After all of the time, effort and work organizations put into attracting top-quality cyber security talent, the journey of keeping that best-of-breed talent in your organization is just beginning. As many in the field can attest, the day-to-day role of a cyber expert is ever evolving, and the external search for cyber security talent is just as aggressive. Employees put their best efforts forward during their day to day and have come to expect the same from their employers. When an employee starts to have doubts about their job security, feels overwhelmed or perceives themselves to be unheard, the risk of them leaving for “better” pastures increases. Unfortunately, all of the hard work the company did to recruit their cyber superstar then has to start all over again. Understanding the top pain points cyber security professionals feel during their employment will allow organizations to get ahead of employee discontent before the employee walks out the door.
I always enjoy talking to cyber security professionals when I interview them about why they are seeking employment elsewhere. It sometimes turns into an exit interview during the on-boarding interview process! I have noticed that during this part of the on-boarding interview process, candidates can be thoughtfully candid about why they are thinking of leaving an organization. I appreciate them being upfront because it is also an opportunity for me to better understand how to keep top-quality talent on my own team. Some of the top reasons cyber security professionals are looking to leave their jobs are the following:
Long Hours
The nature of the cyber security business requires vigilant 24x7 coverage. Whether it is identifying a threat in an environment as quickly as possible so that the necessary triage steps can be taken, or understanding the new threat of the day that requires an investigation, cyber security professionals need to be on their toes at all times. Unfortunately, these reactionary next steps come at a cost. Work that was slated to be completed by the employee may need to be pushed off, yet the requirement to complete that work does not go away. In order to complete the new “action required” items plus their existing workload, employees work before and after their shift. Rethinking workloads for the teams is a must in the cyber industry.
Suggested Improvements to Long Hours
- “Follow the sun” model: A global staffing model that also enables employees in their home locations to work in a typical 8x5 model
- Managed service/third party for select functions: Transferring execution of select business requirements to a trusted vendor.
- Appropriately distribute training to all team members in the roles: Cross-train your team to ensure more than one person can confidently operate a tool or business process
- Potential help from non-security teams: Look creatively at other teams such as engineering, infrastructure or networking to assist in parts of your security requirements.
Investigation Fatigue
Cyber security professionals have to investigate whatever types of events and incidents come their way. Unfortunately, some of these investigations expose the worst parts of humanity. Working through these incidents can take a serious mental toll on a cyber professional. As leaders and HR professionals, it is important to be proactive with employees to ensure they have the company’s support and backing as they work through these investigations.
Suggested Improvements to Investigation Fatigue
- Having managers check in with direct reports after concerning incidents: Managers should have scheduled conversations with employees who have worked through an incident to understand their thoughts and how they feel afterwards
- HR can work closely with the cyber security team to re-review the medical/health benefits available to them: Many organizations have health plans that include mental health benefits employees may not know about and can use confidentially. Make sure employees know these services are confidentially available to them
- Time off and/or a stipend after a long and grueling incident: For time-intensive incidents, think about rewarding those who worked hard on the incident by talking to your management about allowing additional days off or a financial stipend as a special thank you.
Lack of Training Opportunities
The best cyber security professionals understand that one of the keys to getting ahead of a bad actor is staying abreast of the latest TTPs (tactics, techniques and procedures) bad actors are utilizing. However, between the long hours many professionals put in for the BAU (business as usual) work and the extra work on incidents, having time to take training can seem like a luxury. Additionally, unless management specifically allocates budget for training, a professional may have to ask for a specific training. Unfortunately, many employees may not feel comfortable asking an organization to pay for their training even when they really want to take it. This may make the employee look around at other employers who make it a point to consistently send their employees to training. Employees who want to continue to develop their skills want to know their employer supports them on their journey.
Suggested Improvements to Lack of Training Options
- SANS Free Cybersecurity Community Resources and Programs: Resources such as webcasts, whitepapers from the SANS Reading Room, SANS Summits, podcasts and newsletters such as Ouch!
