10 Ways to Boost Cybersecurity Talent Retention

Once you manage to find the right people for those essential cybersecurity roles, how do you keep them from leaving? More than half of respondents (56%) reported having issues retaining talent in the State of Cybersecurity 2023 report from professional association ISACA.   

“You've got a lot of cyber workers not only doing their job, but they're also covering for other open and unfilled positions in their workforce,” Erin Weiss Kaya, senior associate at consulting firm Booz Allen Hamilton, tells InformationWeek. 

Taking on that additional workload, often with limited resources, as the onslaught of cyberthreats escalates in volume and sophistication is the perfect recipe for burnout. And burnout in the cybersecurity space is a well-known trend.  

When people feel overworked and underappreciated, they are likely ready to job hunt. With cybersecurity talent in such high demand, that hunt probably won’t take long. “The skilled workers in cyber space, they're getting calls on a weekly basis for new opportunities,” says Weiss Kaya. 

How can enterprise cybersecurity leaders create a workplace that encourages their team members to stay and grow rather than picking up that recruiter’s call and heading to a new company? Here are 10 ways to consider:

Related:IT Security Hiring Must Adapt to Skills Shortages

1. Recognize the problem  

If your organization has a cybersecurity retention problem, turnover rate is going to be the most obvious indicator. The average turnover rate in cybersecurity is approximately 20%, according to the Cybersecurity Under Stress report from cyber threat intelligence company ThreatConnect.  

Knowing that turnover is a problem isn’t the same thing as fixing it. Enterprise leaders need to do some digging to understand why people are leaving. Survey work can provide some insight here. “One of the best ways of understanding whether or not you may have somebody departing is survey-based work or other types of data collection around intent,” Weiss Kaya shares.  

While data does paint a picture, leaders need to talk to their teams to fill in the blanks. “There is no replacement for a leader sitting down with an individual on the team or with a whole team and doing a round table and saying, ‘Hey, give me … candid feedback,’” says John Grancarich, chief strategy officer at Fortra, a cybersecurity and automation software company.  

2. Make retention a team sport  

The CISO at an organization, naturally, takes the lead on cybersecurity talent retention. But they cannot do it alone. Employee retention is fostered by multiple different factors, driven by many different people within an enterprise.  

Related:How to Begin a Career as a Cybersecurity Consultant

“Ultimately … the CISO is responsible in many ways, but … there are team leads, department leads under the office of the CISO. So, they obviously also need to keep everybody informed and engaged as well,” says Michael Lyborg, CISO at Swimlane, an AI-enabled security automation company.  
Human resources and other members of the senior leadership team can also play a role in creating an effective talent retention strategy.  

3. Use rotation programs 

Rotation programs can give cybersecurity workers the chance to develop new skills within an organization.  

“It really begins to upskill the existing staff and give them a way to grow their role within the organization … as opposed to been picking up that aggressive recruiter’s phone call and saying, ‘Oh, I'll hop over there because that was the kind of thing I wanted to do, but I couldn't find it within my own organization,’” Weiss Kaya explains.  

4. Offer continuing education 

Giving people access to continuing education opportunities is a straightforward strategy for keeping your talent. If people have these opportunities to grow and learn, they may be more likely to not only stay put but also to put those skills to work supporting an organization.  

Related:Closing the Cybersecurity Talent Gap

“Have they [enterprises] looked at the traditional continuing education opportunities? Have they put clear tuition reimbursement plans in place? Have they made really [easy] access to trainings, to certifications? Are they creating pathways to get to conferences?” Weiss Kaya asks.  

5. Show a path for growth 

In ISACA’s State of Cybersecurity 2023 report, 48% of respondents pointed to limited promotion and development opportunities as a reason that talent leaves an organization. Building and sharing a roadmap for career progression can be a long-term investment in your people and your retention.  

Cybersecurity workers can get lost in the day-to-day demands of their job and struggle to see the potential for advancement. Cybersecurity leaders can help them see that road ahead.  

