This blog post on developing and retaining security professionals at your high growth technology company is part of a multi-part series on designing an information security program in alignment with your most important business objectives. You can also watch the webinar or listen to the podcast that accompany each blog post for more ideas.

CISO Role (Part 1) | Security Org Structure (Part 2) | Budgets (Part 3) | Business Cases (Part 4) | Build a Team (Part 5)

Employee engagement is the key to employee performance and retention. As a security leader, it is easy to focus on the technical parts of the job, but ultimately, the success or failure of your entire security program hinges on your ability to build and retain a highly engaged team.

What is Employee Engagement and Why Should I Care?

Employee engagement is the extent to which employees feel passionate about their role and responsibilities, are committed to the organization, and put discretionary effort into their work.

Based on every study worth citing (many are linked in this post), employee engagement is the key to retention. And retention is the key to a successful security program. We will spend most of this post talking about how to drive engagement in support of your security program.

Why Should I Care?

If you are not bought in yet, let me explain why you should care. Employee engagement is the key to recruiting and retaining your security team for the long haul. And retention, dear reader, is the life blood of a security program. This is not just touchy-feely stuff either. There are data and hard numbers to back it up. Consider the following:

  • Cost to the Organization – Studies show that losing an employee can cost the organization upwards of 216% their salary. For key cybersecurity personnel charged with maintaining certifications or regulatory programs that drive revenue, this cost could be even higher.
  • Loss of Productivity – A McKinsey study on the global workforce noted that for highly complex jobs, like cybersecurity, turnover significantly impacts productivity. If your organization is having trouble making headway on security initiative, is loss of productivity due to retention the root cause?
  • Low Morale, Workplace Toxicity – The same McKinsey study revealed that high turnover leads to “workplace toxicity”. Workplace toxicity reduces employee engagement, productivity, and satisfaction. Further, toxicity spreads like wildfire and will degrade an entire security program.
  • Lack of Continuity – In the context of security, most activities in one, three, and 12-month cycles and require context. When turnover happens, there are gaps in controls and institutional knowledge. How many security incidents have been the result of a missed patch or a system access issue?
  • Significant Competition For Candidates Who Lack Necessary Skills – Based on a study performed by ISSA, 70% of organizations report an increasing cybersecurity shortage, report that available candidates do not have the skills to do the job, as well as an average tenure of just 24 months. This means you are likely paying top dollar for candidates that do not have the skills needed to do the job. To have any chance of growing a solid security team, you must recruit the best candidates you can, train them in-house, and keep them for as long as possible.

I am convinced the only way to solve the security talent problem is engagement and retention – and only leadership can prioritize it. Engagement must be your top priority. The consequence is a vicious cycle of turnover, a challenged security program, and more security incidents.

Engagement Chart

Part 1: Recruit and Hire ‘A-Players That Want It’

You cannot make people want it. You can certainly inspire people, you can help them see a vision, but you cannot train for that fire than burns in the belly of so many top performers. The only thing you can do is build a recruiting process that increases the odds that ‘A-Players that want it’ will want to work with your organization.

Here are four steps to increase your chances at attracting the best candidates:

1. The Hero – Define How the A-Player Will Contribute to a Shared Vision

Security job descriptions are boring and rarely do a good job reflecting the reality of the position requirements. Instead, view a job description as a creative marketing document aimed at telling a story to the candidate. The “Hero Job Description” can contain all of the elements of a typical job description, but it should explain why a career at your place of employment is a worthy mission, how they will be a hero in this journey, and the exciting outcomes of accepting the position.

The job description should be authentic. The intent is not to paint a picture of a position that does not actually exist, but rather to inspire a vision for one that does.

2. Real Knows Real – Ask Top Performers to Refer a Friend

Top performers are eight times more productive than the average employee. And top performers want to work with other top performers. As a result, one of the best ways we have identified top talent is by asking our team members “Who is the #1 person in your network you would hire today, if you could?” Then we go about trying to hire that person.

Individuals tend to attract and keep company with people of similar caliber and character as themselves. If you have ‘A’ players on your team, ask them for a referral to ‘A’ players in their network. An added benefit is that research shows that people are more engaged and stay longer at jobs where they “have a best friend at work.”

3. Leave No Doubt – Provide Evidence of Engagement

At risk3sixty, we talk a lot about “leaving no doubt”. That is our way of saying that it is not enough to make a claim – you also need to back it up. Do not just say you have an awesome culture – have an awesome culture. No bait-and-switch. This level of authenticity is much more sustainable.

