The most important thing that we do as cyber security leaders is recruit high quality talent. The second most important thing that we do is work to retain that talent.
How does a leader retain talent in an often crazy market with a shortage of cyber security professionals?
To me, there are three fundamentals to success. Each is so fundamental that, in my mind, they can’t be prioritized into an order.
Compensate people fairly. It doesn’t have to be top of market, but it can’t be bottom of market either. Compensation can also be accomplished through things that are meaningful to employees - company ownership, benefits, flexible hours, remote opportunities, etc. "Fairly" also means that people understand the criteria for more pay (either annual increases or promotions) that they’ll be evaluated against, and that those criteria will be equally applied across similar cyber security disciplines.
Perhaps when focused on building maturity, “consistent independent delivery of meaningful, well thought out scoped work relative to their level without security friction” is high on my list. The closer that employee results are to that standard and relative to their level and peers, the larger spoonful I work to give them. The team has to know the standard and you have to stick with the standard that you’ve communicated. Your best people, the linchpins to your program’s success, shouldn’t have to be constantly begging for raises if they are consistently performing at your standard.
Details matter: Never underestimate the ability of the team to know if you have a vision. Also, don't underestimate their ability to see through your real motivations. Do you have a clear plan and priorities that make sense to the team? Can the team see where they are against the execution of that plan? Are you transparently contributing to your team’s success? Playing favorites? Are you working to make them more successful? Making or supporting decisions that reduce or increase their distracting work? When you have a chance to push back against an issue that impacts the team negatively, do you push back with some level of risk to you? Does the team feel like you have your own skin in their game? The key here is that it is easier to retain top talent when they feel that you are directly involved in helping them be more successful.
Train the team: Cyber security is a field in which the level of training that practitioners have matters, especially to the employees on your team. That means, "every team." Of course, the issue is that cyber security isn’t cheap. First, there are a lot of local and regional training opportunities and conferences that aren’t expensive. Make time for team members to attend those whenever possible. You can also bring instructors to your facility to train your team and even partner teams in key cyber security topics. This way, you’ll only pay for travel for the instructor. We did this to bring a baseline cyber security certification training course to our facility with great success. For the more expensive training, again, stay consistent to your criteria within your available budget.
Great talent can be retained. I also truly believe that people want to stay in an organization in which they feel challenged, appreciated, and trained while, at the same time, expectations around pay and training are consistently communicated and followed by a leader that has their interests and career growth in mind.
The levers to keep your talent are yours to pull as a cyber security leader.
Make a difference for your team today.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.