Careers & People

2/15/2016 10:00 AM

How To Retain Good Security People: Keep The Work Exciting

Security managers should foster a challenging but rewarding work environment and invest in training to keep their security teams intact.

Acquiring talented IT security professionals is a big challenge for organizations grappling with growing skill shortages that impact every industry sector and government agency. Even more challenging, though, is retaining skilled workers amid a hot market where they can be easily lured elsewhere by more money or better opportunities.

It's a delicate balancing act: companies must not only offer appropriate compensation and work environments, but also give their workforce opportunities to learn new skills and tackle more challenging and exciting work, experts say.

According to an online survey of 132 security professionals conducted by AlienVault’s Javvad Malik, 33.9% cite “more challenging and exciting work” as the main reason they would move to another job.

“Not surprisingly, pay came in at second [23.14%] and flexible working environments [16.81%] was third,” says Malik, a London-based IT security specialist with AlienVault, a developer of security information and event management and threat management solutions. The promise of training, certification, or more education also ranked high as an incentive for taking a new job.

One way to help make the work environment more challenging is to automate the mundane tasks, Malik says. “Every organization has boring and routine things to do, but if they [security managers] can try to automate it or give it as a project,” the security team could focus on more complex tasks, he says. 

Take vulnerability scans, which can be time-consuming: why not import them into a security information event management system or write correlation rules, he says. The outcome is two-fold: “You are removing the tedious tasks and giving them something meaningful to do. Once that is accomplished, you’ve ended up saving 10% to 20% of your time per week.”

Other key findings of the survey:

  • Having offices situated outside of major cities not only attracts local talent, but the chances of retaining that talent increase significantly due to the lack of competition.

Malik spoke to managers at two large international companies who preferred to set up their data centers or SOCs outside of major cities, ideally near a university. They knew they would get a steady flow of talented staff they could train. The staff would have few options geographically to actually leave. “They ended up with staff retention that way,” Malik says. 

  • Team culture can vary from company culture: don't assume both are the same. 

Some survey respondents enjoy working with their boss and colleagues, but thought their companies were atrocious. They’re staying in their jobs because of their boss and colleagues. However, it is more difficult to stay in a company where your boss or immediate colleagues are unsupportive, Malik notes.

  • Nearly 65% of security pros are happy and content in their current jobs.

One security director said he had great success in finding non-security people from within the company and training them for IT or cybersecurity jobs, Malik says. Plus, the director structured the SOC team like a consultancy or cost center within the company. As a result, he could more effectively determine how many people he needed to support the various businesses.

He could say, “These are the businesses I’m supporting so where do you want me to scale back, rather than just increasing the workload on everyone,” Malik explains.

Top-Down

Retention initiatives start at the top, says Adam Vincent, CEO of ThreatConnect, a developer of threat intelligence platforms. Leadership must grow and foster a security team to meet their organization’s needs, and people who are being trained eventually become experts in their fields. They are either going to grow into a new role within their organization -- or look elsewhere, he says.

“If you let them go because it is the next frontier for their career and learning experience, I view that as a win," says Vincent, who advocates training people and supporting their decision to go elsewhere for more challenging work if he couldn't provide that to them.

“However, I will also say that leadership of the security practice is what you need to look at so you don’t end up with all of your people job hopping.”

Security professionals responding to The 2015 (ISC)² Global Information Security Workforce Study, meanwhile, also expressed satisfaction with their current jobs.

“Given the environment in which security professionals work, a certain amount of discontentment with their current roles would be understandable, if not expected,” according to the report, which was written by Frost and Sullivan analysts. But the study found that three out of four say they are "somewhat or very" satisfied, and 30% of the 14,000 professionals worldwide that responded to the survey say they are "very satisfied.” 

High job satisfaction facilitates employee retention, according to the report, as well as other factors. Employee churn remains a challenge for employers despite security professionals’ satisfaction with their current positions, the survey shows.

“In a single year, 2014, nearly one in five security professionals changed employers or employment status. Across the 2011, 2013, and 2015 surveys, churn of nearly 20% is the highest that has been seen,” the report says. “Correspondingly, having 14% of respondents reporting that they 'changed employers while still employed' was also the highest percentage across the three surveys. Rising churn is the first sign of rising security professional scarcity,” according to the (ISC)² report.

Offering training programs (61%) and paying for employees’ security certification expenses (59%) are the top two initiatives that surveyed security managers have in place to retain professionals. Improving compensation (57%) landed third on the list.

Offering flexible work schedules (55%) and supporting flexible working arrangements (51%) were fourth and fifth, “suggesting that employers can improve retention with initiatives that do not have a significant expense-line impact,” the report states.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
