Three factors have combined to make this one of the hardest ever times to staff and run a cyber security department:
- The cyber security industry is experiencing an enormous talent drain, exceeding the general rates of the so-called ‘Great Resignation’
- It’s currently extremely difficult to attract talent — in many cases it takes six months to fill a cyber security role
- Cyber attacks are on the rise, in number and type
Unfortunately, those three only exacerbate each other. As cyber attacks multiply, cyber security professionals experience more stress and burnout, quit their jobs, and either don’t re-enter the industry, or only do so if a job meets extremely high standards for pay, benefits, and employee experience. Meanwhile, departments are understaffed, vulnerable to attack, and experience more breaches and hacks, and the staff they have left suffer even more intense stress and burnout.
95% of cyber security leaders are experiencing something that could lead them to resign within a year.
42% believe that cyber-security breaches are inevitable, and they would prefer to quit than blot their record. For a business, the solution could be a very precise balancing act.
No company wants its employees to feel that success in their role is unattainable, or that it’s better to resign than to fail despite their best efforts. That might be especially true in cyber security, where resignations can be so high-stake.
The remedy could be largely cultural. If you’re in charge of the department, and the buck stops with you, the assumption is that if something goes wrong, it’s ultimately your fault. 87% of cyber security leaders fear losing their job because of a cyber security incident, and in many walks of life, those who think they’ll soon be pushed often conclude it’s better to avoid disgrace, and they jump first.
That’s a highly avoidable sequence of events. Employers can communicate to new or existing cyber security leaders that some breaches will be basically unavoidable, and that if they had taken all measures that could reasonably be expected of them, they shouldn’t expect disciplinary action or dismissal simply because of an incident.
Here is where the balance is delicate. You’d hope that nobody would interpret that level of understanding as permission to take their eyes off the ball, especially at senior levels, but there’s a risk that it has a cooling effect on the senses of urgency and responsibility. It takes very skilful leaders and communicators to create an environment of support and safety which also values and emphasises accountability.
40% of cyber security leaders feel that stress is heavily impacting their lives and could drive them out of their roles within a year.
You’d expect a degree of stress in cyber security work, especially at the top, but it’s worth considering whether your organisation creates unsustainable pressure. Once again, that’s largely a cultural question of pastoral and practical support.
Are you actively taking care of your leaders’ mental health, or at least enabling them to do so for themselves? Have you created a culture that encourages those at the top to admit they don’t have the answers without fear of judgment? Are you demonstrating that you understand that there’s a skills gap, you’re determined to support leaders in recruitment, and that any cyber security breaches under the circumstances cannot be simply the fault of one leader?
Many work environments become frantic and pressured by the nature of the work, especially in something like cyber security. It’s often something that develops organically, and it’s no fault of the organisation, but businesses should take a moment to step back, and ensure they provide support where it’s needed.
Frontline cyber security workers
The ICASA‘State of Cybersecurity’ report of 2022established the top reasons for poor retention of cyber security workers.
- Recruitment into other businesses: 59%
- Uncompetitive salary or bonus: 48%
- Too few opportunities for advancement: 47%
- Stress: 45%
- Insufficient support from management: 34%
You can tell from the percentages and the nature of those drivers that one or more factors easily coexist and influence each other.
Recruitment into other businesses
Here, employees are leaving for similar roles elsewhere, rather than leaving cyber security entirely. Any of the other drivers listed could be at play. If it’s happening a lot to you, examine what it is that other businesses have that you don’t.
Don’t be afraid to ask departing employees, or those who announce their departure, what drove their decision. Also, pre-empt and prevent some losses by asking your teams what might make them resign in future. Create an environment in which employees feel safe expressing dissatisfaction, and then be sure to address those concerns.
Stress and insufficient support
Unsurprisingly, stress features prominently, as it does for business leaders. Many of the same solutions apply, and just as having more staff can support leaders, management can improve its support for those working under them.
It highlights the need for senior employees who are not only cyber security experts, but also gifted and empathetic leaders. Sacrifice either of those qualities and the professional wellbeing of your security staff suffers immensely.
It’s a commercial reality that raising salaries is easier said than done, but organisations can at least have a strong sense of how competitive their pay is. If a better offer is on the table, many professionals will take it, and that’s no surprise. Not every business can simply raise their salaries, but if you’re paying much less than people could earn elsewhere, then addressing that should be part of your long-term strategy.
If it’s wholly unrealistic to ever match a market salary, there are other ways to retain staff, including lifestyle, support, and cultural benefits that mean employees are willing to forego more lucrative offers.
Too few opportunities for advancement
If this applies to your business, it’s either a problem with the structure of your hierarchy, or with the promotion culture. Specifically, there aren’t enough senior roles available, leaders are slow to promote, or they don’t enable or encourage employees to carve out roles and niches for themselves. That’s especially valuable and important in cyber security, since the sector is in a state of continual development and innovation.
Cyber security beyond the Great Resignation
Cyber security employee retention was a challenge before the pandemic, and it’ll be a challenge long after the job market settles. The fundamental principles haven’t changed — organisations need leaders who are not only cyber security experts, but who can also inspire and support all levels. They also need enough commercial awareness to create and maintain a business culture and working environment that employees prefer to stay in.
RPI has a network of exactly those leaders, and the sector expertise to match them with businesses where they will make the greatest impact. To plug your talent drain, or simply bolster your board with C-suite innovators, get in touch through firstname.lastname@example.org.