Dark Reading is part of the Informa Tech Division of Informa PLC

5/9/2018
02:30 PM
Joshua Goldfarb
Commentary

20 Signs You Are Heading for a Retention Problem

If you don't invest in your best security talent, they will look to burnish their resumes elsewhere. Here's why.

Anyone who has tried to recruit information security professionals in recent years knows how hard it can be to find qualified people. Unfortunately, while there has been quite a bit of dialogue around recruiting, there has been far too little around retention. Tragically, retention is most often overlooked, even though it is arguably more important than recruiting.

Over the course of my career, I've seen organizations do a variety of things that cost them their best security talent. There are some circumstances that are simply unavoidable. But in many cases, talent leaves for reasons that are all too preventable. Isn't a valuable resource that you've invested time and money in worth more to you than one that you haven't yet invested in?

It is in this spirit that I present to you 20 signs you are heading for a retention problem.

Problem 1: No board support: Retention success starts at the top. Talented security professionals have lots of choices when it comes to where they work. Who wants to work in an environment whose value is constantly questioned, that is constantly underfunded, and where one's existence needs to be constantly justified?

Problem 2: No executive support: If senior leadership doesn't believe that security is important to the organization, how can those working in the security organization be expected to see a future for themselves there?

Problem 3: Not enough funding: Security is hard enough when adequately resourced, but when it is inadequately resourced, it becomes an unwinnable battle. Good people want to work, not wage war.

Problem 4: Lack of vision: The most successful security programs have a clear and concise vision. The best security professionals like to know in which direction they're headed. It helps them focus and perform to their full potential.

Problem 5: Bad boss: Studies have shown repeatedly that the boss is the most important factor when it comes to retention. Have an idiot or a jerk in charge of things? Kiss that security talent goodbye.

Problem 6: Lack of qualified team members: No one enjoys pulling five times the weight of everyone else. The more team members there are that aren't up to par, the harder it becomes to retain the top performers.

Problem 7: Failing technology: There are few things more frustrating than fighting with inadequate technology. Knowing exactly what needs to be done and how to do it only to find yourself held back by technology can quickly put top talent in a foul mood.

Problem 8: No collaboration between operations and engineering: The best security solutions are those that meet the needs of the operators. If there is no communication between those who deploy and those who operate, what hope is there for long-term success? The impact of this point on retention is greater than most people realize.

Problem 9: Micromanaging: As management, it is expected that you will communicate what you need from your staff. That's your job. But don't try and tell highly skilled professionals how to do what you need them to do. That's their job.

Problem 10: Not approaching security operations strategically: There is a limit to how much of a "Wild West" approach to security operations top performers can take. After a while, if there isn't some order to the chaos, they will lose their patience.

Problem 11: Failure to take incident response seriously: Sooner or later, every organization will face a serious or critical incident. Seasoned security pros know this, and thus each day that goes by without a serious approach to incident response makes their blood boil a bit more. At some point, they may conclude that the organization will never get serious about incident response and run for the hills.

Problem 12: Unpreparedness: No one likes getting caught with their pants down professionally. Concern about this is a big reason people move on to greener pastures.

Problem 13: More PowerPoint than PowerShell: Well-run security programs allow their staff to spend more time working and less time explaining what they're doing to others. If your best people end up spending more than half of their time explaining what they do to others, I think it's safe to say that their days with you are numbered.

Problem 14: Butts in seats: If you measure productivity by time spent in the office rather than by output, say goodbye to your best employees.

Problem 15: Warm bodies: Sometimes, employees need certain accommodations to allow them to balance work and life. For example, family commitments in another geographic area may prohibit them from being physically present all of the time. If you're not open to alternative arrangements, retention becomes that much harder.

Problem 16: Say one thing, do another: I have seen time and time again that people seek genuineness first and foremost. If a security organization preaches one thing and practices another, it hurts retention.

Problem 17: Lack of respect on the inside: If the security organization does not have the respect of other areas of the business, it can have a big impact on the morale of each employee. This, in turn, hurts retention.

Problem 18: Lack of respect on the outside: Security is an industry built on trust and respect. If an organization does not have the respect of its peer organizations, that matters to many security professionals.

Problem 19: Penny wise, dollar foolish: "How is there budget to fly management around the world 25 times, but I can't get a few days of training each year?" This line of thinking is all too common among security professionals with one foot out of the door.

Problem 20: Failure to invest in human resources: It is true that when you invest in your people, you allow them to improve their resumes. But, perhaps ironically, when people are in a constructive environment that allows them to grow professionally and sharpen their skills, they don't look to leave. Conversely, if you don't invest in them, they will look to improve their resumes elsewhere.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
Comments
gdeangelis@gpcasiapac.com
User Rank: Apprentice
5/9/2018 | 4:49:39 PM
Another sign
Security professionals like to, and in most cases need to, collaborate with other security pros. If a business or manager makes it difficult to do this or they do not see the value in this type of collaboration, they will find companies that do support this and can be around other like-minded individuals.
REISEN1955
User Rank: Ninja
5/11/2018 | 8:59:57 AM
Investment starts at the top
And the C-Suite generally has zero appreciation of IT in general and security in specific. Belief that all IT can be re-routed to Bangalore or H1-B visa types just based on salary and benefit cost is their concern. Security concerns far less so and that is evidenced by reaction to a security breach. (Like Equifax - shut up, say nothing, blame 1 guy and move on). Security professionals are thus not respected in general and are always touchy.
thclinton
User Rank: Apprentice
5/14/2018 | 10:42:15 AM
True Indeed
What you have written is entirely true and spot on...but you're preaching to the choir. The audience of "Dark Reading" already knows this implicitly. This subject matter needs to be published in other periodicals where "business leadership" can possibly learn something from it.