Retaining Good Security Talent

Protecting the security of key corporate assets requires skilled individuals and teams. The reality at the moment is that there are not enough qualified security professionals to fill all of the demand for open positions. How does a small business, or any security shop, compete to attract and retain qualified team members?

While this article focuses on security talent, many of the same principles apply to other technology talent. Turnover is a serious risk to any business, and particularly so when key talent cannot be retained. Gone are the days when employees stayed at a job for five years or more; the trend now is that employees move every 18 to 24 months. This trend means that businesses do not realize returns on their investments in training and developing skilled security staff. Competitors quickly swoop in and pick off top talent for a few dollars more, and headhunters are calling into organizations daily seeking to poach top talent. I once even caught a recruiter whom I had previously used to fill a position calling into my team, enticing them to leave for other positions she was seeking to fill. What can be done?

There is a mantra I have learned over a couple of decades managing technical teams, and that is to get up every morning and say to myself: “must feed the dogs!” Technically inclined staff have an insatiable appetite for new challenges and new technologies. Allowing them to stagnate leads to boredom and frustration, which results in that recruiter picking off your talent. Your team needs red meat!

There are many human resources studies about the top ten things which employees want. However, for technical talent the list can be condensed to a top three: (1) Career Advancement; (2) Challenging Work; and (3) Learning New Skills. Of course, money is also a factor, although I have found salaries are relative and the top three motivators mentioned here are the real drivers. Neglect any or all of them and the organization is at risk of turnover or, worse, a disgruntled employee who may become an insider threat.

Career Advancement

The ease or difficulty of offering technical employees career advancement opportunities varies with the size and type of business. Too often, technical staff are typecast into a strictly technical role, and this is a mistake. Technology and security are no longer niche disciplines; they are mainstream functions of any business. Almost any organization can find creative career paths for technical and security staff.

For example, each member of the team should have a professional development plan which is kept up to date. Besides acquiring new technical skills, which are always of interest to technical staff, the plan should set objectives designed to align technology and security with the goals of the business. Security staff should learn how their role impacts the business, and how their efforts add value or competitive advantage. Setting well-rounded development objectives which also teach skills needed for sales, marketing, finance and human resources positions the security team for broader career advancement when opportunities arise.

Over the years, I have had many technical employees reporting to me in various capacities, mostly in support or operational roles. Keeping them pinned down in such roles is never a good thing, and there are always discussions about taking things to the next level. The next level differs for each individual; I have seen individuals come to the team fresh out of school, develop, and move on to many different roles. Some have gone on to start their own business, others have moved into sales, or into consulting, or become security architects. Others have progressed their career into management roles.

The point here is that there is good turnover and bad turnover. Bad turnover is when that recruiter poaches your staff, because your investment in developing that individual is lost. Good turnover is when your staff move on to other areas and positions of greater responsibility within the organization, because the business has recognized value and a return on its investment in developing the person.

Challenging Work

Too often, I have seen organizations take the IT or security team and treat them as if they are factory workers or servants, expecting them to be at their beck and call 24 hours a day. To a certain extent, the long days and strange hours come with the territory, and especially for newer team members just building their career, this can be considered paying dues, or a rite of passage. However, mundane and repetitive work is not interesting and will quickly lose the attention of technical workers.

If we ask the question: “What is an IT or IT security worker?” the answer leads us to where we should go. At the core, technical people are problem solvers and thrive on solving problems. Give them a problem to solve, and they are engaged and interested.

Try giving the team non-technical problems to solve, such as challenges related to process or procedure. You may be surprised to see some of the creative solutions the team can come up with. At the core, good engineers are lazy engineers, because they seek to work smarter and not harder. By harnessing this innate trait, the organization can reap some interesting benefits in the areas of efficiency gains and process improvements.

The next time one of your team members complains about a task or a process, throw it back at them and ask how they could design it better. You might not always implement every one of their ideas, or implement entirely the way they design the solution, but they will respect you for valuing their input and also stay engaged with the challenge. This engagement also plays well with the career advancement and development plans discussed above.

Learning New Skills

The information security and technology fields change rapidly, in the blink of an eye. New exploits are discovered daily, and there is a never-ending parade of new vendors and technology coming into the marketplace. Even software and operating systems are subject to frequent change and updates as companies adopt rapid and agile development life cycles. Keeping up with all of this change, and learning new things on top of it, is a top concern for any security or technology professional.

One big mistake many organizations make is failing to invest in training their staff. Over the years, I have heard many managers express the view that it makes no sense to train their team because the team then uses that training to go find another job. While this can be a risk, and certainly is if we are not focusing on the other motivators discussed above, such a view is not necessarily true.

Earlier I mentioned that salary is an underlying concern, although not the deciding factor in where employees choose to work. We should be aware that our technical employees consider training an element of salary, along with the total benefit package. In order to thrive as a security or IT professional, ongoing investment must be made to stay current. This ongoing investment can be expensive, and thus employees value employers who pay for training. A good rule of thumb, which I have found common through conversations with managers across many industries and organizations, is to budget $3000 to $5000 per employee each year for training. Selection of training can then be tied to career advancement and the professional development plan.

Also recognize that not all learning takes place in a formal classroom or online setting. Do not underestimate the impact of in-house-led training opportunities. A person really learns a topic in depth when they are tasked with the responsibility of teaching it to others, so encourage your teams to hold regular lunch-and-learn sessions where they take turns teaching each other new skills and technologies. (You buy the lunch!)

Focusing on the top three drivers of career, challenge, and learning can help an organization reduce the risk of turnover as well as the risk of insider threat from a disgruntled technology employee. Besides reducing risk, minimizing staff turnover can also add value to the organization and transform what may be considered expenses into assets.

The turnover of a technical or security professional costs an organization approximately 100% of that person’s annual salary, a staggering number. Why not transform some of that expense into value creation? Build the thundering herd, where the value of the team is greater than the sum of the individuals on that team. Retaining good security talent takes effort and attention, but the payoff can be substantial.

– Ted Lloyd, CISM