How to Hire and Retain Qualified Cybersecurity Professionals - Part 3

The commentary below is an excerpt from a longer white paper being produced by the Silent Sector team on how to hire and retain quality security and, by extension, IT resources. This excerpt addresses retaining the professionals you've hired.

The Issue:

Currently there are far more open IT jobs than there are qualified IT resources to fill them. This has created a seller's market and put the job market in the hands of the resources, not the employers. Regardless of the market, however, most IT organizations are running very lean teams, and security, since it is not part of IT operations or the "Keep The Lights On" (KTLO) team, often runs leaner than the rest of the IT organization. Simultaneously, security threats are increasing exponentially in quantity and complexity, and qualified IT and security staff are scarce. By the year 2021 it is estimated that there will be 3.5 million unfilled cybersecurity positions, and the annual cost of cybercrime is estimated to be nearly 6 trillion dollars.

OK genius, you told me what they want, that I have to pay them more, and how to attract them. Now how do I keep them?

Qualified, quality security and IT resources are scarce, and demand continues to escalate, which creates two problems: how do I find them, and how do I retain them once I do? There is no true magic formula, since IT resources all have different driving factors behind their career decisions. Some stay in jobs because they don't know there is anything better out there for them. Some are happy performing the same tasks for 35 years and then retiring, but those would be considered drones. While you may need drones for the company to survive, what you really need are rock stars to lead your IT and security teams. To find and keep those rock stars, you need to be creative.

The traditional work model of corporate America, which has been around since… well, forever… may work in certain divisions of your company, but it isn't going to continue to work for IT. Engineers and musicians have much in common, and IT resources can likewise be compared to artists. IT resources are highly intelligent, inquisitive, and creative. They consume more information in a day than most people do in a month. They work best in task-oriented small groups (2-3 resources) or alone.

No matter how you look at it, they're different from your other staff. If you don't believe me, think about this the next time you walk through the IT section of your company. Notice the different feeling; the first thing you'll feel is that you are an outsider. Next you'll notice the comic books, the Star Wars (or Trek) or gaming character figures on their desks and in their cubes, the screen savers, and the stickers on their laptops.

I am going out on a limb and will say that as you walk through accounting or legal, or for that matter even the sales department, you aren't seeing the same thing you see in the IT department. In short, one way to keep your IT staff is to not force them into the rigid 9-5 corporate structure.

Below are some suggestions that will give you a leg up on the competition trying to hire your best resources away from you. Keep in mind, these suggestions come from someone who has been in IT since the pre-dot-com era and has worked as a consultant for much of that time. I have been in hundreds of companies and seen both good and bad. Now I'll share what has proven effective…

  1. Ask them to describe their ideal working environment - I know we have all seen that before, but take your team out to lunch, in small groups if you have a large team, and really ask them, "What would your ideal working environment be?" Then work to make it happen. Your effort in that direction will go a long way in establishing loyalty and trust.
    I would bet the mortgage payment they're not looking for a cubicle farm buried in the basement of some high rise where they never see the sun. Nor will the environment be anything cubicle-related, especially those short ones or shared ones where you have no privacy! Whose stupid idea were those anyway? I don't care what the latest study from some university says about how they enhance creativity; they are just plain dumb. Sorry, that's a rant for another time.
    1. When you arrive at a consensus on an ideal working environment, be that awesome leader who makes it happen.
    2. If you can't make it happen, make sure to get at least something off their top 10 list and show them you tried. Still slightly awesome. Feel free to blame Carl in accounting for not being able to get them everything they wanted.
    3. If you have established that you are a leader willing to listen to them and fight for them, that attitude toward the boss among a new hire's peers will go a long way in retaining a resource.

  2. Don't micromanage your rock stars - You know who your rock stars are, even though they may not know it yet. If they are a newbie or a beginner, they will have the attitude that they are right and will work to prove it. To be honest, the drones most of the time need to be micromanaged, but you need the drones to keep the organization running. I am sure there are rock star drones out there somewhere; they probably work in Silicon Valley and make more than you do. Still, they would need more direction than the rock star team members who are going to drive your success and win you IT Leader of the Year. If you give them the freedom to be creative, and support that shows you are more invested in your team's success than in your own, they will make you more successful in the long run.

