ISACA’s recently released 2020 State of Cybersecurity survey report revealed some sobering findings around hiring and retention for cybersecurity teams. Sixty-two percent say their organization’s cybersecurity team is understaffed, 57 percent say they currently have unfilled cybersecurity positions on their team and 32 percent say it takes six months or more to fill an open cybersecurity position with a qualified candidate.
During a panel discussion last week at RSA Conference 2020 in San Francisco, California, USA, “Why Your Staff Leaves, and How to Retain, Retrain, and Build Leaders,” ISACA experts acknowledged that the issues that plague cybersecurity teams and staffing aren’t new, and pivoted to answering the question—what does better look like?
“Leadership can be the glue that makes employees stay,” said Todd Weinman, president and chief recruiting officer with The Weinman Group. “Managers can impact the culture of your department even if they can’t change the organization’s culture. Trust and transparent communication are two pillars to a strong culture.”
Pam Nigro, ISACA board director and senior director of information security with HCSC, agreed. “On my team, we have created a subculture within a culture,” she said. “In 15 years, I’ve had eight different bosses, but my employees have moved with me. We’re in it together, it’s not ‘us and them.’”
She explained she creates this environment for her staff by giving them as much flexibility as possible and making time each quarter to ask them about what they like or don’t like doing at work, help them work on their skills and give them tools to grow in their careers.
“As a manager, I make sure to schedule that time, and I make that time sacred. I know it’s an opportunity for them to feel heard, to grow and move up in their career,” she said.
Kris Rides, co-founder and CEO of Tiro Security, emphasized that “the ones who are happy aren’t picking up the phone when recruiters call,” and noted that job satisfaction is one of the three key reasons—along with salary and location—why people leave jobs, what he calls the “retention triangle.”
“If one area is an issue, but the other two are OK, then employees will stay. If there are two areas that are an issue, they will likely leave; if all three are issues, it’s shocking if they are still there,” said Rides. “By taking the time to understand what’s happening in your direct report’s life, you’ll find out what makes them stay.”
Weinman concurred, saying, “Staying plugged in and in touch with your team is something that you can’t outsource.”
He added that, unfortunately, many managers don’t receive proper training in leading people when they are promoted to that level, so they aren’t doing the right things to keep their staff feeling fulfilled and acknowledged. “We’re having a management crisis – we have managers who don’t know how to manage,” Weinman stressed. “In addition, there need to be paths to move up that aren’t tied to managing people.”
So how can managers begin to create these positive cultures that drive people to stay or join their teams?
The group noted that celebrating achievements can be a powerful way to make staff feel recognized and create a culture where they want to stay. “Make sure you’re celebrating wins and micro-wins,” Weinman said.
Rides added, “People can be so passionate about their work; support them in talking about their work externally at the chapter level or other outside events.”
Brennan P. Baybeck, ISACA board chair; vice president and CISO, Customer Services, Oracle Corporation; and moderator of the panel, noted that digital badging can be another way to give recognition. And Nigro pointed out that it is important to find out what recognition looks like to each team member—fanfare can be embarrassing for some, whereas a thank you note might be especially meaningful.
Most important, Nigro said, is to maintain a level of engagement throughout the year, in whichever way resonates best with your team.
“We go out and have fun with mini golf, bowling, museums, and make a trip to Taste of Chicago every year. During the work week, we have teatime together at 3 p.m.,” said Nigro, noting that she also brings in out-of-town employees twice a year to keep them engaged, too. “[My staff] is more important to me than the deadline.”
Being genuine and “plugged in” with your team goes a long way in helping staff feel valued and working toward building this strong team culture.
“I want my staff to know that I’m in my role for them,” said Baybeck. “You have to be sincere and demonstrate that through your actions.”