Respect Is Key for Retaining Top Security Talent

There are No Shortcuts or Easy Fixes for Retaining Top Security Talent, but Respect is Key

In the words of the famous song “Respect”, written by Otis Redding and popularized by Aretha Franklin:

“All I'm askin'
Is for a little respect when you get home (just a little bit)
R-E-S-P-E-C-T
Find out what it means to me
R-E-S-P-E-C-T”

According to Rolling Stone Magazine, Ms. Franklin’s rendition of the song is the 5th greatest hit of all time. It is easy to understand why. The song brings together incredible vocal talent, a catchy tune, a great rhythm, and a powerful message.

The song’s powerful message can also teach us an important security lesson.  What lesson is that?  Allow me to explain.

Retaining top security talent is a stated priority for nearly every security organization I’ve ever spoken to. In theory, it’s easy to try and retain talented professionals - many organizations offer good pay, good benefits, a reasonable amount of vacation time, a constructive work environment, great technology, and many other important factors.  Yet, in practice, retaining the very best seems to be a daunting task for most organizations.

So what is it that gnaws at so many talented security professionals and eventually causes them to jump ship?  I’d argue that, more than any of the important points I listed above, all most security professionals are asking for is a little respect.  It is in this spirit that I present five points that make talented security professionals seek respect elsewhere:

1. Boss: Study after study shows that an employee’s manager has the most direct influence on his or her happiness in the workplace.  Security professionals are no different.  A good boss can provide guidance, encouragement, constructive feedback, stability, strategic direction, and other important leadership.  A good boss can bring a sense of calm and order, even when the corporate climate is chaotic and stormy.  On the other hand, a bad boss can leave security professionals feeling exposed to the corporate climate and unprotected from the waves that crash into the work environment on a daily basis.  Further, the security team can feel directionless, as if it is swaying with the changing winds, rather than on a firm and strategic path to success.  In this type of environment, fringe benefits take a back seat to a desire for an overall sense of purpose, direction, and accomplishment.

2. Priorities: It’s not enough for an organization to state its security priorities and what it deems important. The organization needs to live it day to day and act in accordance with its stated priorities.  For example, an organization may list incident response as a strategic priority.  But, if the organization doesn’t take steps to build and mature their incident response program, then it’s just lip service.  Words alone aren’t enough for talented security professionals. Those words need to be met with action.

3. Business:  In some organizations, security and the business don’t get along so well.  The business has an obligation to ensure that it accomplishes its goals and operates in accordance with its mission.  The security team has the responsibility to ensure that the business operates securely.  Or, more precisely, to ensure that the risk to the business as it operates is continually assessed, minimized, and mitigated.  Unfortunately, in many instances, security is seen by the business as an adversary - as the team of no.  This simply cannot be.  Security has to be a respected part of the business.  Security needs to be included at all stages of the business, not only as an afterthought.  If this is not the case, it grinds away at the talented security professional.

4. Team:  Granted, everyone working on a team has different strengths and weaknesses, along with different levels of ability.  But talent likes company, and great talent likes great company.  A security professional who finds himself or herself pulling five times the weight of everyone else on the team with no real recognition isn’t going to be a happy one.  Organizations that want to retain top talent need to ensure that all team members are pulling their expected weight.  Further, if the organization wants to recognize the contributions of a given team member, it has to be real.  It has to come in the form of additional responsibility, leadership of a team or a project, additional salary, or some other form.  Not an award or certificate.  Great security professionals have a finely-tuned radar for knowing when they are pulling too much weight or when their contributions aren’t being recognized in a meaningful way.

5. Inconsistency:  We all understand that there are a limited number of security resources, and that those resources need to be distributed across a variety of competing priorities.  At the same time, there needs to be consistency between the manner in which budget is distributed and the stated priorities of the security organization.  Inconsistency here is a red flag for talented professionals.  There is no money for training, additional people, or a needed technology, but there is money to bring in an expensive consulting firm to tell the organization what many members of its security team are telling it already?  That inconsistency is not a great recipe for retaining security talent.

There are certainly no shortcuts and no easy fixes for retaining top security talent. While the list of recommendations on this topic is lengthy, showing security talent that it is respected is high on that list. More than anything else, talent wants to be noticed and appreciated. SOC it to me.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.