So, if you want to attract top talent, be prepared to show them why they should work with your team. Consider the following proof points for your next interview:

  • Testimonials from employees, clients, and stakeholders
  • Photos and videos from events
  • Examples of prior projects and work performed

4. Develop a Proven Interview Process That Identifies Engagement Potential

If you want to build a great team, you must have a proven process to identify candidates that you want to work with AND who want to work with you.

At risk3sixty, we have adopted a modified version of the “Get it, Want it, Capacity to do it (GWC)” interview process popularized by Gino Wickman in the book Traction. You can read about risk3sixty’s GWC + Core Values process in our blog post on the subject.

GWC Chart

If you are developing an interview process, here are five traits I consider non-negotiable in vetting a candidate.

  • Get It: People either “get it” or they do not when it comes to their role, the company culture, and the systems that are in place. Not everyone gets it. Find the ones who do.
  • Want It: When someone genuinely likes his or her job, it shows. They take the time to understand the role, they embrace the responsibility, If you find yourself having to beg someone to take a role, you are going to end up with someone who does not genuinely want it. Hire people with a fire burning in their stomach.
  • Capacity: It’s not just about having the knowledge to do the job, but also the time and physical, mental, and emotional capacity to do the job well. Some roles may require more hours than a person is willing to work each week or it may require skills that a person simply does not have. It is best to ensure that the role suits their capacity before making a hire.
  • Core Values Match: Fit should be assessed against defined core values as identified by your company or specific to your team. This should be a formal assessment against defined values, not a popularity contest or assessment of the candidate’s likability. You should design specific interview questions in alignment with your group’s core values. (You have defined core values, right?)
  • Writing Ability: Beyond a few email exchanges, the ability to formally communicate is rarely assessed during an interview. A simple case study will help measure writing ability, problem solving, and creativity. Taking the time to return a case study is also evidence the candidate “wants it”.

Once you have recruited a top-notch team, the next step is to keep them for as long as possible. Retention is largely driven by leadership’s ability to drive engagement.

Part 2: Develop and Retain Your Team Through Engagement

Research performed by Gallup of more than 82,000 teams, over 1.8 million employees, in 230 organizations, across 49 industries, and in 73 countries, indicated higher employee engagement results in:

  • 59% Less Turnover
  • 10% Higher Customer Satisfaction
  • 70% Fewer Incidents (e.g., policy violations)
  • 21% Higher Profitability

In the context of information security, the security leader must own employee engagement. It is not a duty that can be abdicated to Human Resources. So, the question becomes: if leadership owns engagement, how do you “do” engagement?

Here are five must-haves you should consider:

1. Reporting Structure and Position Visibility

Many security organizations lack clear reporting structure. The organizational chart is filled with “dotted lines” and unofficial reporting structures leaving the security team with no clear boss, no clear authority, inability to make decisions, and no advocate on the executive team.

This marginalizes the security organization and the people in it. Top talent will not stay at a dysfunctional organization, and a lack of defined reporting structure is often the root cause.

Defining the organizational structure (check our part 2 of this series for more on this) is critical for the health of your security program and key to keeping talented employees excited about their prospects with the organization. “A-players” want a seat at the table and an opportunity to make an impact. (27% of employees leave because they want to do more meaningful work.)

Here are a few simple ways to increase your team’s impact and exposure with executives:

  • Define a clear reporting structure
  • Provide opportunities to own all or parts of board-level updates and presentations
  • Own key performance indicators (KPIs) that go directly to leadership
  • Own all or parts of projects that will have leadership-level visibility
  • Name-drop team members who contributed to a project’s success
  • Invite team members to sit in and/or contribute to leadership updates
  • Invite team members to lunch/coffee/office visits with other executives
  • Consider rotational programs with Internal Audit, Information Technology, or Operations

2. Define Roles and Responsibilities

Too many security professionals are brought into organizations with no clear understanding of their roles and responsibilities. Either the position is a catch-all for everything security and compliance or the employee will be pigeon-holed into a single task that will quickly become mundane.

In part 1 of this series I wrote about how to design a CISO role. You can refer to that blog post if you would like to think through techniques to design a role for your security team members as well.