- SANS Cyber Range Capture the Flag Challenges and Cyber42 events: Great ways to engage the whole team in real-world exercises that will challenge and prepare them for their day-to-day requirements
- Product-specific training options: When bringing new products or toolsets into an environment, understand what training comes with the product. The employees will have a much better understanding of how to apply their cyber security knowledge through the toolsets the organization has procured.
- 1-1s to understand career goals: Get to know where an employee sees their career growing. Having a good understanding of their wants will allow the organization to train them appropriately in the right areas while showcasing to the employee the employer’s interest in building their career.
Lack of Career Advancement
Many cyber professionals want to continue to build upon their careers in the industry. Career advancement will look different to everyone; however, much of the advancement is based on growing technical knowledge and/or responsibility. Employees should have the opportunity to showcase not only the great skills they have now but also the even stronger skills they will have in the future. However, without understanding what each individual wants out of their career, it is hard for an employer to set the employee up for success. Often, employees may also find this conversation an uncomfortable topic to bring up with their managers. The lack of communication may make the employee believe they will never have a chance at growing in the organization they are in, and they may start looking elsewhere for their career advancement.
Suggested Improvements for Lack of Career Advancement
- Stretch goals: During individual one-to-one conversations, determine what the employee is interested in learning about. A possible way to help them on their journey is to encourage a “stretch goal” assignment that is outside of their day-to-day activity but that they can be successful at. An example of a stretch goal is asking an employee who is interested in learning more about scripting to automate a task they find themselves doing on a weekly basis.
- Defined reviews and milestones against the criteria for promotion: Work with your HR and senior management to understand what is necessary to operate at the next level. Work with employees to foster their growth and better support their chances at future promotions.
- 80/20 policy (originally developed at Google): 80% of the time, work on what is required of the role. 20% of the time, work on projects that help them better their role and the organization. These projects also showcase to employees that the organization has their back as they explore their intellectual muscles.
- Appropriate trainings/job shadowing: Identify trainings or opportunities for them to job shadow other departments based on your conversations with the employee about what their career future looks like from their perspective.
“People Leave Managers, Not Companies”
Almost always when I talk to people looking for another job, the conversation about how they are unhappy with their management seems to pop up somewhere. Individuals want to work for an organization that supports them, fosters their growth and makes them feel like a valued asset. In particular, if they perceive that their direct manager conflicts with that balance in any way, an employee is going to start looking around outside of the company.
Suggested Management Conflict Improvements
- HR and senior management can work with managers on key tenets of leadership: Messaging from the top of the organization on how vital a manager’s role is in an individual’s journey throughout the organization needs to be communicated. Training for managers, to support them in their leadership roles, can be just as important as training for individual contributors.
- 1-1s need to be scheduled with goals in mind: Managers need to have constant communication with their direct reports to identify signs of discontent quickly and figure out the best next step for the employee.
- “Skip level” 1-1: Sometimes an employee may feel uncomfortable talking candidly to their manager about any discontent they may have. Giving an employee the opportunity to talk to their boss’s boss showcases a great “open door” policy and gives them lines of communication to more senior management.
Employees are the most important assets in any organization. Employees also count on an employer to help foster their growth in the organization and to recognize their efforts. Listening to employees and their needs can help managers and HR professionals work together to slow the revolving door of cyber security professionals in this competitive cyber workforce landscape.
The Rest of the HR + Cybersecurity Series
1. Listen to the corresponding webcast here.
2. Read the rest of the Blog series here:
- Skilling the Gap: Creative Ways to Recruit Top Cyber Talent
- Not in Cyber Security? No Problem! Creative Ways to Gain Experience With No Experience
- Knowing Your Applicants: How to Stay Current to Best Assess Your Cyber Applicants
- Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Impress to Land Your Dream Cyber Role
About the Author
Kevin Garvey is the US IT Security Manager for an international bank responsible for overseeing incident response, vulnerability management, cyber threat intelligence, as well as the security operations center (SOC). Previously, he worked at New York Power Authority, JP Morgan and WarnerMedia (formerly Time Warner). Kevin has always had a passion to hunt down the adversary and has loved tackling the risk and threat challenges his responsibilities have thrown at him. Kevin teaches SANS MGT512: Security Leadership Essentials for Managers. Read Kevin's full profile here.