How to reduce security staff turnover? Focus on culture and people

HM Health Solutions CISO Omar Khawaja reduced security team attrition by focusing on a strong culture and providing effective communication channels to management.


The unemployment rate among cybersecurity professionals is around zero percent, while ESG reports that half of organizations have a “problematic shortage” of cybersecurity skills. Because of this, it is important for companies to keep turnover as low as possible among the security talent they already have.

Omar Khawaja, CISO at HM Health Solutions (HMHS), found that instilling the kind of company culture the employees wanted and having multiple ways for them to communicate their concerns was key in reducing staff turnover in his team. “Often we start with, ‘What does a customer want, or what does the business want?’ The reality is it should all start with the employees,” he says.

“If you have the right people and culture, they'll ensure you have the right processes, and if you have the right process that they're executing well, then your customers will be happy, and if your customers are happy then your business is going to be successful.”

Losing security talent at an unsustainable rate

HMHS is the Pittsburgh, Pennsylvania-based IT subsidiary of health insurer Highmark Health. Set up in 2014, it provides IT services to healthcare providers and payers, both within Highmark and its subsidiaries and at other organizations.

Its 125-person security team is tasked with protecting data on the wider company’s 50 million customers as well as various hospitals, insurance companies and physician offices within Highmark’s network. Khawaja explains that he sees HMHS as Highmark's “burning platform” and sees the business as a startup based within the parent company.

However, despite his view that HMHS is the most exciting part of the company to work in, the security team was suffering from a high turnover rate. “Our attrition rate was over 30 percent,” explains Khawaja. “I was trying to build a really strong team to meet the needs of the business, and it just felt like I would spend so much effort trying to attract good talent, and then one out of three people was leaving.”

“This was our burning platform that people were leaving. If we can't even retain talent, then what's the point? Nothing else matters if we can’t retain high quality talent that wants to be here and feel like they're doing the best work of their careers,” Khawaja adds. “Something had to give and change because that was just not a sustainable model.”

To stem the number of people leaving, Khawaja and HMHS undertook a three-year program to change how the organization interacts with its staff and make the company a place they want to work in.

Engaging with employees to create the culture they want

One of the first things Khawaja did was to hire an organizational change management expert, dedicated to the security function, who could investigate why people were unhappy. “I looked around my organization and I had technology people that understand all of these various technologies, and we really didn't have people experts,” says Khawaja. “The only experts I could find were in HR, and it felt like that was a pretty big gap. We can't drive change by deploying technology and publishing a beautiful process. We drive change by getting people to be inspired and motivated, and that means having people that actually understand people.”

The change management expert then performed an assessment through a series of surveys and focus groups to identify the main barriers to change within the organization. “We identified exactly what the risk factors were for why we wouldn't change, and the number one reason was that people didn't think we had a vision,” says Khawaja. “They said every day we come in it's really disruptive, it's really crazy, there's just another fire drill every day, and we're not quite sure where we're headed, and if we're not sure then we're not really sure we want to be along for this rather bumpy ride.”

The company then went about building and defining a vision for its security team, which was broken down into four parts:

  1. Why the company needed to change
  2. What the company was going to change to
  3. How to measure success
  4. Guiding principles that dictate how to behave along the way to achieve progress

“All of this was done collaboratively and involved workshops, anywhere from 4 to 8 hours: bring people in and give them lots of sticky notes and Sharpies and have lots and lots of discussions,” says Khawaja. “The idea wasn't to have 'this is what Omar wants,' but to come up with 'this is what is needed and wanted by the organization' and have everyone's fingerprints on it to increase chances of success.”

The vision the security staff arrived at was a risk-based approach, built around newer technologies, that judges the program on business outcomes rather than on which technologies were implemented. In practice that meant adopting a zero-trust model and making security as frictionless as possible so that users get the best possible experience.

