Signs of a more stable economic climate continue to trickle out. IANS CEO Jack Phillips says savvy CISOs need to now switch from budget cuts to competitive employment.

After a year of uncertainty and difficult circumstances in business, many analysts say it appears the economy has begun to calm down and organizations are slowly shifting from survival mode back to strategically considering ways to grow business. Sounds like good news, right?

According to IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, it is good news, but it doesn’t come without some challenges for information security departments. Jack Phillips, IANS co-founder and CEO, conducts two-day information sessions with clients—mostly CISOs, CSOs and other security leaders—to find out what they are seeing, hearing and experiencing in the enterprise and to share information that might be helpful to others.

Phillips said as the economy recovers, the concern now has changed from how to handle workforce cuts, to how to keep team members from defecting now that they may have more options. He spoke with CSO about how security leaders can keep morale high among the infosec department and hold on to talented employees who might be looking elsewhere.

CSO: You mentioned you’ve heard career and workforce management concerns really change over the last year for security folks. Can you tell me more about that?

Jack Phillips, IANS: In around February and March of this year, when things were much more critical than they are now, the message we heard from clients was “I’m worried about losing my job, how should I be prepared for that?” That came not so much from CISOs, but more from their team members, the work force. They were preparing for the worst.
So we began the curriculum with a plain, vanilla approach with basic things like how to use LinkedIn and other social networking tools to see not only what is coming but to prepare yourself for the next move. What then happened about mid-year was that the leaders came to those sessions as well and said “I have the inverse concern. First of all, I don’t want to lose people. I don’t want to have to cut, and I also have to maintain morale. Can you give me ideas for keeping people interested and engaged when I’ve asked them to work with no pay increase and it’s been a tough road here for the last 8 to 9 months?”

The second concern was: If the economy turns around in 2010, will we see a competitive market dynamic where on the margin my team members may leave for a marginal difference in salary, benefits and conditions for other organizations in my geographic area? In other words, if XZY institution offers a marginally better package than ABC institution, my folks are pretty weary right now. So the concern is all of a sudden I could lose people I really want to keep. Is that going to happen? And if it does, what can I do to stem that? It really comes down to that the sun is coming out here and I’ve got some people who have stuck with me. I don’t want to lose them when I’ve fought so hard to keep them for such a marginal difference.

What is the probability we will start to see some defections given what is happening now economically?

The way we have answered it is to say we certainly can’t predict the economy. But what we are seeing is an uptick where there is a return to projects that were shelved because of a coming storm. More and more we hear IT teams say “Yeah, there is an uptick in project work, the reins are loosening.” Therefore, security has to have a role in those projects.
If you collectively survey folks, we are seeing from a corporate standpoint the view is “Let’s get back to trying to start to expand our business, and we need an IT portion to help us do that.” Business owners are saying “Let’s get ready as we potentially grow our business again.” So if one company says “Let’s go and try and build a new service offering in 2010,” are they going to marginally try and pick off people from a competitor firm in order to be able to do that? So the advice is watch projects. Not so much the economy, because that is too difficult to do. But keep track of what certain of your competitors are doing. Are they announcing new business initiatives? If they are and you are not, you could get caught just marginally where someone looks across the fence and says “Conditions are a bit better over there than they are here.”

You mentioned motivation. How have companies done that among security in the recession?

If you were an organization that had to cut headcount, you had one set of issues. If you were an organization that didn’t need to cut but couldn’t reward with benefits or salary bonuses, you had a slightly better problem, but nonetheless a problem. Ultimately the best solution we heard was keep it as interesting as you can. [Editor’s note: Here Phillips echoes a point made by consultant Ram Charan in a 2007 interview with CSOonline: Ram Charan on the Business of Security.] So how do you do that? Rotation across roles, focusing back internally on skills, encouraging people to study for a CISSP, have them take classes or continuing ed to expand their skill set. Rotate people around so they are doing some new things. That has tended to keep things interesting in IT security. And as much as you can, include these folks in the business conversation. Put their work in context for them; now, more than ever.
The key to getting out of the morale downward spiral is to make people feel as though they are really relevant and critical to the mission of the organization. So it’s no-cost creative thinking that has gotten the high performing leaders through this period of time. But that can only go so far. At some point people say “But I’m not moving up. And I need some kind of increase to my salary.”

So what about the folks that are starting to feel that way? Can you create allegiance so they don’t defect?

If you aren’t proactively speaking with your team about this, you will be surprised if people leave and that’s a difficult scenario. Be honest with folks and say “My hands are tied. I can’t increase your salary or benefits. But just hang in here and this will be as exciting as it looks across the fence.” To me it’s all about relevance; making sure your team knows they are really, really relevant and necessary in the overall business process. Even if in your heart you know at the end of the day you are a cost center. I think it’s just trying to create the same excitement they look at over there. It’s all about the word engagement. If you can measure how engaged or connected your team is to the overall enterprise mission. When it is high; when they feel a sense of ownership, they are more satisfied. This is a group of people who are religious about what they do. It’s a mission for them, not just a job. So it’s an intangible metric, but a metric the high-performing CISOs follow.

And if, despite all of that, some security folks do decide to leave for slightly better situations, what are the implications of that loss?

The primary one is the brain drain; particularly in info sec. You have these specialists whose value goes far beyond what you are paying them. So from an enterprise standpoint you are losing really human assets that are harder to replace than it seems in terms of more than just salary.
The other trend we are seeing is replacement of full-time workers with contract workers. The idea that if you have a new project IT is involved in, somehow there is an acceptance that outsourced workers, contract, consultants, are better in this economy than full-time workers. So you could end up in a situation where you’ve replaced full-time security workers with consultants. And it’s a lot like Chinese food where it satisfies you for a short time, but in the long term, you are still hungry. The real high performing leaders are looking and saying “What is the best way to run security in my enterprise? It’s not with contract workers. It really is with full-time people. So I’m going to do everything I can to keep that institutional knowledge in place here.”

To be frank, as the economy recovers, how much is salary going to eventually be a factor again? Are organizations going to have to start factoring that in again to keep people?

They are going to have to.
I would say at the one year point, and we are about at that if you look back at where people started to pay attention, when people started to hear on high “Batten down the hatches.” As you go into salary reviews and as we see an economic uptick at other institutions, if people see that they may stand to get slightly better pay somewhere else, that is what causes people to say “Should I jump or should I stay?”