3. Paint a Clear Vision of Career Progression

As a leader you have to be the visionary of your group. Part of that vision must include the career trajectory for your team members. Help them understand where they are going and how they can get there.

Career progression must be authentic. It must be more than a job title change. It must come with additional responsibilities, more visibility, and additional compensation. This type of path requires significant planning on behalf of leadership.

Admittedly, this is not an easy task. Top performers have high expectations and leaders are constantly challenged to provide coaching, new opportunities, and meaningful work to keep team members engaged.

Here are a few things to consider when building out your team’s career vision (below is an example of what we have at risk3sixty):

  • Start by career-mapping each position from entry level to management. Many positions will have a ceiling and require the candidate to choose alternate paths based on their preferences. (e.g., management vs. technical routes)
  • Define success criteria for each position. This does not have to be perfect and will likely evolve over time.
  • Define criteria to get to the next level. The biggest shift is typically between individual contributor and manager.
  • Provide a time range for career progression.
  • You do not have to build-out every position at once. A good time to build out this type of material is the months leading up to a new job posting for a new position type. Ideally it is great to have this material ahead of interviewing candidates so I can use it as collateral during interviews.

Position Graph

4. Formalize Development, Performance Review, Coaching, and Mentoring Cadences

The difference between a good leader and a great leader is the extent to which they are willing to dedicate their time to develop others.

As you become a leader, success is no longer self-centric, but instead hinges on your ability to facilitate the growth and success of your team members. One of the best ways to help your team grow is through a formalized coaching and mentoring relationship. Great mentoring relationship and development plans include the following:

Traits of Effective Coaching and Development

  • Genuine Interest: The coach should have a genuine interest in the individual’s development. That does not imply that the coach is required to “be friends” with the mentee; however, the coach should be willing and able to dedicate significant time and thought into the mentee’s development.
  • Career Development Plan: Formalized and documented career development plan. The career development plan should consider the individual’s career goals and outline a path to obtain them.
  • Performance Reviews: Formalized and transparent performance review process based on a defined set of criteria. At risk3sixty, we like to have a mix of core values alignment, contribution to the business, and project performance. The U.S. Army has a great overview of their evaluation criteria which I highly recommend reviewing and leveraging as inspiration.

Coaching and Development Cadences

  • Quick Connects – One-off meetings that occur during the normal course of business. Use these as ways to check the pulse of the business.
  • Check-Ins – Scheduled meetings, often over lunch or coffee, that offer more time for a deeper conversation.
  • Developmental Coaching – Developmental coaching should be accompanied by a formal agenda and check-in on the individual’s career development plan, prior coaching points, and goals. Developmental coaching should be candid and leave no room for surprises when it comes time for formal performance reviews.
  • Formal Progress/Performance Reviews – Formal reviews should be measured against defined criteria understood by both parties.

“Coaching is primarily accomplished through ongoing coaching conversations. The five coaching conversations that drive performance include role and relationship orientation, quick connects, check-ins, developmental coaching and progress reviews. And, the frequency of these conversations matters.” – Gallup

5. Create Opportunities for Deep Bonds and Crucible Experiences

Shaping teams through shared adversity is nothing new. The U.S. Army has been using basic training to turn diverse groups into cohesive teams for over a hundred years. They have turned the concept of assembling, normalizing, and sustaining teams into a science.

According to their research, teamwork is a continuous process of formally establishing purpose-built teams and building shared trust, competence, commitment, confidence, and goals. And while there are many methodologies used to build these components, shared adversity has proven to be an effective methodology to authentically expedite and deepen team relationships.

Out of the mutually shared hardships and dangers are born an altruism and generosity that transcend ordinary individual selfish interests.

At risk3sixty, we consciously do hard stuff together. For example, every October we do a 100-mile relay race through the North Georgia mountains. The race starts at midnight and lasts about 16 hours. It is “a real gut-check” as some of our military veteran team members like to say. Not everyone runs, but everyone participates (logistics, moral support, etc.). We wrote an entire blog post on shared adversity you can read here.

Conclusion

Employee engagement is the key to employee performance and retention.

And the success or failure of your entire security program hinges on your ability to build and retain a highly engaged team. As security leaders we have to shift our mindset and become executives, not just subject matter experts. If we cannot build and grow a team that supports the business, the profession will be marginalized and rendered ineffective.

The choice is ours. Choose to be an executive – a leader of people – and lead the way in developing a world-class security program.