Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Respect Is Key for Retaining Top Security Talent

There are No Shortcuts or Easy Fixes for Retaining Top Security Talent, but Respect is Key

In the words of the famous song “Respect”, written by Otis Redding and popularized by Aretha Franklin:

There are No Shortcuts or Easy Fixes for Retaining Top Security Talent, but Respect is Key

In the words of the famous song “Respect”, written by Otis Redding and popularized by Aretha Franklin:

“All I’m askin’

Is for a little respect when you get home (just a little bit)

R-E-S-P-E-C-T

Find out what it means to me

R-E-S-P-E-C-T”

Advertisement. Scroll to continue reading.

According to Rolling Stone Magazine, Ms. Franklin’s rendition of the song is the 5th greatest hit of all time.  It is easy to understand why.   The song brings together incredible vocal talent, a catchy tune, a great rhythm, and a powerful message.

The song’s powerful message can also teach us an important security lesson.  What lesson is that?  Allow me to explain.

Retaining top security talent is a stated priority for nearly every security organization I’ve ever spoken to. In theory, it’s easy to try and retain talented professionals – many organizations offer good pay, good benefits, a reasonable amount of vacation time, a constructive work environment, great technology, and many other important factors.  Yet, in practice, retaining the very best seems to be a daunting task for most organizations.

So what is it that gnaws at so many talented security professionals and eventually causes them to jump ship?  I’d argue that, more than any of the important points I listed above, all most security professionals are asking for is a little respect.  It is in this spirit that I present five points that make talented security professionals seek respect elsewhere:

1. Boss: Study after study shows that an employee’s manager has the most direct influence on his or her happiness in the workplace.  Security professionals are no different.  A good boss can provide guidance, encouragement, constructive feedback, stability, strategic direction, and other important leadership.  A good boss can bring a sense of calm and order, even when the corporate climate is chaotic and stormy.  On the other hand, a bad boss can leave security professionals feeling exposed to the corporate climate and unprotected from the waves that crash into the work environment on a daily basis.  Further, the security team can feel directionless, as if it is swaying with the changing winds, rather than on a firm and strategic path to success.  In this type of environment, fringe benefits take a back seat to a desire for an overall sense of purpose, direction, and accomplishment.

2. Priorities: It’s not enough for an organization to state its security priorities and what it deems important. The organization needs to live it day to day and act in accordance with its stated priorities.  For example, an organization may list incident response as a strategic priority.  But, if the organization doesn’t take steps to build and mature their incident response program, then it’s just lip service.  Words alone aren’t enough for talented security professionals. Those words need to be met with action.

3. Business:  In some organizations, security and the business don’t get along so well.  The business has an obligation to ensure that it accomplishes its goals and operates in accordance with its mission.  The security team has the responsibility to ensure that the business operates securely.  Or, more precisely, to ensure that the risk to the business as it operates is continually assessed, minimized, and mitigated.  Unfortunately, in many instances, security is seen by the business as an adversary – as the team of no.  This simply cannot be.  Security has to be a respected part of the business.  Security needs to be included at all stages of the business, not only as an afterthought.  If this is not the case, it grinds away at the talented security professional.

4. Team:  Granted, everyone working on a team has different strengths and weaknesses, along with different levels of ability.  But talent likes company, and great talent likes great company.  A security professional who finds himself or herself pulling five times the weight of everyone else on the team with no real recognition isn’t going to be a happy one.  Organizations that want to retain top talent need to ensure that all team members are pulling their expected weight.  Further, if the organization wants to recognize the contributions of a given team member, it has to be real.  It has to come in the form of additional responsibility, leadership of a team or a project, additional salary, or some other form.  Not an award or certificate.  Great security professionals have a finely-tuned radar for knowing when they are pulling too much weight or when their contributions aren’t being recognized in a meaningful way.

5. Inconsistency:  We all understand that there are a limited number of security resources, and that those resources need to be distributed across a variety of competing priorities.  At the same time, there needs to be consistency between the manner in which budget is distributed and the stated priorities of the security organization.  Inconsistency here is a red flag for talented professionals.  There is no money for training, additional people, or a needed technology, but there is money to bring in an expensive consulting firm to tell the organization what many members of its security team are telling it already?  That inconsistency is not a great recipe for retaining security talent.

There are certainly no shortcuts and no easy fixes for retaining top security talent. While the list of recommendations on this topic is lengthy, showing security talent that it is respected is high on that list. More than anything else, talent wants to be noticed and appreciated. SOC it to me.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem