What you need to retain the security talent you want


Much attention is paid to the talent gap. Some companies are aggressively exploring how to best attract needed security talent. But what about retaining the people they have?

At InfoSec World, Mike Saurbaugh caught the attention of security leaders with a data-driven approach to retaining talent. Broader than the use of collected evidence is his targeted audience: the next generation of our workforce.

Mike Saurbaugh (LinkedIn, @MikeSaurbaugh) has been a consultant, advisor, writer, and former head of security. He’s got two decades of broad experience. We connected a few years ago when he reached out with an offer to help. It’s indicative of his approach - and explains why he’s been an advisor to schools and those they prepare for our industry.

As such, he initially set out in an effort to “open the eyes” of those preparing for successful careers in security. In the process, he discovered powerful insights we can use today to attract and retain the talent we crave.

What sparked your desire to explore the workforce with an eye toward what we need to do to attract the talent we want?

Having served as a curriculum advisor, I realized students were picking job titles based on what appeared cool, but with no real understanding of the industry. In the industry, focus is largely on a talent gap and expected salaries.

Higher education tends to lead students to believe that they will make a lot of money. And, for the most part, they are right. However, what is often overlooked is the cost of living when salaries are compared. $80,000 for a security analyst is cheap in some metro areas, but the cost of living is exorbitant. An $80,000 annual salary for a new college graduate seeking a security analyst role is not realistic in many parts of the country because the cost of living is so much less. However, students are expecting salaries which may not translate equally depending on the location.

Money only goes so far.

Business cannot continue to pay huge salaries. I decided to explore how to better retain people by exploring the perceptions and needs of the next generation of our workforce. As a leader, I sought to retain the talented folks who worked with me. Often that meant helping them grow, even if that means they might leave for a promotion. Sometimes people leave for other reasons, too. I saw an opportunity to explore more.  

Seems simple in hindsight to ask people what they want. What prompted the approach to ask about expectations?

It seemed to be the most logical thing to do. Simply ask. Once we learn and understand, we can then tailor the environment to hopefully provide a win-win. It’s not always going to be perfect, but rather than guessing, let’s have the conversation and better understand what’s in their head.

These are students who have not yet worked in corporate America (some were graduate students, but the vast majority were undergraduate students). Therefore, we have an opportunity to start with a clean slate. It meant I could ask some hard questions and expect candid responses.

I set out to ask students in higher education what they value in employment and what they seek. What will drive them away, and what will make them stay. I then wanted to compare this to my own personal management training, leadership experiences, conversations with clients, and colleagues in the industry to see if the results were in line. And if not, why.

Think about the value to security leaders.

If we know what people expect, and we know what irks them, we can work towards providing the optimal work environment for them where they feel valued and want to stay, even if there is more money elsewhere. Soon, people learn that money doesn’t buy happiness - yes, money is VERY important, but so too is your purpose and your company’s mission. Simply take a look at how many security people do something for NOTHING - they research, organize cons, podcast, write, etc. - granted, it’s good for their career, but it is also something they are doing for oftentimes no monetary reward.

That, in my opinion, is passion - it’s what we often talk about. So, we’re trying to be supportive of our employees to work in an environment where they can grow, learn, feel valued, and take home a respectable salary. Ultimately, security leaders should grow their staff so that they can leave, but provide an environment that they won’t want to leave. Yes, eventually employees seek change, and they may leave for something which cannot be provided in your company - which is fine. However, the negative differentiator is when employees are just job-hopping from “Bank A” to “Bank B” for a few thousand dollars - doing essentially the same job.

What was your biggest surprise in the findings?

The biggest surprise is that they were not looking to bounce around.

The expectation is to find a job and stay with it. Some expressed staying with a company as long as they had a job. At the outset, they aren’t seeking to job-hop. It’s fascinating, because it contrasts with the current discussions about job-hopping and the churn in the industry.

It’ll be interesting to track how this unfolds and what happens when they get their first positions; maybe what they expect will change. Or maybe we’ll be able to provide a better culture by then.

I’d say the other, and not so much surprising, but interesting, is the number of students who aspire for leadership as it stands today. I say as of today, because they may change their mind later in their career - which would be an interesting follow-on question in another survey.

Based on your findings, what do people want?

It’s not surprising or atypical, they want what most of us want: to be meaningful and happy. They want to be part of something where they feel like they’re making a difference.

This is already evident in our industry with the success of volunteer driven efforts and conferences.

It suggests that culture and opportunity are more important than money (though that doesn’t mean pay them less; pay people what they’re worth). In general, most people just wanted to be valued, have a supportive environment with opportunity to grow, and decent work-life balance (with respectable salary). They want to make a difference and they want to have something purposeful.

To me, this seems achievable.

Corporate culture is vital. If the culture of the company is desirable, employees will likely have higher job satisfaction. A lousy environment - and soon the salary may be the only thing keeping the employees there. This is a dismal place to be for the employee and the employer. As security leaders, if we have high communication with our staff, mentor them, focus on their career growth, provide a reasonable salary, and provide a decent work-life balance, this is an environment where employees, the security leader, and company can be more successful.  

What can a security leader do today to benefit from these findings?

The biggest thing, in my eyes, is being there for people. Also, not treating them like a machine (“hey Michael, did you close that ticket out?”) vs. (“how was your weekend - what did you and Teresa do?”). This is much different - you can still get to the “ticket question” but it’s a different way of getting the answer and for people to know, hopefully, that you care about them as a person, not just tickets opened/closed.

Start engaging in open conversation. Conduct something called a “stay interview.” Instead of waiting for someone to leave and fumbling through the mandatory “exit interview,” talk to them before they dart. Schedule time to sit and talk with everyone on your team.

Those conversations are the first step toward understanding the sort of environment you need to create to keep the talent you have… which creates a path for the talent you want.

Also, ensure they are in a position for success. Strengths Finder is a great resource, as well as DISC, in my opinion. They are resources to help ensure people are in a position for success and for security leaders to better understand their employees.

Look to find ways (from my suggestions) where as security leaders you can provide them with supplemental activities that don’t cost the company more in salary and benefits.
