Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/9/2018
02:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Signs You Are Heading for a Retention Problem

If you don't invest in your best security talent, they will look to burnish their resumes elsewhere. Here's why.

Anyone who has tried to recruit information security professionals in recent years knows how hard it can be to find qualified people. Unfortunately, while there has been quite a bit of dialogue around recruiting, there has been far too little around retention. Tragically, retention is most often overlooked, even though it is arguably more important than recruiting.

Over the course of my career, I've seen organizations do a variety of things that cost them their best security talent. There are some circumstances that are simply unavoidable. But in many cases, talent leaves for reasons that are all too preventable. Isn't a valuable resource that you've invested time and money in worth more to you than one that you haven't yet invested in?

It is in this spirit that I present to you 20 signs you are heading for a retention problem.

Problem 1: No board support: Retention success starts at the top. Talented security professionals have lots of choices when it comes to where they work. Who wants to work in an environment whose value is constantly questioned, that is constantly underfunded, and where one's existence needs to be constantly justified?

Problem 2: No executive support: If senior leadership doesn't believe that security is important to the organization, how can those working in the security organization be expected to see a future for themselves there?

Problem 3: Not enough funding: Security is hard enough when adequately resourced but when it is inadequately resourced, it becomes an unwinnable battle. Good people want to work, not wage war.

Problem 4: Lack of vision: The most successful security programs have a clear and concise vision. The best security professionals like to know in which direction they're headed. It helps them focus and perform to their full potential.

Problem 5: Bad boss: Studies have shown repeatedly that the boss is the most important factor when it comes to retention. Have an idiot or a jerk in charge of things? Kiss that security talent goodbye.

Problem 6: Lack of qualified team members: No one enjoys pulling five times the weight of everyone else. The more team members there are that aren't up to par, the harder it becomes to retain the top performers.

Problem 7: Failing technology: There are few things more frustrating than fighting with inadequate technology. Knowing exactly what needs to be done and how to do it only to find yourself held back by technology can quickly put top talent in a foul mood.

Problem 8: No collaboration between operations and engineering: The best security solutions are those that meet the needs of the operators. If there is no communication between those who deploy and those who operate, what hope is there for long-term success? The impact of this point on retention is greater than most people realize.

Problem 9: Micromanaging: As management, it is expected that you will communicate what you need from your staff. That's your job. But don't try and tell highly skilled professionals how to do what you need them to do. That's their job.

Problem 10: Not approaching security operations strategically: There is a limit to how much of a "Wild West" approach to security operations top performers can take. After a while, if there isn't some order to the chaos, they will lose their patience.

Problem 11: Failure to take incident response seriously: Sooner or later, every organization will face a serious or critical incident. Seasoned security pros know this, and thus each day that goes by without a serious approach to incident response makes their blood boil a bit more. At some point, they may conclude that the organization will never get serious about incident response and run for the hills.

Problem 12: Unpreparedness: No one likes getting caught with their pants down professionally. Concern about this is a big reason people move on to greener pastures.

Problem 13: More PowerPoint than PowerShell: Well-run security programs allow their staff to spend more time working and less time explaining what they're doing to others. If your best people end up spending more than half of their time explaining what they do to others, I think it's safe to say that their days with you are numbered.

Problem 14: Butts in seats: If you measure productivity by time spent in the office rather than by output, say goodbye to your best employees.

Problem 15: Warm bodies: Sometimes, employees need certain accommodations to allow them to balance work and life. For example, family commitments in another geographic area may prohibit them from being physically present all of the time. If you're not open to alternative arrangements, retention becomes that much harder.

Problem 16: Say one thing, do another: I have seen time and time again that people seek genuineness first and foremost. If a security organization preaches one thing and practices another, it hurts retention.

Problem 17: Lack of respect on the inside: If the security organization does not have the respect of other areas of the business, it can have a big impact on the morale of each employee. This, in turn, hurts retention.

Problem 18: Lack of respect on the outside: Security is an industry built on trust and respect. If an organization does not have the respect of its peer organizations, that matters to many security professionals.

Problem 19: Penny wise, dollar foolish: "How is there budget to fly management around the world 25 times, but I can't get a few days of training each year?" This line of thinking is all too common among security professionals with one foot out of the door.

Problem 20: Failure to invest in human resources: It is true that when you invest in your people, you allow them to improve their resumes. But, perhaps ironically, when people are in a constructive environment that allows them to grow professionally and sharpen their skills, they don't look to leave. Conversely, if you don't invest in them, they will look to improve their resumes elsewhere.

Related Content:

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
thclinton
50%
50%
thclinton,
User Rank: Apprentice
5/14/2018 | 10:42:15 AM
True Indeed
What you have written is entirely true and spot on...but you're preaching to the choir.  The audience of "Dark Reading" already knows this implicitly.  This subject matter needs to be published in other periodicals where "business leadership" can possibly learn something from it.  
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/11/2018 | 8:59:57 AM
Investment starts at the top
And the C-Suite generally has zero appreciation of IT in general and security in specific.  Belief that all IT can be re-routed to Bangalore or H1-B visa types just based on salary and benefit cost is their concern.  Security concerns far less so and that is evidenced by reaction to a security breach.  (Like Equifax - shut up, say nothing, blame 1 guy and move on).  Security professionals are thus not respected in general and are always touchy.  
gdeangelis@gpcasiapac.com
50%
50%
[email protected],
User Rank: Apprentice
5/9/2018 | 4:49:39 PM
Another sign
Security professionals like to and in most cases need to collaborate with other security pros. If a business or manager makes it difficult to do this or they do not see the value in this type of collaboration, they will find companies that do support this and can be around other like minded individuals
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19750
PUBLISHED: 2019-12-12
minerstat msOS before 2019-10-23 does not have a unique SSH key for each instance of the product.
CVE-2019-4606
PUBLISHED: 2019-12-12
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 could allow a local attacker to execute arbitrary code on the system, caused by an untrusted search path vulnerability. By using a executable file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-For...
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.