Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/9/2018
02:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Signs You Are Heading for a Retention Problem

If you don't invest in your best security talent, they will look to burnish their resumes elsewhere. Here's why.

Anyone who has tried to recruit information security professionals in recent years knows how hard it can be to find qualified people. Unfortunately, while there has been quite a bit of dialogue around recruiting, there has been far too little around retention. Tragically, retention is most often overlooked, even though it is arguably more important than recruiting.

Over the course of my career, I've seen organizations do a variety of things that cost them their best security talent. There are some circumstances that are simply unavoidable. But in many cases, talent leaves for reasons that are all too preventable. Isn't a valuable resource that you've invested time and money in worth more to you than one that you haven't yet invested in?

It is in this spirit that I present to you 20 signs you are heading for a retention problem.

Problem 1: No board support: Retention success starts at the top. Talented security professionals have lots of choices when it comes to where they work. Who wants to work in an environment whose value is constantly questioned, that is constantly underfunded, and where one's existence needs to be constantly justified?

Problem 2: No executive support: If senior leadership doesn't believe that security is important to the organization, how can those working in the security organization be expected to see a future for themselves there?

Problem 3: Not enough funding: Security is hard enough when adequately resourced but when it is inadequately resourced, it becomes an unwinnable battle. Good people want to work, not wage war.

Problem 4: Lack of vision: The most successful security programs have a clear and concise vision. The best security professionals like to know in which direction they're headed. It helps them focus and perform to their full potential.

Problem 5: Bad boss: Studies have shown repeatedly that the boss is the most important factor when it comes to retention. Have an idiot or a jerk in charge of things? Kiss that security talent goodbye.

Problem 6: Lack of qualified team members: No one enjoys pulling five times the weight of everyone else. The more team members there are that aren't up to par, the harder it becomes to retain the top performers.

Problem 7: Failing technology: There are few things more frustrating than fighting with inadequate technology. Knowing exactly what needs to be done and how to do it only to find yourself held back by technology can quickly put top talent in a foul mood.

Problem 8: No collaboration between operations and engineering: The best security solutions are those that meet the needs of the operators. If there is no communication between those who deploy and those who operate, what hope is there for long-term success? The impact of this point on retention is greater than most people realize.

Problem 9: Micromanaging: As management, it is expected that you will communicate what you need from your staff. That's your job. But don't try and tell highly skilled professionals how to do what you need them to do. That's their job.

Problem 10: Not approaching security operations strategically: There is a limit to how much of a "Wild West" approach to security operations top performers can take. After a while, if there isn't some order to the chaos, they will lose their patience.

Problem 11: Failure to take incident response seriously: Sooner or later, every organization will face a serious or critical incident. Seasoned security pros know this, and thus each day that goes by without a serious approach to incident response makes their blood boil a bit more. At some point, they may conclude that the organization will never get serious about incident response and run for the hills.

Problem 12: Unpreparedness: No one likes getting caught with their pants down professionally. Concern about this is a big reason people move on to greener pastures.

Problem 13: More PowerPoint than PowerShell: Well-run security programs allow their staff to spend more time working and less time explaining what they're doing to others. If your best people end up spending more than half of their time explaining what they do to others, I think it's safe to say that their days with you are numbered.

Problem 14: Butts in seats: If you measure productivity by time spent in the office rather than by output, say goodbye to your best employees.

Problem 15: Warm bodies: Sometimes, employees need certain accommodations to allow them to balance work and life. For example, family commitments in another geographic area may prohibit them from being physically present all of the time. If you're not open to alternative arrangements, retention becomes that much harder.

Problem 16: Say one thing, do another: I have seen time and time again that people seek genuineness first and foremost. If a security organization preaches one thing and practices another, it hurts retention.

Problem 17: Lack of respect on the inside: If the security organization does not have the respect of other areas of the business, it can have a big impact on the morale of each employee. This, in turn, hurts retention.

Problem 18: Lack of respect on the outside: Security is an industry built on trust and respect. If an organization does not have the respect of its peer organizations, that matters to many security professionals.

Problem 19: Penny wise, dollar foolish: "How is there budget to fly management around the world 25 times, but I can't get a few days of training each year?" This line of thinking is all too common among security professionals with one foot out of the door.

Problem 20: Failure to invest in human resources: It is true that when you invest in your people, you allow them to improve their resumes. But, perhaps ironically, when people are in a constructive environment that allows them to grow professionally and sharpen their skills, they don't look to leave. Conversely, if you don't invest in them, they will look to improve their resumes elsewhere.

Related Content:

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
gdeangelis@gpcasiapac.com
50%
50%
[email protected],
User Rank: Apprentice
5/9/2018 | 4:49:39 PM
Another sign
Security professionals like to and in most cases need to collaborate with other security pros. If a business or manager makes it difficult to do this or they do not see the value in this type of collaboration, they will find companies that do support this and can be around other like minded individuals
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
5/11/2018 | 8:59:57 AM
Investment starts at the top
And the C-Suite generally has zero appreciation of IT in general and security in specific.  Belief that all IT can be re-routed to Bangalore or H1-B visa types just based on salary and benefit cost is their concern.  Security concerns far less so and that is evidenced by reaction to a security breach.  (Like Equifax - shut up, say nothing, blame 1 guy and move on).  Security professionals are thus not respected in general and are always touchy.  
thclinton
50%
50%
thclinton,
User Rank: Apprentice
5/14/2018 | 10:42:15 AM
True Indeed
What you have written is entirely true and spot on...but you're preaching to the choir.  The audience of "Dark Reading" already knows this implicitly.  This subject matter needs to be published in other periodicals where "business leadership" can possibly learn something from it.  
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0242
PUBLISHED: 2019-12-09
mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.
CVE-2015-3424
PUBLISHED: 2019-12-09
SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.
CVE-2015-3425
PUBLISHED: 2019-12-09
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.
CVE-2015-7892
PUBLISHED: 2019-12-09
Stack-based buffer overflow in the m2m1shot_compat_ioctl32 function in the Samsung m2m1shot driver framework, as used in Samsung S6 Edge, allows local users to have unspecified impact via a large data.buf_out.num_planes value in an ioctl call.
CVE-2015-0841
PUBLISHED: 2019-12-09
Off-by-one error in the readBuf function in listener.cpp in libcapsinetwork and monopd before 0.9.8, allows remote attackers to cause a denial of service (crash) via a long line.