You can’t stop people from leaving for pastures new; employee turnover is a natural function of any organization. But when that trickle turns into a flood, there’s an issue. Our recent Great Re-evaluation research revealed that 55% of employees are thinking about leaving their jobs this year. What’s more, 39% are currently working their notice period or actively looking for a new role in the next six months.
But who’s leaving, and why? According to research by Harvard Business Review, ‘mid career’ employees between 30 and 45 years old have seen the greatest increase in resignation rates. The research also identified the most at-risk sectors and, alarmingly, tech industry resignations came out on top, with an increase of 4.5% (compared to 3.6% in healthcare, for example). If this sounds like the situation in your security or IT team, here’s why they might be leaving, and what you can do about it.
Why are people quitting?
A recent McKinsey report highlighted that it wasn’t always the promise of a higher salary that lured people away. Instead, the things employees were looking for were: feeling valued by either the organization or by their immediate managers, a sense of belonging, and a flexible work schedule. In essence, employees were far more likely to prioritize relational factors, whereas employers were more likely to focus on transactional ones.
The past two years have certainly taken their toll on security teams from the CISO down, and people are a little burnt out and stressed. SOC teams are on the front line of a company’s defenses against cyberattacks – alert fatigue is real.
What to do: Work with your people team on an employee support plan, schedule regular check-ins with team members, and explore technological solutions like Spill.chat – full disclosure, it’s what we use here at Tessian.
“Security is hooked on heroics. We love the story of pulling all-nighters and the story of heroes saving the day. But to avoid burnout, there needs to be a shift. Adopt an anti-heroics stance, recognize that heroics are a failure condition”
Highlight team achievements
SOC team members have a thirst for knowledge – they have to respond to an attack quickly in a high-pressure situation. If they feel they haven’t got the support and encouragement they need, both managerially and technologically, they’ll walk. After all, it can be particularly demoralizing to devote eight hours a day to defending an organization when that defense is neither valued and acknowledged nor resourced sufficiently.
What to do: As the company’s security leader, you have to beat the drum for your team’s work and show the value that it brings to the company. Remember, IBM’s ‘Cost of a Data Breach’ report tells us the average cost of a breach is $4.24 million. Communicate that, whether it’s at the all-hands or a poster in the restrooms.
Automate and augment the mundane
The IBM Pollyanna Principle states ‘machines should work; people should think’. That means you should review your security orchestration, automation and response (SOAR) set-up periodically and see what can be automated. Things that automate well are repeatable manual tasks, threat investigations, triage of false positives, and creating reports. This Microsoft blog has some great tips on what security tasks and objectives you should automate, and why. After all, if attackers are automating many of their processes for increased efficiency, so should you.
What to do: Automating the everyday tasks from reporting to rooting out false positives will help you and your team concentrate on the critical issues. Be realistic about what automation is capable of. With that expectation, focus on areas where augmentation can help the team make faster and better decisions. That’s the winning formula.
“I’m not disappointed by what automation has delivered, but I think I have taken a very realistic view of what automation could do. Which is make smart humans able to make faster decisions, make better decisions”
As Mike Privette said in our podcast, security is the one corporate function that should always be growing. As we explored in this article, one of the key factors in building out a security team is that people must have confidence that they can grow and gain value by staying within the organization. So as well as increasing the team in terms of overall size, prioritize elevating existing team members into more senior roles.
What to do: Have a clear understanding of individuals’ potential career progression within the organization. Work with your People team on highlighting future opportunities and creating growth plans for 6-12 months down the line.
Make time for training, learning and development
As well as promotions and increased responsibilities for some team members, training across the team keeps everyone united and aligned. Training in conjunction with things like automation is most effective when you’re looking to change behaviors, such as decreased response times or triaging.
For the fifth straight year, the ISSA and EGA cybersecurity survey reveals that 59% of cybersecurity professionals agree that while they try to keep up with cybersecurity skills development, job requirements often get in the way. As the survey notes, ‘This training gap is quietly increasing cyber risks at your organization.’
What to do: Designate a baseline metric to improve upon, and design a training program that is focused, flexible, and able to meet that metric. If training lacks an objective and feels like a chore, people will treat it as a chore.
Finally, if people are dead set on leaving, the only thing you can do is wish them all the best. Infosec is a small world and chances are your paths might cross again.