April 9, 2020

Last Updated on January 15, 2024

In one of our recent episodes of our show, “The Virtual CISO Podcast” , Pivot Point Security CISO and Managing Partner, John Verry, spoke with cybersecurity hiring expert Deidre Founder and CEO of CyberSN on the talent shortage in our industry and what companies need to do about it.

This post focuses on how to make sure your business can attract and retain good cybersecurity people.

According to Deidre, the number one thing you need to do to retain information security talent in today’s job market is career planning. “And it’s so number one you can forget about everything else,” Deidre quips.
She then offers the critical insight that nobody really wants to job-hop: “Leaving a job is not something fun. Deciding to leave, looking… It’s super emotionally challenging. People don’t want to do it ‘just because’—they do it because they can’t see how to get ahead. We all want to achieve. We all want to make more money; we all want to grow our skill sets. And if that’s not happening, then people will long for that, they’ll look for that, and when calls come in, they’ll take those calls, if they don’t have that plan for themselves.”
Hearing her words, we all know they’re true for us, too. It just makes sense. We need space and encouragement to grow; otherwise we’re stagnating and/or burning out, and that doesn’t feel very good. So, what are people looking for when they leave a job? Basically, someone who (they hope) will take better care of them than their current employer.

So what is exactly career planning and/or career development?

Deidre explains: “It starts with the hiring process. What’s your story? Is it true, is it in place, are you prepared to really back it up? “We’re taking people from jobs!,” Deidre emphasizes. That means we’re accountable and we’d better walk the talk.
We’ve all heard the truism that “People don’t leave jobs; they leave managers.” Deidre explains the deeper truth in that statement: “The manager is responsible for career path development. Everybody’s in leadership. Everybody ought to act like a leader. Leadership traits ought to be in any human who comes to work and wants to be successful. And a manager is the person who manages the success of his or her people—which is really about career planning.”
“Training shall not ever stop,” Deidre further emphasizes. “Ideally you’re always being trained and developed. So, if you get promoted then there is more training to be successful in that role.”

“The key takeaway here is that to keep good people, companies need to plan for keeping good people, and then execute on that plan on a daily basis so that it works.”


But many organizations don’t invest in their InfoSec people like that. They’re already short-staffed, and whatever budget they have they think they should spend on tools. But what good are tools without people to operate them effectively?
Deidre brings the key point home: “Succession planning is a strategy and when you go to implement it, it really comes down to what is somebody doing on a daily basis or an hourly basis? Such that you can manage their time well enough that they don’t burn out or get overwhelmed and have the benefit of a succession planning program. So, getting into the details of tasks and projects that we give to professionals in general need to be clearly defined and documented.”
The key takeaway here is that to keep good people, companies need to plan for keeping good people, and then execute on that plan on a daily basis so that it works. Management needs to be involved and budget needs to be allocated. Otherwise it’s just talk, like a security policy that’s not operationalized. So, the impact on company culture is massive.
Speaking of company culture, Deidre had some fascinating insights on that issue, too. Look for that in a future post.
Stay safe out there!