Anyone who has tried to recruit information security professionals in recent years knows how hard it can be to find qualified people. Unfortunately, while there has been quite a bit of dialogue around recruiting, there has been far too little around retention. Tragically, retention is most often overlooked, even though it is arguably more important than recruiting.
Over the course of my career, I've seen organizations do a variety of things that cost them their best security talent. There are some circumstances that are simply unavoidable. But in many cases, talent leaves for reasons that are all too preventable. Isn't a valuable resource that you've invested time and money in worth more to you than one that you haven't yet invested in?
It is in this spirit that I present to you 20 signs you are heading for a retention problem.
Problem 1: No board support: Retention success starts at the top. Talented security professionals have lots of choices when it comes to where they work. Who wants to work in an environment whose value is constantly questioned, that is constantly underfunded, and where one's existence needs to be constantly justified?
Problem 2: No executive support: If senior leadership doesn't believe that security is important to the organization, how can those working in the security organization be expected to see a future for themselves there?
Problem 3: Not enough funding: Security is hard enough when adequately resourced but when it is inadequately resourced, it becomes an unwinnable battle. Good people want to work, not wage war.
Problem 4: Lack of vision: The most successful security programs have a clear and concise vision. The best security professionals like to know in which direction they're headed. It helps them focus and perform to their full potential.
Problem 5: Bad boss: Studies have shown repeatedly that the boss is the most important factor when it comes to retention. Have an idiot or a jerk in charge of things? Kiss that security talent goodbye.
Problem 6: Lack of qualified team members: No one enjoys pulling five times the weight of everyone else. The more team members there are that aren't up to par, the harder it becomes to retain the top performers.
Problem 7: Failing technology: There are few things more frustrating than fighting with inadequate technology. Knowing exactly what needs to be done and how to do it only to find yourself held back by technology can quickly put top talent in a foul mood.
Problem 8: No collaboration between operations and engineering: The best security solutions are those that meet the needs of the operators. If there is no communication between those who deploy and those who operate, what hope is there for long-term success? The impact of this point on retention is greater than most people realize.
Problem 9: Micromanaging: As management, it is expected that you will communicate what you need from your staff. That's your job. But don't try and tell highly skilled professionals how to do what you need them to do. That's their job.
Problem 10: Not approaching security operations strategically: There is a limit to how much of a "Wild West" approach to security operations top performers can take. After a while, if there isn't some order to the chaos, they will lose their patience.
Problem 11: Failure to take incident response seriously: Sooner or later, every organization will face a serious or critical incident. Seasoned security pros know this, and thus each day that goes by without a serious approach to incident response makes their blood boil a bit more. At some point, they may conclude that the organization will never get serious about incident response and run for the hills.
Problem 12: Unpreparedness: No one likes getting caught with their pants down professionally. Concern about this is a big reason people move on to greener pastures.
Problem 13: More PowerPoint than PowerShell: Well-run security programs allow their staff to spend more time working and less time explaining what they're doing to others. If your best people end up spending more than half of their time explaining what they do to others, I think it's safe to say that their days with you are numbered.
Problem 14: Butts in seats: If you measure productivity by time spent in the office rather than by output, say goodbye to your best employees.
Problem 15: Warm bodies: Sometimes, employees need certain accommodations to allow them to balance work and life. For example, family commitments in another geographic area may prohibit them from being physically present all of the time. If you're not open to alternative arrangements, retention becomes that much harder.
Problem 16: Say one thing, do another: I have seen time and time again that people seek genuineness first and foremost. If a security organization preaches one thing and practices another, it hurts retention.
Problem 17: Lack of respect on the inside: If the security organization does not have the respect of other areas of the business, it can have a big impact on the morale of each employee. This, in turn, hurts retention.
Problem 18: Lack of respect on the outside: Security is an industry built on trust and respect. If an organization does not have the respect of its peer organizations, that matters to many security professionals.
Problem 19: Penny wise, dollar foolish: "How is there budget to fly management around the world 25 times, but I can't get a few days of training each year?" This line of thinking is all too common among security professionals with one foot out of the door.
Problem 20: Failure to invest in human resources: It is true that when you invest in your people, you allow them to improve their resumes. But, perhaps ironically, when people are in a constructive environment that allows them to grow professionally and sharpen their skills, they don't look to leave. Conversely, if you don't invest in them, they will look to improve their resumes elsewhere.