
chris_dimitriadis
Contributor

5 reasons security staff leave (and what to do about it)

Opinion
01 Apr 2020 | 4 mins

Retaining skilled security staff is difficult in the best of times, but there are steps you can take that will make a difference.

[Image: Exiting the computing business. Credit: Thinkstock]

We all know that finding talented cybersecurity professionals is not easy. Making matters worse, neither is keeping them.

According to ISACA’s State of Cybersecurity 2020 research, 2 out of 3 industry professionals (66 percent) report that it is difficult to retain cybersecurity talent.

The top five reasons cybersecurity staff tend to leave, according to the ISACA research, are being recruited by other companies, limited promotion and development opportunities, poor financial incentives, high work stress levels and lack of management support. Let’s take a look at each of these five factors and what organizations can do to counteract them.

Recruited by other companies

If a competing organization is in a position to offer employees significantly more in compensation, there might not be much that can be done to prevent an employee from walking out the door. But more money is not always the chief selling point. If it is not about money, it is important to find out why the grass is greener.

When employees decide to join another organization — or confide that they are thinking about doing so — it is important for security leaders to have genuine conversations and find out which aspects of the other opportunity are appealing. Those insights can then be taken to the HR team and used in future job postings and hiring processes as criteria for better attracting and retaining professionals.

Limited promotion and development opportunities

Investing in training security team members is essential on multiple levels, including from a retention standpoint. By providing ongoing, skills-based training related to the current threats and vulnerabilities that security practitioners face, not only will team members be equipped to perform better, they will also be appreciative of their organization investing in their professional development and, in many cases, more likely to stay as a result.

Security leaders also need to recognize the competitive climate for talent and identify high-performing people that they want to keep before it is too late. Even if a suitable promotion is not immediately available, by letting that person know he or she is being groomed for an advancement opportunity in the near future, that employee will be less likely to look outside the organization to make that next career step.

Poor financial incentives

While small and medium-sized organizations might not have the resources to compete with large organizations from a salary perspective, these organizations should at least strive to be competitive among their peers when it comes to pay and other employee benefits. It is not enough for business leaders to give lip service to the importance of security — they must back that up by making the needed investments in their security programs, and that includes offering security leaders and practitioners competitive pay to keep them around.

When making the case to leadership for the needed budget for security personnel, it is important to underscore that the alternative is untenable. The ISACA research shows that the majority of organizations have unfilled cybersecurity positions on their teams, and it takes one in three organizations six months or more to fill an open cybersecurity position with a qualified candidate. In today’s security environment, operating shorthanded for such lengthy periods of time is deeply problematic. The bottom line: when organizations lose talented performers, it can be very difficult — if not near impossible — to adequately replace them in a timely manner. That point should be made clear to decision-makers when discussing the importance of competitive pay.

High work stress levels

Working in cybersecurity inherently comes with a certain level of stress. That is the reality of a rapidly expanding threat landscape and a line of work that can pose time-sensitive emergencies that extend well beyond normal office hours.

There are ways, though, that well-structured security teams can mitigate some of this stress that employees feel. This includes cross-training teams so a sole team member is not always on the hook to single-handedly mitigate certain types of threats, making team members feel supported when honest mistakes are made and, as referenced above, providing the needed training so that professionals are equipped to evolve their skills to counter emerging tactics used by cyber criminals.

Lack of management support

The CISO needs to set the tone of supporting his or her team, and that goes beyond providing the needed resources for the team to succeed. It also includes recognizing the degree of difficulty of keeping organizations secure in today’s environment and being willing to convey that reality to senior leadership when something doesn’t go right.

Management can also support their security teams by helping them pursue certifications and attend industry conferences, and by providing positive reinforcement for a job well done.

chris_dimitriadis

Experienced leader and board member, international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. Innovative thinker, with several international patents to his name, proven successful communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 chapters, serving more than 160,000 IT, cybersecurity, information security, audit, risk and compliance professionals in 180 countries. He has served ISACA as Chair of the Board for 2 consecutive terms (2015-2016 and 2016-2017) and as a director of the Board for 9 terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to this role, he served as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He has also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in the area of information technology for 20 years; he holds 3 patents and 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.
