How to build and retain a talented cybersecurity team

What cybersecurity experts want from the organizations they work for

--

From the report Recruiting and Retaining Cybersecurity Ninjas by Frank Reeder and Katrina Timlin of CSIS

  1. The results of our survey of cybersecurity professionals show that challenging, high-impact work and continuing investment in training are more critical to attracting and keeping all cybersecurity professionals than competitive pay and benefits.
  2. Having a flexible work schedule also ranked higher than pay. Ninjas also valued being able to advance without having to assume management responsibilities significantly more highly than non-ninjas.
  3. There is evidence of what we call a “Kevin Durant Effect”[1] — highly skilled professionals want to work with others whose talent and work they respect and from (or with) whom they can continue to learn.
  4. We found a relationship between certain professional certifications and those who perform ninja tasks. Ninjas hold more and different professional credentials.

What makes organizations employers of choice? Our preliminary conclusions from the survey showed that three factors were rated as very important by more than 45 percent of respondents:

  • The employer works in an industry that prioritizes cybersecurity.
  • The employer offers exposure to diverse, high-impact computer security projects.
  • The employer’s mission motivates employees.

Why they stay where they are. Out of 15 reasons people gave for staying with an employer, 6 were rated as very important by more than 50 percent of respondents:

  • Engaging and challenging tasks
  • Employer pays for training to ensure skills stay current
  • Ability to have a flexible schedule
  • Competitive compensation and benefits
  • Access to the resources necessary to do the job (people, funding, tools, etc.)
  • Opportunities for career advancement

At my level, taking into account conference fees, training seminars, and travel expenses, I’m looking at a $20,000 out-of-pocket cost per year to make sure my skills stay current.[2]

Given the strong interest in engaging and challenging work, the factors that stood out, rated as very important by more than 50 percent of respondents, were:

  • Variety in tasks: not always solving the same problem
  • Time to explore new technologies
  • Engaging with other experts

When you’re in the cybersecurity field, you want to solve problems, but not the exact same one over and over.[3]

Why they left their previous jobs: Out of 15 reasons people gave for leaving a previous employer, 6 were rated as very important by at least 44 percent of respondents. The next highest was rated very important by only 33 percent of respondents.[4]

  • Company management did not prioritize or appreciate the cybersecurity mission
  • Lack of opportunities for career advancement
  • Lack of people or tools necessary to do the job
  • Compensation and benefits not competitive
  • No funding for training
  • Lack of engaging and challenging tasks

Ultimately, cybersecurity is a national problem: no single entity can solve it on its own. But while we and other countries struggle toward building a safer cyber environment, acquiring and retaining ninjas is crucial for defense. This initial report points to how that can be done.

Footnotes:

  1. A reference to professional basketball player Kevin Durant, whose move to the Golden State Warriors prompted his teammates to follow him.
  2. Interview of security engineer, June 15, 2016.
  3. Interview with computer security expert, March 21, 2016.
  4. Data for total survey respondents can be found in Appendix C.

--

Center for Strategic and International Studies (CSIS)

Center for Strategic & International Studies is the source for bipartisan foreign policy news, analysis, & solutions to the world’s top challenges since 1962.