Why Your Best Cyber Talent is Going to Leave You
According to a 2017 survey by ISSA and ESG, nearly half (49%) of cybersecurity practitioners are solicited for a job opportunity at least once a week. Stretching that out to a monthly range, almost every cybersecurity employee is presented with at least one opportunity to leave their current position. No big deal – your cyber employees love their jobs, right? Apparently not. The same survey found that 60% of information security professionals aren’t satisfied with their current positions. A similar study conducted by (ISC)2 found that only 15% of cybersecurity professionals have “no plans” to leave their current role.
Cybersecurity isn’t unique in low job satisfaction. A Pew Research study across all verticals, annual incomes, and education levels found that 30% of Americans view their current position as “just a job to get by.” Yet, the study found that job satisfaction (and even personal life satisfaction) was significantly higher in those with income greater than $75,000/year and a bachelor’s degree or higher.
So, with cybersecurity professionals earning an average of $116,000/year and most professionals holding undergraduate degrees or higher, where is the low job satisfaction coming from?
Queue the Breakup Playlist
The ISSA/ESG survey respondents self-reported that the biggest sources of dissatisfaction were financial compensation (42%), career advancement support and incentives (38%), and commitment from leadership in treating cybersecurity as a priority (37%).
Perhaps the request for greater pay is indicative of the high-demand in cybersecurity employees. After all, with 3.5 million open jobs expected by 2021, existing cyber employees do have some leverage over their employers who desperately wish to maintain whatever limited staff they possess. With practitioners demanding “more,” employers feel as if there is little more that can be done other than fork over bigger bonuses, match recruiting offers, and implement automatic raises. Employers are whining Sam Smith’s “Stay With Me” while employees are wailing “Babe, I’m Gonna Leave You” off of Zeppelin I.
Too Much is Never Enough
Money rarely buys happiness. The problem with paying your employees more is that the investment doesn’t necessarily provide the expected return and it rarely solves the underlying satisfaction issues. Often times, cybersecurity managers tell us that the value of the bonus or raise “wears off” quickly. Studies on the correlation of money and happiness go back decades, if not centuries. A recent study supported by an international Gallup poll showed that there is a significant correlation between money and happiness. Yet, what’s interesting is that the correlation flatlines at approximately $105,000 annual income. In other words, any increase in salary at $105,000 or greater does not result in higher levels of happiness. It seems that research is congruent with the anecdotes that we hear from managers, even those in organizations with the ability to pay some of the highest salaries. In essence, paying your Senior Cybersecurity Architect an extra $20,000/year might keep her around for six more months, but it might not keep her satisfied into the next annual review.
So if money isn’t enough, then what is? As mentioned, the number one element cited in employees dissatisfaction was insufficient pay. Given that we now know that this is often uncorrelated, we can surmise that many or even the majority of employees don’t necessarily know what will make them happy. Furthermore, those that are satisfied with their current role may have a difficult time pinpointing the sources of job satisfaction. In very simple terms, most people (including cybersecurity professionals) want to feel valued, understand that they are contributing something to the organization, and are empowered to succeed in a way that aligns with their own goals.
Three Signs of a Miserable Cyber Job
Fortunately, there is a model for applying these same general human desires to benefit both employers and employees in Patrick Lencioni’s The Truth About Employee Engagement. Though we’re not quick to recommend often over-simplified business books, Lencioni’s novel leverages a worthwhile narrative to suggest that three factors directly lead to low job satisfaction: anonymity, irrelevance, and immeasurement. The text acknowledges that while industries and individuals are unique, the main factors that lead to employee satisfaction are consistent. After getting some face-to-face time with cybersecurity managers and leaders last week at Black Hat USA, the shared experiences suggest that Lencioni is right on the mark in the cyber domain.
Employees cannot be truly satisfied and fulfilled in the workplace if they are not known in the workplace. Privacy advocates or not, no one wants to be a nameless face in the office – even as a remote employee. Think about it. If it’s important for someone to feel valued and like they’re contributing to the overall mission of an organization, how can they do that if no one knows or acknowledges their existence? Employees who feel known also feel understood, appreciated, and valued. How can you make your employees feel less anonymous? For one, know them by name and understand each practitioner’s unique knowledge, skills, and abilities.
Not everyone wants to have a career focused on world peace, digging water wells in distant countries, or curing cancer. Yet, it is true that every employee needs to know that their work is either directly or indirectly relevant to someone. Anyone! The corporate world in particular is notorious for discounting the importance of communicating business objectives and needs to security professionals. This is a mistake. For example, if a practitioner is working in vulnerability management, it is not likely enough to position his responsibilities as simply limiting and mitigating vulnerabilities. Rather, it would be more effective and more likely to feel satisfying to this employee if he understood how his daily tasks make his teammates lives easier, protects client information, or helps the business to fulfill its mission. Plus he’ll probably perform better as a result too. If there is no connection between the role and its impact, employees are much less likely to feel fulfilled. Your job as a manager is to draw those connections for each and every one of your employees.
Within the Department of Defense or other government agencies, the ability to increase pay is limited or capped while the large numbers of employees can create an atmosphere of anonymity. Given these limitations, these organizations go at great lengths to present the mission or “greater good.” Many government employees stay within public positions where they are making much less than they could in the private world, because they believe in the mission (or relevance) of their organizations.
One of the biggest mistakes that employers make is that they don’t provide clear key performance indicators (KPIs) or other metrics to help employees determine if they are doing great work or delivering a poor performance. In fact, 62% of cybersecurity practitioners want more clearly defined responsibilities and measures. It is important for cybersecurity practitioners to be able to evaluate themselves to understand how their performance meets expectations and how it relates to the relevance discussed in the previous point. Employees will not be fulfilled in their work if they are forced to rely on opinions.
Lencioni’s model applies to the retention and employee satisfaction problems in cybersecurity so well partly because the field, being relatively nascent, possesses a great deal of ambiguity. Employees aren’t often individually identifiable — anonymous within larger security teams. They are often detached from the company mission, or even viewed as a roadblock to company access — cementing a feeling of irrelevance. Practitioners don’t have clear performance expectations in place due to poorly defined roles (let alone have productive performance reviews in place) to determine if they are performing below, at, or above expectations as a nod to immeasurement.
Furthermore, the career path for employees might not be laid out to all cybersecurity team members. In addition to addressing the Three Signs of a Miserable [Cyber] Job, employers should provide a clear path by which employees can see themselves sticking with their current employer for the long haul.
Need help? CyberVista is currently offering our role-based Critical Knowledge solution free to qualified organizations to help cyber and cyber-enabled teams build the foundational knowledge and skills to succeed in their roles. Get in touch with us today to discuss how role-specific training helps retain, upskill, and promote your current cyber talent before they leave you forever.