A Case for Recruiting and Retaining “Franchise Players” in Security Software Development

Critical elements required to attract and retain A-players for cybersecurity software teams

Meeting Larry Bird at Boston Logan International Airport might not seem like much on the surface, but for a kid from Maine who grew up watching the battles between him and Magic, it was something I’ve never forgotten. Larry, Magic, Michael, Cal, and more recently, Tom, are professional athletes who don’t even need their last names listed to recognize them and their contributions to not only the sport they played, but to the communities, teams and teammates they had.

These athletes are franchise A-players, who performed at an extremely high level on teams that were the best of their time. Though it may seem a stretch to compare a modern software team to the Celtics of the 80s, there are worthy comparisons on the importance of A-grade franchise players who elevate the entirety of the team. I experienced this dynamic early in my career, where I was part of a team that, in retrospect, was way more elite than I had recognized at the time. In looking at this team in the rear-view mirror, there were some attributes that contributed to the performance that I think other organizations could learn from when hiring software developers building security-focused solutions.

As we emerge from a pandemic, increasing employee turnover across almost every vertical is an important point of discussion for cybersecurity. People are seeking change, and as employers, we need to meet those needs with clear eyes if we are going to retain top talent. Now more than ever, there is downward pressure on software development cost. This is true for all software, not just cybersecurity. But with cybersecurity, the importance of getting software right is extremely high. Every day we hear of breaches that cost a company millions of dollars, or cost people their privacy. Ransomware and other attacks have caused tremendous damage and loss, and it is the cybersecurity professional whose job it is to weather these attacks.

If there is an industry that needs A-grade developers, it’s cybersecurity, especially in critical decision and design roles. The job market today is drastically different from the market in the late 2000s; however, there are similarities around motivation that are still true today, especially for developers of cybersecurity software, which has such an important role in protecting us. With that as a backdrop, I would like to discuss four critical elements required to attract and retain A-players for cybersecurity software teams:

1. A tremendous sense of mission

The mission for the team I was a part of was baked into the customer we were working for; success had clear impacts on the security of the nation, which drove the team forward. There were people relying on the completion of the capabilities we built, and quality was paramount. In addition, the technology was hard, so there was a sense that this was not able to be done by just anyone. Cybersecurity has many of these same merits. With such importance around protecting IT systems and data, evangelizing how the next product or feature contributes to this mission is an obvious way to not only describe the feature, but also create a sense of purpose across the development team. Establishing this purpose and sharing the value that end users get from the software are critical to allowing the engineers to connect with the result. The clearer that connection, the stronger the sense of mission and the greater the commitment the engineer will have to this mission.

2. An expectation of high performance that when missed, is addressed immediately

With the Celtics of the 80s, as with all high-performing teams, there is an expectation of high performance. The A-players are raising all boats, and those boats had better be able to rise to the occasion or they will be let go. Competitive A-players expect a lot of others around them. They don’t always expect perfection, but if you’re going to make a mistake, it better be because you are pushing the envelope, not because you weren’t blocking and tackling. Allowing mediocrity to exist will kill the motivation of your highest performers. On my high-performing team, issues were handled head-on. Some found that direct approach off-putting at times, but for the majority of times, issues were handled in the context of improvement, not to tear someone down. If not handled, your A-players will leave, so set expectations of working hard, allow risk taking and allow failure, but address any nonchalance promptly.

3. Exceptional hiring driven by internal referrals

A-managers look for A-players, so when you’ve identified your A-players, incentivize them to bring on others. Top talent usually won’t refer someone if they feel they would bring down the overall strength of the team. Create referral bonuses for these folks that make a dent in their pockets. It is small money to offer a multi-thousand dollar referral bonus when you get 4x the productivity from the hire. It’s worth every nickel. 

4. Confidence inspiring leadership

Confidence inspiring leadership helps hold it all together. This includes everything from the sharing of purpose, sharing of successes and failures, the willingness to address difficult circumstances head on and the expectation of exceptional performance, to the support of those who need help, both inside the workplace and in personal life. All the attributes you read about in the millions of management books really boil down to being able to have real conversations. Check in with your A-players, share the value of their work with them, and encourage your A-player managers to address the team with a combination of support and humanity, expectation, and context, joined with a desire to see situations as much as possible through the eyes of the employee. In other words, to be able to empathize, while expecting greatness.

People change jobs much more frequently today than 20 years ago, and there are clear benefits to doing so for the employee. Job changing allows employees to sample companies, gain more of a network, create broader experience, and increase salary more quickly. So, pay matters! One way to compete in the market is to establish a bonus structure that incentivizes the right performance and clearly aligns to the results you’re seeking. Another option is to make the employee a strong part of the organization through equity. Top A-players aren’t franchise players without skin in the game. Money won’t motivate over time, but without it, you can’t get the best in the door.

This type of dedication to a cause or a company is not done by accident, and I don’t believe it is lost from the human element of work today. I see resumes every day that have employees who have been in the workforce for 15 years and have never stayed at one company more than 3. But when you ask these folks why this is, they usually reply, “well, I just haven’t found that sweet-spot”. I believe great franchise players can be attracted and retained, but not without addressing how people today find and maintain their career sweet-spot and are motivated by what they are doing, and that is not built by accident.
