According to two recent studies from ESG/ISSA and Infosec, that sentiment is real amongst the majority of today’s cybersecurity professionals, leading to high levels of employee stress, fatigue and turnover. While the causes of the cybersecurity skills shortage and its impact on job satisfaction vary by region, the reality is this challenge is faced by nearly three quarters of organizations globally. The good news is many of these issues can be addressed — partially or in whole — by delivering the training and career guidance cybersecurity teams want and need. Here are four things you can do right now to boost employee job satisfaction and retain and attract the talent you need to bridge the cybersecurity skills gap at your organization.
1. Create clear learning paths — and give employees time to learn
In Infosec’s 2019 Cybersecurity Industry Report, 785 security professionals were surveyed about their short- and long-term career goals. Six in 10 respondents lacked a clear career path and 34% lacked confidence in their career goals. Unsurprisingly, security professionals with “a clearly defined path to advance their career” were more confident in their career goals, more confident in their cybersecurity skills and spent more time learning compared to peers without a clear career pathway. Interestingly, ESG and ISSA’s 2019 study, The Life and Times of Cybersecurity Professionals 2018, revealed that “while 93% of survey respondents agree cybersecurity professionals must keep up with their skills or else the organizations they work for will be at a significant disadvantage against cyber attackers, 66% claim that cybersecurity job demands often preclude them from skills development.” By proactively helping your employees set learning goals and career-path milestones — and giving them adequate time to learn new skills — you’ll help boost job satisfaction. Furthermore, the ability to better keep pace with the rapid rate of technology change will boost employee confidence in their skills.
2. Develop new talent to ease the workload
Just 8% of the respondents in Infosec’s 2019 survey began their careers in an information security role. With people coming into the field from a variety of different backgrounds, it’s not surprising that many organizations are looking outside traditional talent pools to fill open and new security positions. According to Harvard Business Review, companies like IBM are creating new cybersecurity roles that “prioritize skills, knowledge and willingness to learn over degrees and the career fields that gave people their initial work experience.” They cite the importance of sourcing “unteachable” skills like curiosity and problem solving when filling open security roles, while also reinforcing the need for continuous learning. Whatever your approach, establishing a unified framework similar to the NICE Cybersecurity Workforce Framework will help both new and seasoned security professionals build confidence, gain new skills and transition more easily into future security roles. A unified framework also helps keep employees engaged in skill development while reducing churn — an initiative of increasing importance considering over 75% of security professionals are solicited by recruiters at least monthly to change jobs.
3. Remember the soft skills
New insights into the security skills gap suggest a lack of soft skills like communication and leadership might be the security department’s Achilles’ heel. With 23% of security professionals reporting a lack of knowledge of important cybersecurity challenges at the executive level, it’s easy to see how better communication from security teams could improve an organization’s overall security posture. When building your cybersecurity employee development program, remember that an effective security strategy requires more than just investment in technical skills and tools. Business acumen and emotional intelligence are just a couple of the soft skills needed to both obtain executive buy-in for new initiatives and ensure other department leaders understand the impact of wider-reaching programs like employee security awareness and training.
4. Build a culture of security at every level in your organization
It’s widely accepted that human error continues to be the leading cause of data breaches. But what’s often overlooked is that most of these mistakes could be avoided with the right security education for the right people at the right time. When prompted to disclose the common causes of breaches at their organizations, 34% of respondents in the ESG and ISSA study cited a lack of end-user training while 24% said they can’t keep up with a growing workload. Cybersecurity education for everyone at your organization reduces the chances of preventable incidents like accidental disclosure while also better equipping the security team to manage the tools and assets under their protection. By enlisting help from others outside of the security department through initiatives like a security champions program, you can relieve some of the burden from security teams while increasing job satisfaction and retention. With an effective, role-based security training program for all employees, you can upskill employees and retain talent while building a culture of security across your entire organization.