Hiring and Retaining Top Talent

Jarred_LeFebvre · ‎03-05-2018

(ISC)² recently published the report Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers.

Let us know your thoughts about what we learned from the security professionals we surveyed. It is currently the featured research report at www.isc2.org/research.

Some key findings from the study include:

When asked what’s most important for cybersecurity professionals’ personal fulfillment, salary (49%) is not the top priority
- 68% want to work where their “opinions are taken seriously”
- 62% want to work where they can “protect people and their data”
- 59% want to work for an employer “that adheres to a strong code of ethics”
When asked what’s most important for cybersecurity workers’ professional goals, respondents identify the following:
- 62% want to work for a company with “clearly defined ownership of cybersecurity responsibilities”
- 59% want an employer that “views cybersecurity more broadly than just technology”
- 59% want to work for an organization that “trains employees on cybersecurity”
When asked what best describes the value they bring to an employer:
- 81% say “developing cybersecurity strategy”
- 77% say “managing cybersecurity technologies”
- 69% say “educating users about cybersecurity best practices”
- 67% say “analyzing business processes for risk assessment

Much more in the report.

Direct link to the PDF: https://www.isc2.org/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent

CISOScott · ‎03-05-2018

I think that is only half of the equation. Why do people stay? In order to get a more complete and accurate picture you also need to ask why people leave. I will give you my reasons below and you see if you see any trends.

Most of my first entry level jobs were because I moved.

1st "real" job - Promotions

2nd job - Change of career to my passion

3rd job - promotion

4th job - Better location but inspired to start job search due to by bad management

5th job - Promotion but inspired to start job search due to bad HR practices limiting promotion

6th job - Family medical condition requiring relocation

7th job - Promotion

8th job - Promotion and family relocation need - Hated to leave because I actually loved my co-workers but my promotion potential was severely limited

9th job promotion. Job search spurred by bad management

So for me it was either a promotion because I was good at what I do or it was bad management practices that caused me to start looking.

Also sometimes you can do everything right and still lose good people. Why? I call it the management dilemma. Do I hire great people with great skills who I know will have more opportunities to move on to other jobs in the future because of their great skills, or do I hire the person who has average or below average skills but who I know won't go anywhere for 20 years? The second person you have to hold their hand, show them how to do things the right way and probably have to deal with some HR/adverse actions through their career, but at least you won't have to put out another job announcement! I always pick the first one. Use the super star to make improvements before the leave and wish them well on their way.

It seems like we want the rainbow unicorn. A great team player who has awesome skills and will work for peanuts and stay 40 years. I think it will be very hard to do that, especially in certain employment vectors that are constrained by legal rules and requirements (i.e. federal and state government jobs) whose antiquated rules and regulations do not allow for extra rewards for the super stars. I know in my federal career it was very frustrating to have a contractor working beside me, whose work I had to approve and sign off on, making $50K more a year than me.

What do I think works? Promotions, training, work-life balance, recognition, those all work for me. Having good management that supports their employees is just a basic level requirement and what I expect out of an organization.

Early_Adopter · ‎03-05-2018

'A great team player who has awesome skills and will work for peanuts and stay 40 years.' This person is quite likely to be:

a) A Japanese national;

b) Or a spy.

I doubt very much if the two are mutually exclusive, but you need either the Esprit de Corps or ulterior motive to take the peanuts. Both Japanese Salary People and Spies tend to be in it for the long haul.

Very sage - I've had seven roles non-withstanding service.

So this is very subjective...The thing that has tended to make me stay in roles has been the people on the team(team balance is probably the biggest factor before getting career focused), my immediate boss(so very important) and was it cool/did it make a difference? Things that made me leave are my (fair or unfair) perception of incompetence of those I worked with, feeling we were not doing right by the customer and wanting to travel. I've also been the contractor on the outside, getting paid more than some others but also not feeling I fitted in because of it.

You lose people by increments and once they have committed to leaving that's it really. I've seen teams damaged by counteroffers trying to retain people.

Switching back to the OP if 59% of respondents wanted a strong moral code were 41% OK with situational ethics? OK cheap shot, but that's what jumped out at me.

Jarred_LeFebvre · ‎03-06-2018

Thanks for comments and the question!

For a little more context into those responses. The question asked was "As it relates to your own personal fulfillment, how important are the following qualities when looking for an employer?"

There were 10 options, including:

- strong mission that benefits society
- pays the best salary
- is in a particular field or industry
- near my home and family
- where I am no expected to work more than 40 hours a week
- that has flexible working arrangements
- where I can protect people and their data
- where my opinions are taken seriously
- that adheres to a code of ethics
- produces a cool product or service

The qualities cited in the report scored the highest rate of being called "very important" qualities by respondents.

mgoblue93 · ‎04-04-2018

Just curious, how was this study conducted? I'm hearing a lot of people like the report; I'm not hearing of anyone who actually participated.

Thanks!

Jarred_LeFebvre · ‎04-05-2018

@mgoblue93

Sorry for the delay.

Findings are based on a blind survey of 250 cybersecurity professionals within the United States and Canada conducted by Market Cube, LLC, on behalf of (ISC)² in December 2017. Our intent was to get a broad view from a blind sample and not rely on our membership database for survey participants.

Hope that helps clarify, and thanks for the feedback. We found a lot of the data very interesting.

Caute_cautim · ‎04-05-2018

Capgemini also did a similar study across 1200 senior executives:

https://www.capgemini.com/2018/04/is-your-greatest-cyber-vulnerability-a-lack-of-cybersecurity-talen...

You can compare their results with the ISC2 findings.

Results from our research with 1,200+ senior executives and employees show that:

Cybersecurity tops the list of technical skills in high demand
Cybersecurity has the most pronounced gap between demand and supply: 68% of organizations say they need this skillset, while only 43% of employees say they are proficient in it (see Figure 1).
Today, 68% of organizations say that their demand for cybersecurity talent is high, and this is expected to rise to 72% in the next two to three years. Moreover, the war for that talent is an intense one. Traditional organizations have to compete for talent with tech firms such as Google and Facebook, who present an attractive proposition for cybersecurity professionals.

Beads · ‎04-06-2018

Particularly moving is how proficient (effective) security people perceive themselves at 43 percent while the highest rating was merely 51 percent. Doesn't say much for us a workers does it? Still the overall spread wasn't ridiculously out of balance when you look a bit deeper into the graphic.

Still a very telling article for what it both says and doesn't say.

jordanpw · ‎04-07-2018

As a 'worker' (Senior Analyst) the report finings resonate well for me - in all three of the noted areas in your post, and also with the deeper dive findings within the report.

The only other thing I'd note is with regard to salary. I once had a girlfriend who said that when sex is good it's 20% of a relationship, when it's bad it's 80%. I fee like that may apply here too. The noted areas are the most important, but I would say most of us take being compensated well as a given - as in, not likely to even look into roles that don't match what we'd like to be paid.

mgoblue93 · ‎04-10-2018

> Particularly moving is how proficient (effective)

> security people perceive themselves at 43

> percent while the highest rating was merely

> 51 percent. Doesn't say much for us a

> workers does it?

I don't know about that. Personally, I rate myself low even though my peers consider me better than that.

I think for smart security professionals, our job, our experience, changes daily. It's hard to keep up and stay relevant.

I have a lab environment in my basement, I probably spend 5-10 hours a week there (in addition to office work) and I STILL feel like for every 1 item I learn there's 10 more things I need to improve on, or there's a new method/technique to learn, or there's more code to write, or an exploit changes. Sigh.