(ISC)² recently published the report Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers.
Let us know your thoughts about what we learned from the security professionals we surveyed. It is currently the featured research report at www.isc2.org/research.
Some key findings from the study include:
Much more in the report.
Direct link to the PDF: https://www.isc2.org/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent
I think that is only half of the equation. Why do people stay? In order to get a more complete and accurate picture you also need to ask why people leave. I will give you my reasons below and you see if you see any trends.
Most of my first entry level jobs were because I moved.
1st "real" job - Promotions
2nd job - Change of career to my passion
3rd job - promotion
4th job - Better location but inspired to start job search due to bad management
5th job - Promotion but inspired to start job search due to bad HR practices limiting promotion
6th job - Family medical condition requiring relocation
7th job - Promotion
8th job - Promotion and family relocation need - Hated to leave because I actually loved my co-workers but my promotion potential was severely limited
9th job - Promotion. Job search spurred by bad management
So for me it was either a promotion because I was good at what I do or it was bad management practices that caused me to start looking.
Also sometimes you can do everything right and still lose good people. Why? I call it the management dilemma. Do I hire great people with great skills who I know will have more opportunities to move on to other jobs in the future because of their great skills, or do I hire the person who has average or below average skills but who I know won't go anywhere for 20 years? The second person you have to hold their hand, show them how to do things the right way and probably have to deal with some HR/adverse actions through their career, but at least you won't have to put out another job announcement! I always pick the first one. Use the super star to make improvements before they leave and wish them well on their way.
It seems like we want the rainbow unicorn. A great team player who has awesome skills and will work for peanuts and stay 40 years. I think it will be very hard to do that, especially in certain employment vectors that are constrained by legal rules and requirements (i.e. federal and state government jobs) whose antiquated rules and regulations do not allow for extra rewards for the super stars. I know in my federal career it was very frustrating to have a contractor working beside me, whose work I had to approve and sign off on, making $50K more a year than me.
What do I think works? Promotions, training, work-life balance, recognition, those all work for me. Having good management that supports their employees is just a basic level requirement and what I expect out of an organization.
'A great team player who has awesome skills and will work for peanuts and stay 40 years.' This person is quite likely to be:
a) A Japanese national;
b) Or a spy.
I doubt very much if the two are mutually exclusive, but you need either the Esprit de Corps or ulterior motive to take the peanuts. Both Japanese Salary People and Spies tend to be in it for the long haul.
Very sage - I've had seven roles notwithstanding service.
So this is very subjective... The thing that has tended to make me stay in roles has been the people on the team (team balance is probably the biggest factor before getting career focused), my immediate boss (so very important) and was it cool/did it make a difference? Things that made me leave are my (fair or unfair) perception of incompetence of those I worked with, feeling we were not doing right by the customer and wanting to travel. I've also been the contractor on the outside, getting paid more than some others but also not feeling I fitted in because of it.
You lose people by increments and once they have committed to leaving that's it really. I've seen teams damaged by counteroffers trying to retain people.
Switching back to the OP if 59% of respondents wanted a strong moral code were 41% OK with situational ethics? OK cheap shot, but that's what jumped out at me.
Sorry for the delay.
Findings are based on a blind survey of 250 cybersecurity professionals within the United States and Canada conducted by Market Cube, LLC, on behalf of (ISC)² in December 2017. Our intent was to get a broad view from a blind sample and not rely on our membership database for survey participants.
Hope that helps clarify, and thanks for the feedback. We found a lot of the data very interesting.
Capgemini also did a similar study across 1200 senior executives:
You can compare their results with the ISC2 findings.
Results from our research with 1,200+ senior executives and employees show that:
Particularly moving is how proficient (effective) security people perceive themselves at 43 percent while the highest rating was merely 51 percent. Doesn't say much for us as workers does it? Still the overall spread wasn't ridiculously out of balance when you look a bit deeper into the graphic.
Still a very telling article for what it both says and doesn't say.
As a 'worker' (Senior Analyst) the report findings resonate well for me - in all three of the noted areas in your post, and also with the deeper dive findings within the report.
The only other thing I'd note is with regard to salary. I once had a girlfriend who said that when sex is good it's 20% of a relationship, when it's bad it's 80%. I feel like that may apply here too. The noted areas are the most important, but I would say most of us take being compensated well as a given - as in, not likely to even look into roles that don't match what we'd like to be paid.
> Particularly moving is how proficient (effective)
> security people perceive themselves at 43
> percent while the highest rating was merely
> 51 percent. Doesn't say much for us as
> workers does it?
I don't know about that. Personally, I rate myself low even though my peers consider me better than that.
I think for smart security professionals, our job, our experience, changes daily. It's hard to keep up and stay relevant.
I have a lab environment in my basement, I probably spend 5-10 hours a week there (in addition to office work) and I STILL feel like for every 1 item I learn there's 10 more things I need to improve on, or there's a new method/technique to learn, or there's more code to write, or an exploit changes. Sigh.