One topic of conversation that surfaces quite regularly is the skills gap and critical staffing shortage present in the security field. From the data points I’ve been able to gather, this need is felt most acutely in the security operations and incident response space.
Organizations simply cannot find and hold onto enough qualified security analysts. In the past, I’ve written in other publications regarding the topic of identifying, recruiting, and training potential security talent. I won’t rehash these points here, though I’d like to take a look at another piece of the human resource puzzle. Once we successfully manage to bring new talent into our organization, our focus necessarily turns to retention.
I would posit that retaining the talent we work so hard to acquire and train is equally as important as finding that talent in the first place. Unfortunately, retention is an area that many organizations struggle with. It is certainly every organization’s intention to retain valuable and scarce talent, but in practice, this turns out to be extremely difficult for most organizations. Why is that? There are many potential angles from which it is possible to approach this question. Let’s take a look at the question from the perspective of several points that, in my experience, have caused talented analysts to flee organizations. This approach may be a bit of an unconventional manner in which to communicate the challenges, but I am hopeful that it will succeed in that endeavor.
It was through a “Fast Company” article entitled “10 Ways to Lose Your Best Employees” originally published in October 2013 that I found my inspiration for this piece. The article provides an interesting perspective on how companies sometimes drive away their best talent. I thought it might be interesting to take a look at this concept from a security operations and incident response perspective. During the course of my career, I have seen organizations make mistakes that have cost them their best analysts. My hope is that this piece will help organizations identify ways in which they can improve in order to retain their best talent. Here are my thoughts on “Five Ways to Chase Away Your Best Analysts”:
1. Put a jerk or an idiot in charge: This concept is fairly universal, and was listed in the original Fast Company article as well. Studies have shown time and time again that the manager has the most direct effect on an employee’s happiness. Security operations is a serious business with serious consequences, and it is one that deserves a serious leader. Think twice before you crown a leader who can’t spell incident response, or who has no incident response or security operations experience. An analyst who needs to take time away from important work to give remedial security lessons to his or her “leader” is not going to be a happy analyst.
2. Deliver technology that doesn’t work: In the heat of an incident response, key stakeholders need answers, and they need them fast. An experienced analyst knows how to interrogate the data to answer the tough questions of the day. Want to infuriate your best analysts? Provide them with technology that fights them and swims against the workflow, rather than technology that supports the mission. That is another great way to bring about that resignation letter.
3. Micro-manage incident response: During an incident response, management has the best intentions and wants to do what’s best for the organization. But management may be several years removed from the operational realities and best practices of the day. The role of management during incident response is to ask tough questions that need to be answered, and then to step back and let the analysts/incident responders go about doing the work required to answer those questions. More often than not, in my experience, management micro-manages incident response. This causes valuable analyst cycles to be wasted in pursuits that are less value-added or potentially off task. Remember, there are a lot of ideas or thoughts that may seem good in theory, but experience and practice have shown that they are a dead-end. The best analysts know this, and management can empower them by focusing them on high-level objectives and then letting them get to work.
4. Value body heat over grey matter: It’s an unfortunate reality that office environments are sometimes political and require self-promotion. The best analysts are generally apolitical and spend most of their time hard at work, rather than tooting their own horn. Management can help them by presenting, representing, and communicating their efforts and accomplishments to leadership. Want to step in and take credit for the hard work your best analysts are doing to make yourself look good? Kiss those analysts goodbye.
5. Don’t match your actions to your words: Analysts are, not surprisingly, analytical by nature. Actions speak louder than words, and analysts can see through words that are not matched by action. If your security operations program is a priority, then make it so through action. Simply speaking to it as a priority without matching that talk with action will cause your best analysts to look elsewhere for a better fit.
Security operations and incident response are already a high priority or are quickly becoming a high priority for almost every organization. There is simply not enough experienced analytical talent to meet the demands of the field. Given this constraint, it is perhaps helpful to understand the mistakes of others and to look at making your organization more attractive to hard-to-find and harder-to-retain analytical talent. Through highlighting common mistakes organizations often make, I hope to educate organizations as to how they can avoid making those same mistakes. In the end, I believe that this will help organizations with the retention problem they often struggle with.