Cybersecurity employers need to adapt their recruitment and retention practices to gain from benefits and minimize detriments
We live in interesting times for cyber talent recruitment and retention. The task is never easy, but is now affected by two conflicting pressures: the ‘Great Resignation’ leading to staff departures, and the growth of remote working potentially increasing the pool of available applicants as replacements.
The latter is both an advantage for gaining new talent, and a contributor to the Great Resignation. Both effects are arguably influenced by the Covid-19 pandemic. SecurityWeek talked to Jon Check, executive director of cyber protection solutions at Raytheon Intelligence & Space to gain practical insight into today’s staffing problems and solutions. Raytheon I&S provides services and support to customers largely in the government and the defense industries.
The Great Resignation
One unknown of the Great Resignation (GR) is whether it is a net gain or loss to cybersecurity. Are people leaving the profession, or leaving other employment to come to the profession? Check believes that in the long term it will be a net gain – but only if the industry gets the underlying basics of staff attraction and retention correct.
The GR has multiple causes; and we don’t yet know whether it is a temporary phenomenon or part of a permanent change in employment behavior. There are four current primary causes. Two suggest that it may be temporary while two suggest it may be more permanent.
The two temporary causes are directly pandemic-related. First, the sheer traumatic effect of the Covid-19 pandemic, with millions of deaths, high transmissibility and long periods of isolation has led to mass life/work revaluations. High stress professions – and cybersecurity is one of these – suffer most in such circumstances: is the job worth the stress?
The second cause is also related to the pandemic. “When the pandemic started, nobody knew what was going to happen,” explains Check. “People considering a change hunkered down. They had a job, so it was worth hanging on to it.”
Raytheon I&S had a very low attrition rate during the first 12 months of the pandemic. “Six months later,” continued Check, “we are all getting accustomed to pandemic effects, and the block on the natural churn of employees has been released.” If this idea is accurate, it could suggest that the GR will tail off and we will eventually return to a more normal level of staff churn.
The two indications that GR might become more permanent, however, come from remote working and an evolving change in employment behavior. Remote working was not caused by the pandemic but accelerated by it. The effect on staff churn is that it removes the practical friction from job-hunting. Remote workers have no fear that their current employer might become aware of their alternative job seeking. They can make confidential enquiries and applications online at any time. Changing jobs is simply easier for the remote worker.
The second argument for permanence to the GR is something observed by Check over the last few years: the importance of ‘a job for life’ is no longer so important. “People have started to work for shorter periods with multiple companies rather than staying with one employer for a long period of time,” explains Check. He believes that this is a growing trend in work behavior – and if he is right, it could counterbalance any reduction in staff churn caused by the relaxation of pandemic-related pent-up churn.
Overall, it may be that the GR is another phenomenon that has been accelerated rather than caused by the pandemic – it may simply be something that employers must learn to accommodate.
[ Read: Is the ‘Great Resignation’ Impacting Cybersecurity? ]
The remote working pool
The expansion of remote working is another phenomenon often ascribed to the pandemic when really it has merely been accelerated – albeit on a large and rapid scale – by Covid-19 effects. It brings its own advantages and disadvantages. We’ve discussed the disadvantage in its contribution to the Great Resignation. Its primary advantage is a huge expansion of the pool of available employees.
Remote working benefits most companies, and usually more so than it benefits Raytheon I&S. “It depends on our customer and the mission,” Check told SecurityWeek. “For some customers, like government, we must have bodies in the office. But in general, for functions like on-site response at a customer, we don’t need to have the staff here.”
One of the things he works on with his customers every day is to discuss specific job functions. “How do we adapt that function and successfully make sure that it can go remote?” he explained. This provides a wider choice of potential candidates to fulfil the function – but then, “How do we ensure that we make sure the person is successful, they’re accomplishing the functions and activities we need them to, and we’re able to provide feedback and guidance on how to perform to what our customers are expecting.”
This begs a question: how do you even find potential remote workers? “Social media,” he replied. “It’s the greatest recruitment platform you can possibly find. We look for who’s active in our space — who is participating with relevant blogging, and in Twitter conversations, providing insights into TTPs. The plus side of social media is that you get to see who are the thought leaders and who are the people that care and are participating; and that helps us identify candidates – which can potentially expand to include the candidates’ own circle of friends and colleagues.”
Navigating the current situation
The pandemic may eventually pass. The Great Resignation and remote working may modify, but will probably remain. Cybersecurity employers will need to adapt their recruitment and retention practices to gain from any benefits and minimize any detriments. Check is adamant that this requires doubling down on existing good practices.
Key to this is looking everywhere with an open mind for new candidates. “We do a lot working with educational establishments to help identify cybersecurity talent, but we know we have to follow up with training. We can’t expect someone to come in with the perfect résumé. If they have the right aptitude and characteristics, we’ll hire them without the perfect résumé, because we know we can train and mentor them in-house. It’s such a multi-faceted problem that there is nowhere you shouldn’t look for potential talent.”
Check is one of those leaders who won’t automatically eliminate any candidate. This includes the employment of an ex-hacker. “It would depend on the rules that apply to our individual customers. But in principle? Absolutely. Hackers’ insights could be invaluable. Why not use their technical superpowers for good rather than evil? I support the idea that people can reinvent themselves.”
Finding people is one thing – keeping them is another. Apart from the basics like adequate compensation and benefits in a good environment, Check believes that maintaining a high interest level is essential. This is achieved through training new skills and continuous mentorship.
“We’re also really focused on cybersecurity training,” he explained. “When somebody joins the team, we have a cyber academy to build skills to allow the person to grow and evolve. Key for someone to have a great work experience is to be able to continue learning new skills. Also, and most importantly, the leaders must be focused on a ‘people first’ approach. So, we’ve established a culture that we call ‘Cyberlandia’ – it’s a place with happy employees ready to tackle the hardest problems; a place where everybody’s voice is heard, and everyone is welcome.”
The key to navigating the Great Resignation is to turn the problem into an opportunity. People moving on from one industry can be attracted into cybersecurity with the right leadership approach and the right benefits on offer. Those same approaches will limit staff exodus through remote working, while providing access to the larger pool of remote staff.
Related: With the ‘Great Resignation’ Comes the ‘Great Exfiltration’
Related: NSA Issues Cybersecurity Guidance for Remote Workers, System Admins
Related: CISO Conversations: Mastercard, Ellie Mae Security Chiefs Discuss the People Problem