Building and retaining your security team

If you are a cybersecurity leader/hiring manager, you are probably getting tired of being reminded that there aren’t enough skilled cybersecurity staff to fill your open positions. We know already, can we stop complaining about it? Yes, there are currently 500K open cyber positions in the US and nearly 3 million open positions globally (1), and the need is definitely not expected to shrink in the coming years. So maybe it’s time to think outside of the box when it comes to staffing our teams.

The Cybersecurity Unicorn may exist but we can’t find them, and even if we did we can’t afford them.  How are we supposed to keep our SOC or our security engineering teams fully functional if we don’t have anyone that can do the job?  We consider our options. While it is always prudent to recruit new talent from recent college graduates at reputable IT and security education programs, and there always seems to be the regular musical chairs of security staff that shift from organization to organization, I don’t think that’s the only answer.   As security leaders, what are we doing to help ourselves?

Most organizations already know that it’s cheaper to keep staff than replace them. Once an employee becomes familiar with an organization’s activities and operations they are more effective even with just the skills they already have. So rather than investing in a few of the most expensive security resources on the market, maybe we should invest even more in those employees we already have. And I’m not just talking about the current members of the security team; we need to expand these options to all of our employees (think other IT staff and business lines), and even consider hiring new employees that have strong IT aptitude but maybe not the lofty required level of experience we typically list in our entry-level security analyst job postings. Training the needed technology skills after a promising but inexperienced employee joins the organization (from another department or outside the organization) may seem counter-intuitive but can result in more effective results, including fully staffed teams. It also shows staff that there are opportunities beyond the role they are entering at the moment, which is another boost to staff retention.

Mature security programs have been including training opportunities in their weekly activities for some time now, and that is why they continue to have effective programs, reduced turnover and strong staff knowledge and expertise. Training at these organizations isn’t just the standard “Learning Management System” videos or outside classes (although they both have a place), but includes active learning through internal exercises like capture the flag or red team/blue team competitions, time during the week for reading and self-directed learning, and job shadowing/skills transfer activities.

Providing training opportunities to your teams on an ongoing basis can improve both their skills and retention numbers. It also establishes a more robust security culture, as all employees can see by your actions that security is important to the organization. And even if some of the staff are already highly skilled, the world is changing fast. The continuous influx of new business technologies, new security regulations and requirements, new security tools and technologies, and new threats and vulnerabilities requires that your teams update and refresh skills and knowledge constantly. And don’t forget about non-tech skills like effective communication and business acumen, both of which can improve the success of business-impacting implementations and processes.

“The only thing worse than training employees and losing them is to not train them and keep them.” – Zig Ziglar

While improving the skill level of your existing employees may take time, effort, and money, and some will use their new skills to find jobs elsewhere, it will also give you the resources to continue to have an effective security program and may be the only way you can keep all those seats filled.

(1) 2018 (ISC)² Cybersecurity Workforce Study

Contact TLI admissions at tli-info@umn.edu or 612-624-5747 for more information on the Technological Leadership Institute.

About the Author:

Mike Johnson

Mike Johnson serves as the director of graduate studies for the Master of Science in Security Technologies degree program at the Technological Leadership Institute at the University of Minnesota. In his role, he oversees, develops and teaches graduate level courses in security technologies innovation, management and leadership. He also delivers custom short courses and professional development programs for businesses. He has 25 years of risk management experience in security and financial services, serving as CISO and Operations Risk Director at Bremer Bank.