Recruiting and Retaining Top Talent in a Zero-Percent Unemployment Market

Brian McGowan, CISM, VP Global Security & Privacy, SharkNinja

Brian McGowan, CISM, VP Global Security & Privacy, SharkNinja

Cybersecurity leadership professionals have experienced two very different sides of the growth and demand in security jobs. On one side, we’ve benefited from increasing salaries. According to a Salary.com study, the mean salary + bonus for a CISO in 2021 was $277K, while Fortune 500 CISOs in large cities made between $500K and $1MM. That’s the positive side of the cybersecurity job market – leaders are well paid. The other side is the challenges we face in recruiting and retaining top talent. Let’s take a look at what has led to difficulties finding new talent to join our teams and some ways to retain that talent.

The U.S. Bureau of Labor Statistics estimates a 31 percent growth in security analyst positions between 2019 and 2029 compared to an overall 4 percent growth rate for all occupations combined. The US Commerce Department estimated 500 unfilled cybersecurity positions in the US in August 2021 while ISC(2) estimated we’ll see 1.8 million unfilled positions globally in 2022. Consider the impact of “The Great Resignation” in 2021, which saw many workers change jobsas the demand for a more flexible work arrangement (predominantly workers demanded going full-time remote) became a key retention (and recruiting) criteria. While those numbers represent great opportunities for security professionals, it’s simultaneously a major challenge for leadership to build and maintain teams. There simply aren’t enough people to fill the open jobs.

What can we do to recruit and retain the talent we need to successfully operate our cybersecurity programs?Let’s face it, attrition hurts. Occasionally it turns out beneficial when under-performers move on but losing team members means we need to spend time recruiting, onboarding and training new ones – all of which are part of the leadership role but certainly take us away from executing our core cybersecurity missions.It’s a complex problem to solve and there’s no silver bullet. Nonetheless, let’s look at some tactics that can put us in the driver’s seat.

Gatekeeper or cheerleader?

Do you sell your company or program to candidates in the early stages of recruiting?Are potential candidates leaving the first interactions with feeling excited about the opportunity to join your team? If not, consider shifting the early stage of recruiting from screening candidates to actuallyrecruiting them. Often teams want to ensure a new member will fit in with the corporate culture – that’s always an important concern. Let’s get a candidate on the hook first before we pass judgment if they’ll fit in. In this market, those who sell the benefits of joining a company and their program, those who get the candidate excited about an opportunity, may see a better response and increase the likelihood of landing the candidate of choice.

If we put up barriers and make candidates feel like they’re being tested they may walk away feeling less enthusiastic about what we have to offer. Sell the position first, then screen for qualifications to get best candidates.Candidates have options – make yours the most attractive.

Pay thePeople

Let’s get compensation out of the way. If we’re not paying competitive salaries, then we’re setting ourselves up to lose employees to higher-paying jobs and we certainly won’t recruit top talent to join our teams. As cybersecurity professionals, we may enjoy what we do, but we do it to earn a living. Pay people competitively and take that consideration off the table.

Was it Me?

According to 15Five, a performance management software provider, a recent survey indicated “bad bosses” or “getting away from their manager” was theleading reason for quitting a job. As leaders, we need to take a close look in the mirror and ask ourselves if we foster a culture that increases retention or compels team members to leave. Focus on individual growth plans. Get to know team members and their personal interests. Recognize team memberaccomplishments. Operate with transparency and hold team members accountable for high-quality work. We have control over how we treat people and treating them well is at the core of creating lasting relationships and retaining team members. As Maya Angelou famously stated, “people will forget what you said, people will forget what you did, but people will never forget how you made them feel”. Let’s make our team members feel like staying with us.

Don’t Just Look Up

Cybersecurity leaders sit at the highest levels of the org chart withinorganizations. Peer groups include business leaders and executive management and many report to the board of directors. Fostering those relationships and driving value to top-level stakeholders is key to success. However, those who work in our departments - our team members -are critical to our success as well. They’re the ones doing the heavy lifting day-in and day-out. We rely on them when things go sideways, and they often work after hours and on weekends responding to alerts. Are we paying sufficient attention to our teams? They want to hear from us, hear about what’s going on in the company and get to know us. While our teams may feel connected to the business through business alignment, it’s likely not a factor for why they stay or decideto lookfor a new job. Let’s not lose sight of the challenges our teams face on a daily basis. Are they overworked and short-staffed? Do they have what’s needed to succeed? Connecting with our team members will lead to better engagement and likely better retention – we need to spend time with those stakeholders too.

As Leaders, We Need To Take A Close Look In The Mirror And Ask Ourselves If We Foster A Culture That Increases Retention Or Compels Team Members To Leave

Let Them Innovate

Many technical cybersecurity professionals thrive on innovating. They want to learn, expand their capabilities and deliver greater value to security programs. What if we empower team members to spend a portion of their time on programs outside of their core role so long as it delivers value to the program?Perhaps that’s a contributor to creating highly engaged team members who appreciate the opportunity to explore and innovate. That innovationleads to stronger programs by implementing new ideas and in turn helps retaintop performers. Give team members “free” time;it just might pay significant dividends.

The cybersecurity profession has a bright future. Let’s make it brighter for our team members every day and they’ll reward us for it.