Employee Retention is Critical to Solving the Security Skills Shortage

Employee Retention is Critical to Solving the Security Skills Shortage

The skills shortage in IT security is a very real problem, even though companies have become more creative in how they attract talent. But there’s more to consider: A report from AlienVault argues that retaining the talent once acquired should also be a keen focus for HR departments.

“One can hypothesize that companies no longer offer ‘jobs for life,’” said AlienVault security advocate and former 451 security analyst, Javvad Malik, in the report. “Or indeed blame millennials for being self-entitled and lazy workers who need constant baby-sitting.”

But the reality is that the retention concern is common. Only about 65% of participants are happy and content in their current jobs. And even those that say they’re happy admit that the idea of challenging and exciting work would be a motivator to move somewhere else—thus setting up a competitive environment among companies looking to hone their IT security departments.

“Retaining staff can be a fine balancing act that needs the precision of a NASA engineer landing a rocket on a comet,” Malik said. “On one hand employers need to provide appropriate compensation and working environments. While on the other hand, remaining mindful that other companies will make high offers in attempts to acquire the right candidates.”

Better pay, better perks, flexible working, the promise of training and certification, more challenging and exciting work and a better work culture were all cited as reasons to go to another company. Based on the number of responses and ranking of each option, ‘more challenging and exciting work’ was the most popular reason (33.9%) to want to move jobs.

Not surprisingly, pay came in at second (23.14%) and flexible working (16.81) came in third. Training, certification or general learning was the leading reason as a second and third ranked choice.

But this is not a simple black and white case of which company can make the best offer. Not all employees have a mercenary attitude towards work, and a multitude of other factors come into play.

In order to get ahead in the game, the report showed that things like office location matter. Having offices situated outside of major cities will not only attract local talent, but the chances of retaining them increase significantly due to lack of competition.

Also, company culture is a big intangible. “Being unhappy with boss or company culture was an underlying theme across the survey,” Malik said. “Yet, several participants, particularly those in larger organizations, felt a distinction should be made between the company culture and team culture. Noting that one can be very satisfied with one's colleagues and boss but dissatisfied with the company culture.”

Employees often suffer from a “grass is always greener” problem, AlienVault director of solutions architecture Joe Schreiber told us.

“The key is maintaining a fun and rewarding environment,” he stated. “The fun part is deliberate; a lot of folks just leave because they are burned out. They think a new job will alleviate this; often it doesn't work that way. We had what I called a ‘high rate of recidivism’ in the SOC, which proves this. Operations is tough, it just is.”

Another retention tactic is providing career development opportunities.

One respondent summed up the problem and the allure of migrating to another employer: “IT is quite a movable field in my opinion. You always want to grow your skillset and it seems the best thing for that is to move after a certain amount of time and have more exposure to different areas. The technical people that I have seen go a bit stale with their knowledge are generally those that have stayed at one place for much of their career and have been happy to stay put. Nothing bad about keeping a job for a long time, but if you want to stay on top of your game, you need to be constantly studying and looking at different technology.”

Schreiber said that this issue takes personalized attention to solve.

“Knowledge is the key, generating and sharing it,” he said. “Training is the obvious, but it can also be an internal activity. A good infosec professional is insatiably curious, a job that attempts to satiate them will have the most success. There should be freedom around this acquisition too. Employers should be cognizant of cross-training, but also letting people find new areas of interest. Maybe your IDS guy turns into a pen tester? You may need that in the future, you just can't restrict them.”

Photo © Goodluz

Source: Information Security Magazine