Retaining Security Workers: What Works?
Offering Work-Life Balance and a Career Path Are Key Factors
Some cybersecurity leaders are finding that when it comes to retaining workers, offering a solid work-life balance and defining a career growth path are more important than salary.
"Most organizations have difficulty retaining cybersecurity professionals due to the lack of clear-cut career and growth path," says Rob Lee, chief curriculum director and faculty lead with the SANS Institute. "Additionally, many technical individuals aren't necessarily interested in moving up to management roles, but most organizations make the mistake of promoting the best technical experts to manager positions."
The cybersecurity staffing firm Hays notes in a recent report that only 39% of 1,200 senior cybersecurity leaders from firms of all sizes worldwide believe they have the ability to retain cybersecurity staff. Fifteen percent say they are rarely capable or incapable of retaining cybersecurity workers.
Industry insiders say organizations can use many methods to help retain cybersecurity workers (see: What Can Be Done to Overcome Cybersecurity Staff Shortage?).
"One approach is trying to provide a good culture - to be focused on the needs of each of the team members, which will differ among all of them," says Andrew Stein, vice president of information security at Gate City Bank.
More Than Money
Salaries in the cybersecurity field are generous, and with many job openings available, it's easy for individuals to switch positions.
This means companies must focus on softer aspects of the job, cybersec pros say.
"The industry should consider creating career paths that enable an individual to stay technical for their entire career, which is not how most organizations think about these positions today," Lee suggests. "Many in the technical world don't just leave their roles just for a higher paycheck. They leave for more significant technical challenges that are no longer offered to them in their current positions."
Stanger notes that most of those who take on a cybersecurity job enjoy the technical challenges it presents - and once those disappear, so does their willingness to stick around.
But Les Dickson, vice president and chief security, risk and compliance officer at BreakAway Loyalty, a loyalty rewards solutions firm, insists that salary still plays a role in retention. As team members gain skills and experience, they become more likely to leave for better-paying positions. Companies can counter this to some extent by increasing pay and responsibility as staff members gain certifications and abilities.
As an employee qualifies for a higher tier, "they automatically achieve new position responsibilities, titles and higher pay. This keeps our employees focused on the opportunities available in our company versus the potential greener grass elsewhere," Dickson says.
Stanger adds: "The companies that are best at IT worker retention find ways to challenge their workers to assume ever-more critical strategic roles in their organizations."
Dickson also notes: "Staff members have commented that they are unsure what opportunities might exist with a new employer for advancement, career progression, and higher pay over time, but they know what opportunities exist with us as their current employer. In that sense, they have a better potential 'future' with us than with other employers."
As cyber workers reach certain milestones in their lives, such as starting a family, retaining them becomes more difficult, so managers should be aware of what is transpiring in their workers' lives.
"When that [work-life] balance is disturbed for too long, the employee begins to look [for a new job]," Stanger says. "Sometimes that feeling of loss of balance is triggered by a sudden shock, such as a company merger or sociological change. I've seen talented people move from one company to another as they successfully find companies that allow them simultaneously to support their families and progress professionally."
Stein concurs that it's important for the employee to know that the company has their back when balancing life and work.
"As an example, a team member who wants to go to more of their kid's baseball games is an easy conversation," Stein says. "That person is trying to put their family first."
If the company accommodates a worker's request for work hours that enable them to attend sporting events, it demonstrates that its priority is the worker's well-being, Stein says.
"The team member is excited to go to the baseball game, and the patch still gets installed later. Hopefully, that will outweigh the decision to leave for better pay," he says.
Pinpointing exactly at what career stage a person is more likely to begin looking for new opportunities is difficult.
Stanger says those working in governance, cloud security and security analytics are often tempted to move on. Those specializing in application security are particularly difficult to retain, he adds.
Lee sees entry-level employees as the most likely to leave for new opportunities. He blames this on companies with strict rules regarding pay increases tied to job title and time on the job, which can easily be sidestepped by moving to another firm.