  3. Freedom and control over their schedule - IT can be tedious, no matter how much you love your job, especially when it comes to writing code, reviewing log files, writing documentation, etc. Your resources need to work when it is best for them. That's why I am writing documentation at 10PM in my dark office drinking scotch and listening to Jimmy Buffett. For some reason that just works for me for documentation; if I had to sit in a cube from 7-4 and try to do the same writing, it would take me 3-4 times as long and would be nowhere near the same quality. I am not talking about this little tome you're reading, I am talking about writing Data Security Policy, Information Security Policy, Key Management, etc. … you know, the really exciting stuff. When your people are working in comfortable surroundings, that's when they are most productive.
    1. Long story short: allow your people to work in the way that maximizes their effort. If you have resources that are night owls, don't make them come in at 7am, because you will lose productivity until at least 10am when their body clock switches on. If you have resources that work better during non-traditional times, let them work those times, with the caveat that if they are needed for an early morning meeting they need to join, but can do so remotely. You can always tell if they are getting their work done.
    2. You may also have resources that want to pick up their kids after school or take them to school in the morning. Be sensitive to those people as well. They may need to work in the office from 8-2 and then remotely from 3:30-7. Being flexible will pay off in multiples.

  4. Working remotely - I told you we were going to get back to this. Gone are the days when your IT staff was actually in the building, or needed to be in the building where your computers are; the servers are most likely in a data center. The exceptions, of course, would be small shops, help desk resources that need access to the end user computers, and of course the data center people, all 10 of them in a 400,000-square-foot building somewhere.
    Let me start with the caveat that working remotely is earned. You must know that you can trust your resources to actually work, not just load a mouse jiggler on their laptop and play Fortnite. That being said, allowing your trusted resources to work remotely even 2 days a week (if they want to; not everyone does) will differentiate you from other companies. It'll keep them around when another company offers them $10k more per year but life in a cubicle.

  5. Working remotely from another city - I touched on this earlier: due to the scarcity of resources and people's unwillingness to relocate, it may be necessary to hire a resource to work remotely from another city. I know it sounds scary, but I worked for one of the largest banks in the country, if not the world, and never met my boss or teammates face to face. We did great work and worked well together. It wasn't just me, either; we had only one city where there was more than one resource from the team. We even had one guy driving around the country in a Prevost with a dish on top, working from wherever he happened to be that day. There are always ways to work with this situation, such as requiring video conferencing (I've got funny stories about that for sure, but this isn't the time or the place), flying them onsite for a week every month during their probationary period, and reducing the frequency from there.

  6. Team building exercises - First make sure that you are doing something your team wants to do, and then consider just letting your team go out on their own, on the company's dime. Determine where they are going to go (bowling, a baseball game, paintball, etc.), give them a budget that can be spent at that location, and let the team bond without you being there.

  7. The less creative but obvious ideas - keep your compensation and benefits in step with the market, pay for training and/or CPE, and keep your word.



These are just a few suggestions that work to retain staff in an environment where employers are competing for the best resources. Not everyone is going to stick around because you have silly hat day or Hawaiian shirt day every Friday, casual Fridays, or even allow… JEANS and T-shirts instead of business casual (scandalous, I know). Every resource is going to be different, but if you are creative, establish a comfortable working environment for them, and keep up with the market for pay, you should be able to retain 80% of your resources. This will make your job much easier because you will have a team you can rely on and trust.


About the Author

Written by Michael Rotondo

Senior IT resource with experience in all aspects of IT, from entry-level help desk to architect, who lived and thrived through the dot-com era and crash. CISSP - Certified Information Systems Security Professional, CRISC - Certified in Risk and Information Systems Control, CEH - Certified Ethical Hacker, CPT - Certified Penetration Tester, PCIP - PCI Professional.