Tuesday, November 1, 2016

On recruiting and retaining talented Cyber Security professionals

I recently read the Center for Strategic and International Studies (CSIS) report on Recruiting and Retaining Cybersecurity Ninjas and have to agree that in this industry, where cyber security professionals are in high demand, we need to find creative ways of not just recruiting but definitely retaining. It also confirmed my view that money is not everything when it comes to retaining talented personnel. Things such as a challenging workplace and training to keep our skillset relevant are absolutely more important.

What I did find surprising was that talented cyber security professionals don't want to have to assume management responsibilities to advance in their careers. This is understandable, as even I was not sure I wanted to go the management route when it was proposed. However, I've embraced it and have no regrets. This is something, though, that organizations will have to continue looking at. Maybe there will be a need to create more technical paths that run parallel to the management path.

Most importantly, and as the report stated, most of us prefer to have a flexible work environment. I believe this becomes even more relevant when a family has to be considered. That flexibility, be it the ability to work from home or work alternate hours, etc., is far more important than money.

The biggest takeaway, though, is that, as stated, "... even in organizations that pay and treat their employees well, there can be a great deal of disappointment and early turnover." This is further emphasized by "No matter how good a job may be, there are many other employers willing to pay more and promise greater responsibility ...". This should come as no surprise, as talented cyber security professionals are truly in great demand. I'm a witness to that on both sides of the fence: on one side being recruited, and on the other watching my team members being recruited.


  1. I'll happily submit to a management position, since they pay $300K/year with a 15% bonus and annual equity of $200K/year in the Bay Area. Meanwhile, Palantir (and other Bay Area startups) pay infosec experts way less than $120K/year with zero bonus and zero equity -- http://fusion.net/story/365009/if-palantir-really-cared-about-diversity-it-wouldnt-pay-its-employees-like-this/

    CISO (and Big Four accounting firm Managing Director) positions in the Bay Area and in NYC pay over $500K/year base. I didn't read into the CSIS report and see where it said that infosec professionals don't want to move up. The Mercer Intelligence report (even more recent than CSIS) demonstrated that many professionals are looking to move up but that orgs are not providing the opportunities fast enough -- http://www.brinknews.com/fighting-for-cyber-talent-in-a-competitive-market/

    This has also been my experience.

    1. Dre,
      Thanks for the link to the Mercer Report. It's definitely a good read and adds more context to the conversation.

  2. Well written! I think it is not just true for Cyber Sec professionals but for several other streams too. Yet I see the churn happening more in the IT field in general than in others. One obvious reason is that technology changes far faster than one can comprehend while clinging to a position. Very often we see engineers (CCIE R&S especially, as I have seen a friend suffer from this) unable to cope with the changing trends in technology, and they find their roles/positions getting less and less relevant as days pass. This will continue to be so at least in the near future, as the delta of change is only increasing.

    For Cyber guys: the challenge is to understand the variety of stuff that goes on. Not only would Cyber professionals need to understand the basics of host (application/language), network (Firewalls/IPs) or Cloud (that bad Hybrid thing) to comprehend the challenges of the field, but at the same time I guess they need to be given time to get better at some of these. The old models of doing security have failed. Security teams are a bunch of guys from different streams (ISACA wants philosophers in Cyber teams to get maximum returns), and that's the best approach without any doubt. But it makes it all the more challenging to first compose such a team of different individuals who have a common goal to "defend the client's network" and then to decide on an agreed approach to doing security. Now if one of the guys changes job, it upsets a balance which was built with tremendous effort. Not only does it harm the security approach that the team was following, but the new adjustments would also be slow and bothersome if these were to happen every now and then.
    So it is up to management to retain their talent. It is the company's loss more than any one individual's. So if anything is to blame, it should be the management, who couldn't see what was happening under the covers when they could easily have gotten the hints, just as it was the management that was credited in the first place when they had the vision to hire different people from different streams and ran the business successfully. Give or take, people who can see the line of the future and mark the changes are certain to do better than their competitors.

    In the end, I put the onus on management. The guys, whoever they are or were, trusted the management to make decisions on their behalf. Not only did they trust them for their own personal development, but for their careers, too.

    PS: it is hard to get a WIN-WIN! But still, managers should make it a game to retain talent by making it hard for people to go, perhaps by making the work fun for their employees, which could convince them they won't get the same anywhere else, maybe with a bit of extra money, which we agree is already irrelevant.