Four essential mantras to keep your security all-stars from flaming out

We’ve all read the countless headlines about the Great Resignation over the past year. Most of these stories relate to the difficulty retaining frontline workers that industries like transportation and retail are having, but the cybersecurity industry has been facing its own staffing crisis that shows few signs of waning any time soon.

The dearth of skilled cybersecurity workers is evident at both ends of the supply and demand spectrum. The White House estimates that roughly half a million cybersecurity jobs remain open while the IT trade association CompTIA notes that cybersecurity jobs account for 20% of all open IT positions.

While these numbers are alarming, the greater concern for business leaders is their ability to retain the staff they already have as the demand for these individuals is only going to grow more intense in the coming years.

As the pandemic (hopefully) winds down, businesses must grapple with the reality that many of their employees aren’t interested in coming back to the office. Moreover, many of these individuals have proven they are more than capable of conducting their work remotely and shouldn’t be constrained by geography.

This increased mobility means that in-demand security staff will have far more high-paying employment opportunities to choose from. It also means that the C-suite will have to work that much harder to not only attract new talent but to keep their existing workers from burning out and seeking greener pastures.

TALENT RETENTION IN THE AGE OF THE ATOMIZED NETWORK

Not only has the nature of work changed dramatically—there’s also a doctrinal transformation underway in our network infrastructure that’s having a direct impact on the cybersecurity labor market.

The “Atomized Network” refers to the emerging hybrid computing paradigm in which more and more network resources that were once within our direct line of sight are now distributed across an array of public and private cloud infrastructure services.

While this type of shift may not seem like it would have a material effect on staffing issues, it absolutely does. That’s because securing the Atomized Network is more complex and time-consuming than securing the conventional network where one could more clearly distinguish where their network ended and another began.

Attackers now have a far broader surface to wage their assault as well as multiple surfaces with expansive gaps between them to poke and prod at. Consequently, those tasked with defending the network must spend an even greater portion of their day wading through a thicket of tickets, just trying to keep their heads above water.

FOUR MANTRAS TO RETAIN AND MOTIVATE YOUR FRONTLINE DEFENDERS

As the founder of several startups and as an investor in many others, I understand all too well the perpetual challenge of finding and retaining highly skilled security practitioners. These four mantras can help those who recognize that retaining talent is just as, if not more important than, attracting talent:

1. LOOK WITHIN BEFORE LOOKING OUT: Many of the security workers I know view their work as a vocation, and few things sap the spirit of an employee more than when an organization first looks outside rather than within to fill an open role. Be mindful of the fully-loaded costs of employee turnover and keep up with industry pay scales to ensure their compensation is in line. Persistent turnover will cost you more in the long run than a short-term bump up in pay.

2. VIGILANCE CAN ONLY BE SUSTAINED BY A QUIET MIND: Alert fatigue is real. A recent report by ESG Research estimates that false positives make up nearly half of all cybersecurity alerts, but 75% of companies spend as much time on these alerts as they do on legitimate attacks.

Spending the bulk of your day putting out fires where there are no flames can create an atmosphere of frustration that can lead to burnout. Automate ruthlessly and consolidate tools where possible so your analysts have the brain space to focus on what’s actually important.

3. TODAY’S STUDENTS ARE TOMORROW’S LEADERS: The Security Operations Center (SOC) leaders of tomorrow are often the junior analysts who are buried under tickets and log files today. It’s the IT leader’s responsibility to make sure they aren’t spending the entirety of their day sitting on a ticket queue and filling out templates.

Invest in a test environment for all your tools and services, train them on threat hunting, and involve them in your threat intelligence processes. Make budgets available for these junior team members so they can take SANS classes or get certified in new skills. As conferences start opening back up, send your staff to the ones they’re most interested in and show them that you care about their professional development.

4. MEASURE WHAT MATTERS: One of the main reasons why team members burn out is that they spend far too much time on redundant or overlapping tasks. Invest the time upfront and work with your team to break down how their time is allocated in a typical week. Then, hone in on those areas where the pain is most acute. You may find that one of your top engineers is spending 80% of their time each week on operational tasks that could be automated, shifted to a more operationally focused team, or distributed more evenly across the team.

Burnout and stress are not unique to the domain of cybersecurity. It’s an unfortunate and unhealthy consequence of an outcome-oriented culture. That said, it’s hard to truly calculate the cost of an indispensable infosec employee walking out the door because they feel overworked or underappreciated. So, before you think about how to hire the next 10 shining stars, take a breath and think about how you can keep your existing team members fully engaged and motivated.

Martin Roesch, CEO, Netography