, it can be tough when pressures mount from external attacks and internal directives yet the budget is not elastic. Of course you’d like to pay everyone more, but sometimes that’s not realistic.
Additionally, the combination of high productivity expectations and the mounting volume of alerts can lead to frustration and to things slipping through the cracks. You want to challenge people without setting them up to fail. Also, remember that people need fulfilling work. It’s not always about salary alone, but about providing employees with work that they want to do—on top of a good salary, sound mentoring, and a clear path for growth.
To counter the pressures of productivity expectations, look to the power of security orchestration and automation, which can take a significant amount of busywork out of the equation. That way, employees can work smarter rather than harder, allowing the technological tools to support them and enhance their effectiveness rather than weigh them down. This can also free up time to focus on tasks that employees find fulfilling and challenging.
Challenge #5: Keeping the Pipeline Full
Of course, some talent loss is inevitable. But that’s exactly why you should have a full pipeline of candidates to help backfill positions when this happens. Here are a few ways to do this:
- Participate in hackathons and security contests: This can be a great way to increase exposure for your company while also helping you to identify and gauge talent in an open and friendly atmosphere.
- Speak at (or teach classes at) local universities and colleges that graduate top technical talent: Getting in front of these people early can help you recruit them for internships and later for full-time jobs. Plus, it helps bring real-world security knowledge and expertise into classrooms, where the curriculum can sometimes err on the side of the theoretical.
- Expand your search: Remember to look internally before you look externally. Is there someone in a lower position who could be groomed to take on the role? Or someone in a tangential spot who has expressed an interest in security and could make the transition to that team? (Think: Engineering, product, and beyond.) Not only will “hiring from within” help solve your talent crunch, but it also instills in employees that you value their contributions and care about their career trajectories.
- Always be recruiting: Keep a dedicated recruiter on staff or have one on retainer who deeply understands your organization’s talent needs. Even if there aren’t active positions open, a recruiter (or a member of security leadership who is actively searching) can build and maintain relationships with security practitioners to ensure a full pipeline at all times.
Hire the Right People for the Right Jobs
One last piece of advice we will offer is to hire the right people for the right jobs. That way, you avoid the frustration of unclear expectations or a bad skills/responsibilities match. To that end, it’s important to know:
- What types of security roles you need to fill
- What the ideal candidates look like
- What their responsibilities should be once they join
- What their long-term career goals are and how this position helps them along that path