To address cyber security talent matters, change must start from within
A Google search for “how to break into cyber security” returns more than 88 million results. There are numerous blogs, widespread meet-ups and detailed self-help articles to help aspiring candidates break into this budding domain. These efforts are deeply commendable and ought to be sustained.
But let’s face it, we can’t keep enticing graduates into cyber cadet programs without creating environments where such talent can be nurtured and retained. There are deeper and important matters to fix for existing and future talent stay in the industry and thrive. For instance, a survey conducted approximately a year ago by Dr. Andrea Little Limbago, highlighted three key dogged factors derailing retention efforts:
· Lack of professional advancement, a well-defined career paths, combined with unchallenging work drives people out of their roles or the industry.
· Long hours, leading to stress and burnout was the top reason respondents left positions or the industry completely. A separate study revealed that a staggering 68 percent of cyber security professionals found it difficult to balance personal and professional lives.
· Industry culture was another top reason driving people out of cyber security. Discrimination and harassment at professional conferences far exceeded that found within company work environments. Moreover, the same survey found out, males were significantly less likely to experience harassment or discrimination than non-males.
It’s become clear that solving the cyber skills issue will require much more than current efforts. If we turn a blind eye on these issues or throw the proverbial cane down the road, every other measure may be inconsequential. Real change must emanate from within. To do this, business leaders must consider three key strategies.
1. Assign cyber security staff to meaningful and challenging work - fostering learning, growth and job satisfaction. To make this happen, managers need to constantly recognise individual and team achievements, remind staff that their efforts matter and linking them to larger company objectives. This is much more than financial rewards. In fact, according to Harvard Business Review, 9/10 people are willing to earn less money to do more meaningful work. Furthermore, managers should desist from micro-management, giving their staff independence, flexibility and trust. Micromanagement sends a chilling effect on anyone, and cyber security staff are no exception. This is management 101, to which Deloitte agrees “when we enrich jobs, giving people more autonomy, decision-making power, time, and support, the company makes more money.”
2. Nothing disheartens teams than companies that pay lip service to cyber security issues. Security patches deferred indefinitely, projects without security budgets, staff not showing up to security awareness sessions, security solutions permanently disabled to “enhance system performance” are all downright debilitating to security teams. This is where leadership matters - if they don’t demonstrate a deep courage and commitment to cyber security, no one else will. The top most business officers need to set the tone at the top, role modelling examples for everyone to follow.
3. Developing high-performing cyber security teams requires companies to put their money to the proverbial mouth. The idea you can hire a hacker/ enterprise security architect /security operations manager/malware reverse engineer / forensic analyst who can also “communicate clearly to the board”, is simply a fallacy. Doing more with less is key to any successful enterprise, but the principle should not be abused. Cyber security teams need to be adequately funded, roles need to be broken into realistic chunks, otherwise this will inevitably lead to burnouts, frustrations and can provide false sense of invulnerability. Also, be upfront to candidates during interviews.
Advertising exaggerated roles is akin to selling someone an Aston Martin Vanquish, then deliver a Datsun 120Y. They will resent the role and likely leave. Align expectations with reality.
Additionally, automate mundane security stuff, creating time for staff to work on innovative projects, as well enabling them to disconnect and rejuvenate. Equally important, as Jen advocated, cyber security leaders must create an environment where taking time off is not only allowed but championed.
We need to address this now more than ever. Sustained positive change will come when we create cyber security environments where favouritism is detested; where diversity of thought is advocated, where, as Rob Goffee and Gareth Jones advocated, “the company adds value to employees, rather than merely extracting it from them; the organization stands for something meaningful; the work itself is intrinsically rewarding; and there are no stupid rules”.