“Developmental assessments can be a really nice tool for allowing them to begin to see those next-stage opportunities,” Weiss Kaya suggests.  

Once leadership and talent have an idea of where individual strengths lie, they can lean into those. Pair people with mentors that can build on those strengths. Share how developing certain skills will lead to career advancement opportunities.  

“Getting an employee engaged on that longer-term journey could be a way to really get them excited and pumped about where they're going in their careers and lead them to stay and to trust that their employer will show them the way, and they'll stay with the organization longer,” says Grancarich.  

Arsenii Palivoda via Alamy Stock Photo

6. Stop looking for cyber unicorns  

The search for “cyber unicorns” is a significant factor behind the unfilled jobs in the industry, which leads to greater pressure on the people who are employed in cybersecurity, according to  Grancarich.  

Just because an individual does not have the exact set of qualifications that a hiring manager wants to see does not necessarily mean they can’t grow into a cybersecurity role. With so many enterprises competing to snag cyber talent, it is impossible that every single candidate will be that perfect, unicorn fit.  

“We have to find ways to get more people into the field and provide them an on-ramp to meaningfully contribute because I think that will help decrease some of the burden on the existing cyber professionals that are out there,” says Grancarich.  

7. Consider the work environment 

How is an organization’s work environment impacting employees’ decisions to stay or leave? “Cyber professionals tend to really thrive in a nontraditional environment, and it's not always the nature of the parent organization that they work in to be more nontraditional,” says Weiss Kaya.  

Can an organization make any relatively easy changes to the work environment to make it more welcoming for cybersecurity talent? Do non-customer facing workers really need to wear a suit and tie to work?  

“Removing that requirement from the environment is a commitment to showing that we are going to make a long-term change [in] how we think about including this subset of our workforce into our bigger culture,” says Weiss Kaya.  

Cybersecurity is a high-pressure industry. But Lyborg argues that leadership should not lose sight of the importance of bringing their teams together. “I think the biggest thing, in my opinion, is cybersecurity should be fun,” he says. “We have to pair that fun by doing these labs and exercises and bringing people together because a lot of us are remote. Doing events together, whether virtual or physical, that's extremely important as well for retention.” 

8. Prepare for new technology  

Enterprise leaders will need to consider how AI can be bane and boon for their cybersecurity teams. On the one hand, attackers armed with AI are going to add to the volume of attacks. And existing cybersecurity talent will be under pressure to upskill and keep up.  

On the other hand, cybersecurity workers tend to be curious and eager to use new technology. Automation driven by AI could make it easier to do their jobs, potentially streamlining workflows and alleviating alert fatigue.  

How can enterprises integrate AI into continuing education opportunities to help their team members keep up with and potentially reduce the pressures of their jobs? How could AI potentially open the door for attracting new talent to balance cybersecurity teams’ workloads?  

9. Keep up with market pay 

Money isn’t everything, but it doesn’t pay to pretend that it isn’t a major factor in any employee’s decision to stay or leave an organization. In the ISACA State of Cybersecurity 2023 report, 54% of respondents reported that poor financial incentives are a factor leading cybersecurity professionals to change jobs.  

“Pay needs to be something that is considered on a very regular basis and reassessed by your organization to ensure that it is actually aligning what the comparative market looks like today,” says Weiss Kaya.  

10. Monitor success 

As enterprise leaders implement changes to address talent retention, they can check in on their turnover rate. Is it going down? Turnover will never be 0%, but measurable improvement does indicate that cybersecurity talent is responding to retention efforts.   

Quantitative metrics, while important indicators, do not always tell the whole story. It is important to continue talking to cybersecurity team members to understand where they stand. Hold regular check-ins. Conduct exit interviews. Ask people what is and is not working in their work environment. Building an environment of trust will encourage people to speak up, according to Grancarich.  

“Our job as leaders is [to] take what we've heard, to prioritize it, and then to make meaningful progress,” he says. “That is not the employees’ responsibility. That is the security leadership’s responsibility to take what they've heard and put that into action in some systematic and sustainable way.”