We’re in the midst of a cybersecurity staffing crisis. Many major news outlets, such as The New York Times, have reported that unfilled jobs in the industry are expected to reach up to 3.5 million this year — leaving existing security teams stretched thin and burnt out.
To make matters worse, attackers have increased their activity since the beginning of the pandemic and continue to take advantage of the prolonged crisis. In this new year, CISOs everywhere will need to shift their talent management practices in order to attract new candidates to the field and prevent employee burnout. How? Here are a few ideas.
1. Invest in training for new employees
Today’s college graduates in the technology or cybersecurity fields, or even those with one to two years of experience, have a definite thirst for knowledge. Our organization, for example, has found that investing in feeding that knowledge pays dividends. Each year, we take new cybersecurity talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs and cross training. In the long run, organizations benefit from investing in their people.
2. Match people to the job, set goals and mentor
Understanding what encourages your individual team members to perform their best work is key to keeping them motivated. I’ve learned from personal experience that people don’t tend to burn out when they have work they find interesting and genuinely enjoy. Security professionals, for example, are generally curious by nature, more self-driven than many other professionals, and clever: they love challenges and dislike process-heavy tasks. At the other end of the spectrum are QA testers, who tend to like following directions and prefer detailed lists of test cases they can execute down to the smallest step. To be sure, it is good to have both types of personalities on your teams.
To help all personality types avoid burnout, you need to make sure that you’re giving them tasks that match their interests. You also need to invest in your team’s growth and help each individual understand how they can enhance their skill set — whether it’s digging deeper into one specific area of security or increasing the breadth of areas they can expose themselves to. You can do this with goal setting and building career plans for each person on your team.
Having a formal mentorship program is another effective talent management approach. One challenge some cybersecurity professionals face is that they don’t always have the most extroverted personalities and may struggle to build professional relationships outside of their work teams. In my experience, co-workers become friends outside of work, so whenever I needed a sounding board or independent advice about a career issue, I was hesitant to confide in those co-worker friends for fear of possible negative repercussions. A formal mentor outside of your work circle, who can offer guidance and perspective, can be invaluable.
3. View your project managers through a new lens
Project management duties in cybersecurity will never go away; they are a critical component of smooth workflows and of efficient, effective client communication. However, project management is not the career path most people who enter the industry want. They don’t want to be organizing meetings or writing status reports in a prescribed format. They want to be breaking things (ethically, that is). If your goal is to prevent burnout, then as a leader you need to keep these people doing the high-value technical work they signed up for rather than loading them up with project management.
You can complement your team’s technical excellence by hiring a well-organized people person who takes care of the administrative overhead that goes along with doing security work. But don’t stop there. An effective cybersecurity project manager should be more than a task coordinator and client liaison. To be truly successful, project managers today also need some technical knowledge. They don’t need the skills to perform the work, but they need to understand what the work is so they can communicate effectively with clients and CISOs. They are essential in understanding and communicating the impact on budgets and timelines when the security team uncovers major vulnerabilities.
My colleague, who manages a team of project managers, recently wrote that an ideal project manager is one who has passion for the job and puts the client first. Critically, the project manager will often need issues-management skills: the ability to analyze a particular client circumstance and propose workable ways to move the project forward. The project manager should be the anchor of the vulnerability management program, advocating for the client at every turn.
Historically, project managers have been very task oriented. They had a project plan, checked in with the team, assigned tasks and checked back periodically on their status. That style of project management is waning, and we now see project managers stepping into a leadership role: leading the entire team, and guiding clients toward the best course of action. This leadership both creates excitement around the project management role and relieves security teams of managing the client relationship, ultimately preventing burnout on both sides.
4. Be careful with incentives
Incentives, such as bonuses or gift cards, have long been a standard method to entice employees to do what management wants. However, they can backfire. If you’re creating incentives for your security teams to work more because you’re short on staff, you also must have a way to track that the amount of work they’re doing to earn those perks isn’t burning them out. Partner with your human resources department to establish metrics to guide you in determining whether an employee is at risk of burning out, as well as action steps to correct the situation. Work with each staff person on a case-by-case basis when red flags are triggered.
5. Enable automation
Automation is critical to removing workflows or steps that are repetitive, redundant or that don’t necessarily need a human to perform them. It’s a smart way to free up your cybersecurity team’s time for more rewarding work.
From a security professional’s perspective, automation has become a critical tool for preventing burnout. Back when I was consulting, doing hands-on-keyboard ethical hacking and assessments, I had to write my final reports from scratch. There were no templates for common vulnerabilities. Today, standard vulnerability classes and the established techniques for remediating them are well documented and should be catalogued as reusable finding templates for reporting.
Automation also comes in the form of platforms that free assessors from the manual labor of certain tasks. For example, if I’m performing a penetration test on a web application, there are three or four other tools I need to run as part of the workflow. An automation platform can run those on my behalf so I don’t have to worry about configuring each tool. It can also compile the results from all of those tools and de-duplicate them, so I don’t have to do that manually in a spreadsheet. Another great feature of automation platforms: they can generate reports to the client’s requirements and notify the client in real time. No more manually writing emails to the client about critical findings or to deliver a final report.
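The two automation tasks described above, cataloguing standard findings as reusable templates and merging the output of several tools into one de-duplicated list, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not NetSPI’s platform or any real scanner’s output format. The tool names (tool_a, tool_b, tool_c), the findings, the label-to-class mapping and the catalogue text are all constructed for the example. The de-duplication key is the canonical vulnerability class plus host, path and parameter, with scheme, host case, trailing slashes and query strings normalized away so the same issue reported via slightly different URLs collapses into one entry that keeps the highest severity and lists every tool that found it.

```python
"""Merge and de-duplicate findings from several assessment tools, then render
report sections from a catalogue of standard finding templates.

All tool names, finding records, label mappings and template text below are
constructed for this example; they are not the output format of any real tool.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Severity ordering used when two tools disagree about the same finding.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Tool-specific labels mapped to a canonical vulnerability class (constructed).
CANONICAL_CLASS = {
    "reflected xss": "xss_reflected",
    "cross-site scripting (reflected)": "xss_reflected",
    "sql injection": "sqli",
    "sqli": "sqli",
    "missing hsts header": "missing_hsts",
    "strict-transport-security not set": "missing_hsts",
}

# Reusable report text per class: the "catalogue" of predefined findings.
CATALOGUE = {
    "xss_reflected": {
        "title": "Reflected Cross-Site Scripting",
        "remediation": "Encode output for the HTML context it lands in and validate input server-side.",
    },
    "sqli": {
        "title": "SQL Injection",
        "remediation": "Use parameterised queries; never build SQL by string concatenation.",
    },
    "missing_hsts": {
        "title": "Missing HTTP Strict-Transport-Security Header",
        "remediation": "Send Strict-Transport-Security with a max-age of at least one year.",
    },
}


@dataclass
class Finding:
    tool: str
    url: str
    parameter: Optional[str]
    label: str
    severity: str


@dataclass
class MergedFinding:
    vuln_class: str
    host: str
    path: str
    parameter: Optional[str]
    severity: str
    sources: List[str] = field(default_factory=list)


def normalise_key(f: Finding):
    """Key on canonical class, host, path and parameter; ignore scheme, host
    case, trailing slashes and query strings so near-identical reports collapse."""
    parts = urlsplit(f.url)
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    label = f.label.strip().lower()
    vuln_class = CANONICAL_CLASS.get(label, "unclassified:" + label)
    param = f.parameter.lower() if f.parameter else None
    return vuln_class, host, path, param


def merge_findings(findings):
    """Collapse duplicates, keep the highest severity, record every source tool."""
    merged = {}
    for f in findings:
        key = normalise_key(f)
        sev = f.severity.lower()
        if key not in merged:
            merged[key] = MergedFinding(*key, severity=sev, sources=[f.tool])
            continue
        m = merged[key]
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = sev
        if f.tool not in m.sources:
            m.sources.append(f.tool)
    return sorted(merged.values(),
                  key=lambda m: (-SEVERITY_RANK.get(m.severity, 0), m.host, m.path))


def render_report(merged):
    """Render each merged finding with its catalogue title and remediation text;
    anything without a catalogue entry is flagged for manual write-up."""
    lines = []
    for m in merged:
        entry = CATALOGUE.get(m.vuln_class, {"title": m.vuln_class,
                                             "remediation": "No catalogue entry; write up manually."})
        where = f"{m.host}{m.path}" + (f" (parameter: {m.parameter})" if m.parameter else "")
        lines.append(f"[{m.severity.upper()}] {entry['title']} at {where}; found by {', '.join(m.sources)}")
        lines.append(f"    Remediation: {entry['remediation']}")
    return "\n".join(lines)


# Constructed sample output from three hypothetical tools run against one application.
SAMPLE_FINDINGS = [
    Finding("tool_a", "https://App.Example/search?q=1", "q", "Reflected XSS", "medium"),
    Finding("tool_b", "https://app.example/search", "q", "Cross-Site Scripting (Reflected)", "high"),
    Finding("tool_c", "https://app.example/search/", "Q", "reflected xss", "medium"),
    Finding("tool_a", "https://app.example/login", "user", "SQL Injection", "critical"),
    Finding("tool_b", "https://app.example/login", "user", "SQLi", "high"),
    Finding("tool_c", "https://app.example/", None, "Strict-Transport-Security not set", "low"),
    Finding("tool_a", "https://app.example", None, "Missing HSTS header", "low"),
    Finding("tool_b", "https://app.example/admin", None, "Directory listing", "low"),
]

if __name__ == "__main__":
    print(render_report(merge_findings(SAMPLE_FINDINGS)))
```

Run as-is, the eight raw findings collapse to four report entries. The label mapping is the piece that needs ongoing care: a label no tool has produced before falls through as "unclassified" and is surfaced for manual write-up rather than silently dropped or silently duplicated, which is the failure mode to watch for in any real de-duplication pipeline.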
6. Encourage more people to enter cybersecurity
I’ve noticed that there’s significant stigma shrouding the cybersecurity industry. Many potential candidates worry that they need to be a super-human tech expert or nerd. Mass media plays into that stereotype.
As industry professionals, we need to spread the word that people from all walks of life can potentially find success in cybersecurity. In fact, another of my colleagues astutely wrote that there are a number of personal attributes that can come together to make a person great in this profession. Someone who is a self-starter or is ambitious oftentimes makes a great team member.
Two traits that are harder to recognize at first are memory recall and curiosity. Individuals with strong recall, who can see patterns and relationships, usually have an advantage when it comes to thinking like an attacker and recognizing familiar trends while working on a client consulting team. And the highly curious person often has an innate drive to pick things apart, a skill that is fundamental to success as the technology landscape grows more complex by the day and emerging technologies keep opening new doors to attackers. The vulnerabilities are there; a curious person is more apt to find them so that remediation can begin.
Industry needs to work to prevent burnout
I may be biased, but I think cybersecurity professionals have the best job in the world. It is, however, more important than ever that organizations prevent the all-too-real risk of burning them out. Fortunately, that’s not only possible — it’s highly doable. Consider how to implement the above six methods to help close the industry’s staffing crisis.
About the author
Nabil Hannan is a managing director at NetSPI. He leads the company’s consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation, among others.