Software security positions have never been so central to an enterprise’s success, yet so difficult to hire for. The recent Dice report uncovered that security positions are the most difficult to fill after software developers. Therefore, it’s essential that security professionals such as yourself retain your security superstars.
Yet with competition amongst companies to attract such talent at an all-time high, and the average employee tenure within the industry being only three years, what are the key ways you can prevent your top performers from jumping ship?
Your security professionals are always looking for more exciting and challenging work. A SANS survey of security professionals shows how important this is, with 70% of respondents saying that job satisfaction was the main reason why they stick around.
Make sure everyone gets the chance to work on challenging new projects which push their capabilities. Yet as we all know, not every security task can set the world on fire, but I’ve got a tip to make sure your security guys can find the silver lining even in these clouds. Connect them with the numbers. Show your talent the impact they are having on the organization as a whole, such as how many viruses they stopped, how many got through, compliance numbers and the tax on the network.
Also be sure to implement a regular project rotation schedule ensuring your team are consistently getting fresh projects on top of their more regular duties. By doing this, I bet you’ll find your team will be more motivated and content in their roles, and therefore happier to remain with you.
So, now that your team sees the value of the work they are doing, what about the future?
Few can doubt security is stressful, yet you can relieve some of this pressure by helping your guys work with developers to balance the needs of a secure yet agile software development lifecycle. A great way to start is to meet with your opposite number in development, and go through what their current project objectives are. Armed with this knowledge, report back to your team and highlight any security issues those objectives may entail, and how development may overcome them.
Now that your team knows how to speak the same language as developers, the next stage is to reduce their workload. This will allow them to focus on the creative side of security solutions, which ensures they stay challenged and engaged.
If you can automate a manual process, automate it. Some great examples are using Chef to automate your DevOps workflow and integrating WhiteSource into your build to automate your open source component usage and manage your security and licences. By automating processes where you can, you will give your team time to improve as professionals, and space to express their creativity.
With your team being able to focus on the more stimulating aspects of software security, your top performers will no doubt have great ideas to help you achieve your security objectives. However, professionals can often feel stifled when managers decide to pull rank and discount their suggestions and ideas.
As a security executive, it’s up to you to give your team the tools and support to develop in their current role. Ensure your team is exposed to new technology and training (e.g. Udemy and SANS Software), and that they get hands-on experience of working on the bleeding edge. This doesn’t necessarily mean working on company-defined projects. Just look at Google’s 80/20 policy which gave birth to such software heavyweights as Gmail and AdSense. By giving your team the skills to develop and grow within your organization, they will not only know what success looks like, but what they have to do to achieve it.
As your talents’ knowledge and skills increase, you will naturally find them taking on a greater role in your organization. Yet as my favorite web-slinger says, “With great power comes great responsibility”.
Making sure everyone has the opportunity to express their ideas and suggestions is important for both your team’s and your enterprise’s success. Try establishing weekly meetings with your guys to go over what projects are in the pipeline, any challenges they entail and what you can do as a team to overcome them. However, on top of your team having space to communicate, they need to know how to do it effectively. A good starting point is for you and your team to participate in an in-house communication training course. This will ensure your team is able to express their ideas with greater clarity when they come to meet.
By ensuring your team has a voice, they will surely be encouraged to stay for longer. However, just because your team has more space to communicate doesn’t mean your role as leader is any less important.
Top performers look to work with leaders that understand their role, therefore it’s essential that you are engaged in their work. As Dr Stein (MIT Sloan Management Review) suggests, on top of the vital oversight that you provide, you need to get down to the nitty-gritty of your guys’ daily tasks, such as unruly data sets and what can seem like the never-ending identification and actioning of false positives. By standing shoulder to shoulder with your professionals, you will be able to build a team of high-performers who will stick with you through thick and thin.
Up to now we have been looking at how to retain your top talent. Yet what about the individuals who are your security superstars of tomorrow?
An entry-level security professional today might be your security superstar of tomorrow, and central to keeping them on board is building an engaging environment where their talent can grow. Implement a mentoring program where more seasoned professionals can share tips and ideas with the less experienced amongst you. Additionally, as the saying goes, you don’t realize you’re working when you’re having fun. Microsoft’s use of the Elevation of Privilege game as a way to get IT professionals engaged in threat modelling is a perfect example of how games can both bring teams together and educate them.
If you’re unable to find your star performer within your ranks, it’s true you can always hire A-list analysts from outside. However, it will take some time for them to acquire the ‘meta-data’ that your current staff possess. In short, it is far cheaper to invest in a stimulating, high-performing and collaborative environment than to look to hire external talent.
The role of security executive has never been so central to your enterprise’s success or failure. By ensuring your security team are satisfied, informed, challenged and listened to, you will be able to retain your security superstars of today, and develop those of tomorrow.
After all, there is no point being captain of a ship if you are constantly on the lookout for a team who can’t help you steer it to success.