Ask the CISO sessions and agony aunts

As well as instilling a new vision for the security team, Khawaja has made himself available to his team with regular 'ask the CISO' sessions where he can talk to employees informally about whatever concerns them. “I would do town halls and I would realize no one would have a question because people don't necessarily feel very open and comfortable asking a question in front of another 100 folks.”

Instead, the ask the CISO sessions are what he describes as an ‘untown hall’: no stage, slideshows or agendas, just Khawaja and a small group of fewer than a dozen people at a time talking about their grievances. “The idea is to start with a blank sheet of paper and I ask the team, 'What's on your mind? What are you happy about? What are you unhappy about? What do you like? What do you not like? What rumors are you hearing? What myths do you want demystified? What suggestions do you have? What complaints do you have? What frustrations do you have?'”

The goal, he says, is to address anything that could affect how engaged and excited people are about coming into the office. That can be anything from tools and technology, to colleagues and managers, to the dress code, parking and the food in the cafeteria. “Before it was just complaining about the present and now they're asking about the future because they're pretty OK with the present.”

HMHS also introduced what Khawaja calls the change agent network, a group of appointed colleagues to whom staff can go anonymously to talk about issues they are unhappy with. “We picked them because they were trusted individuals who their colleagues felt like they could confide in. Everyone knows who they are, so it's not like they're moles or they're spies,” says Khawaja.

HMHS has around a dozen change agents across the security department who act as employee “agony aunts.” Staff can take issues they don’t feel comfortable raising with managers to these peers and can ask that their complaints be kept anonymous. The agents then report back to the respective managers on what the issues are and suggest how to fix them. “The program probably took about 18 months to really take off and finally now it's conveying significant value,” Khawaja says.

Khawaja would like people to feel comfortable sharing that information without hiding their names, but would rather have the information come through anonymously than not at all. “We don't mind people complaining. We just want you to complain to the right people so something can be done.”

Reducing attrition and an ongoing commitment to change

After a three-year transformation, Khawaja says the company’s regrettable attrition is down to less than five percent. There has also been a notable uptick in the feedback from employee surveys. “Our employee net promoter score is up by about 45 points. Our Gallup employee engagement score is up by about 1,200 basis points. People are saying, 'We see the organization listens to us, that we're very much a learning organization, that we strongly believe in continuous improvement.’”

Khawaja admits that nothing HMHS did was rocket science and says it could be replicated by other security teams, but he stresses that it takes patience and perseverance. “For the first year we had zero results. It was probably one year before I got even an inkling of some change, and then it was probably about two years where I felt like now we're headed in the right direction, and a full three years before I felt like the organization actually transformed.”

“It's just having the willingness to keep doing the same thing over and over and over again. My instinct was this really is the right thing. I believed in it, but it’s really hard to do for an entire year and not expect results.”

While Khawaja considers the program a success, he sees the transformation as a continual journey that must adapt as employee needs change. “It's constantly getting feedback and constantly looking at what can we do better this week and the next week and next week, one small change at a time. It's what we refer to as relentless incrementalism. If we keep making small changes every day, then before we know it we will look very different than we do now.”

“We've got the humility to know that we're not perfect, but we've got the perseverance to say we're going to keep trying, we're going to keep on and improve every single day,” he adds.

The company still uses the same balanced scorecard and 26 KPIs it defined for the initial transformation, which give Khawaja what he describes as a people risk dashboard. “Every month I get a dashboard that says from a people standpoint what are our risks in every single part of my organization.”

While keeping the organization secure will always be what a CISO is judged on, Khawaja says keeping his security staff happy isn’t something he can ignore or pass the buck on. “HR is there to serve us and support us and they've got some expertise. But ultimately the individuals that report in to my organization are my responsibility first and foremost. It's my responsibility to do whatever it takes to make sure they're engaged, that they're excited, because that's what's going to create a strong security program and quite frankly that's what's going to keep me excited and coming into work, because if my team doesn't want to be there, I'm probably not going to want to be here either.”

Copyright © 2019 IDG Communications, Inc.