Enabling the 'Great Retention' in Cybersecurity

Jennifer Mitchell on Retaining Cybersecurity Staff Amid the Great Resignation
In the face of the Great Resignation, I predicted in late 2021 that the opposite would be true for cybersecurity personnel - a phenomenon I call the "Great Retention." A big part of retaining qualified specialists is ensuring that their work-life experience suits the company's needs and expectations.
While some might argue that you would use the same methods to retain technical and nontechnical roles, I have some insight to the contrary, having managed ActZero’s cybersecurity personnel for a number of years, coupled with my experience as our Head of People. Indeed, while some of these challenges apply elsewhere, the nature of cybersecurity roles tends to amplify them. In an effort to understand why, I highlight the specifics and nuances of making and keeping security personnel engaged and satisfied, positioned against the problems once thought of as hazards of the industry.
The first and most obvious challenge for security professionals is the notion that "the bad guys never sleep." Having 24/7 coverage is a tenet of the industry, reflected in practices of both security providers and companies with in-house capabilities. For those security staff at small to midsized enterprises, while a 24/7 SOC may not be in the cards, the expectation is that they are always on call. This can prove very taxing for security professionals, which often results in them making mistakes.
One of the ways we addressed this issue was with a “follow the sun” model. In an increasingly virtual world, where remote work is now the norm, your security professionals needn’t be in your office, nor even in your country or time zone.
Even if security professionals are part of a team or are scheduled during business hours, they live with the ever-looming possibility that an incident will occur and they will be called in to deal with it. This inherent unpredictability leaves staff unable to turn off, even when they aren’t at work. The "follow the sun" model helps with this too, but in order for it to work, trust is required. IT leaders can encourage trust.
Cybersecurity skills are rare and often expensive, which helps to explain why there are so many "one-body" cybersecurity teams at SMBs. Single-person dependencies increase the risk of working or being called in at odd hours as well as the stress level of the in-role person. They also render the trust element somewhat moot, as without a backup, whom can this person trust to cover them when they’re off?
The opaqueness of the security industry has furthered the notion that specialist skills are required across the board and has hidden the fact that generalist skills, or nontechnical specialist skills, may apply.
There are steps you can take to solve for this, at least during an incident. You may find - as I did while leading our SOC team - that many of the skills required to deal with an incident aren’t inherently "cyber." Examples are coordinating the response, communicating with the team and documenting the incident. By assigning such tasks that don’t require specific cybersecurity expertise to team members other than your single-person dependency, you can remove a lot of the stress and time required of that person - even if they are still necessary.
This method is often used as an exception - for example, with a startup that doesn’t have the technical bench or when the sole security person is on vacation. But you can plan for this all the time. It’s a matter of efficiency - making the best use of a highly in-demand skill. Sure, sometimes it can be more complex to manage a broader response team, but it’s much better for your organizational redundancy and resilience if you have folks that can apply their skills to extraordinary circumstances.
Ultimately, flexibility will be key to achieving a positive work-life experience for cybersecurity employees. The methods described above can help achieve such flexibility for a functional area that has long been seen as rigid. Some of them, such as the "follow the sun" model, are more expensive than others, but that’s why we offer a Managed Detection and Response service that enables access to cybersecurity capabilities that do not require a dedicated cyber staff to manage them.
To learn more about our cyber predictions, check out the 2022 Cybersecurity Predictions white paper.
To find out other ways to not only retain but actively engage your cybersecurity pros, use the Technical Staff Retention Cheat Sheet.