Increasing Retention Capacity: Research from the Field

Digital grassroots

Security professionals from academia and industry gather this week in Dayton, OH for the annual National Initiative for Cybersecurity Education (NICE) Conference and Expo.  NICE is a program of the National Institute for Standards and Technology, and focuses on the cybersecurity workforce, education, and training needs of the nation. As part of this conference, I am presenting my research on improving retention within the industry.

The security workforce shortage is well-publicized, and is only expected to grow. By 2022, the industry may face a shortage close to two million qualified security personnel. For the most part, improving the pipeline understandably dominates most discussions when looking for solutions to this shortage. However, all of the resources and work that goes into improving the pipeline will go for naught if the industry fails to address the retention challenges as well.

My research builds upon existing social science research on retention, including organizational change and cultural inclusion. In addition, I distributed a survey throughout August and September to infosec professionals via social media. Over 300 people responded, and represented a range of experience within the industry: three-quarters worked in the field over five years, and 35% eleven years or more. The survey findings and recommendations for addressing them are discussed in detail in the final white paper. Below is a summary of the key findings.

  • Ill-defined Career Path: The lack of professional advancement, a well-defined career path, and work that at times is not challenging were strong factors for respondents when considering leaving the industry, and why they left their previous employment.
  • Burnout: Stress and burnout, coupled with long hours, topped responses for reasons for leaving a position or considering leaving the industry.
  • Industrial Change: The industry culture is among the top reasons respondents consider leaving the industry. Discrimination and harassment at professional conferences far exceeded that found within company work environments. Moreover, males were significantly less likely to experience harassment or discrimination than non-males.

The white paper also covers a range of recommendations for organizations to improve retention, each aimed at addressing the three major findings from the survey. The recommendations are divided into mutually constituted structural factors (material constructs, institutions, environmental constraints) and agents (motives, ideas, and actions of individuals). There is no silver bullet, as social change requires efforts across both categories, as summarized below.

  • Structural factors: Corporate policies (e.g., performance metrics, PTO, social events); Conference culture & representation; Visual cues (e.g., workplace, marketing materials)
  • Agents: Leadership (e.g., by example, policies & values); cultural entrepreneurs (grassroots leadership to shape culture, provide accountability, social capital)

Although the survey analysis highlighted significant challenges, security has a core, competitive advantage: the mission. The mission is a key motivating factor for retaining talent across industries, and ranked as among the most important factors in the workplace among half the respondents. By focusing on the mission and addressing the key challenges, not only can retention rates dramatically improve, but it will also reinforce many of the ongoing pipeline efforts and truly begin to hack away at the workforce shortage.  Security professionals want to stay in the field - let’s help make it easier.