Can security employee tenure be improved by CISOs?

Security employee tenure is shorter than in most industries. Expert Mike O. Villegas outlines five budget-friendly steps CISOs can take to help lengthen it.

The average employee tenure for IT jobs is said to be about three years. Do you think the tenure length for IT security jobs is higher or lower than that, and why? What are some budget-friendly ways to keep talented professionals in those IT security jobs?

According to the U.S. Bureau of Labor Statistics, or BLS, every occupation within the computer and mathematics occupations group is expected to experience job growth through 2022. The BLS has also reported that the median tenure of employees between 25 and 34 years old with a bachelor's degree is three years. This appears to be a millennial phenomenon, since the median tenures for the age brackets of 35 to 44, 45 to 54 and 55 and older are 5.7, 8.7 and 11 years, respectively.

One interesting statistic is that there is usually a higher turnover rate for employees with more advanced degrees -- and the technology industry has the lowest average employee tenure. Because of this, employers have retention challenges that affect hiring practices and training budget allocations for cybersecurity professionals. The question is whether they should hire seasoned and experienced professionals for cybersecurity jobs or spend the budget on building up internal skills, knowing that in three years the cybersecurity staff will likely realize their worth and look for higher-paying jobs elsewhere.

So what can CISOs and cybersecurity managers do to improve employee retention with a limited budget? The answer to that question is complex, and may be particular to your organization's business model, industry and culture, but there are certain steps CISOs can take that can help their enterprise deal with this employee tenure challenge.

  1. Contribution -- Teach your staff that being an agent of change brings greater satisfaction to the job regardless of whether the rest of the company is aware of their contribution.
  2. Compensation -- Obtain compensation studies from recruiting firms for cybersecurity positions in your region and industry. Pay staff market rate salaries for their job responsibilities.
  3. Recognition -- Recognize your staff publicly in newsletters, personally name them in management meetings when appropriate, allow them to participate in projects, and give credit to those who had a direct hand in special project achievements. This builds pride and team unity.
  4. Development -- Encourage staff to seek cybersecurity certifications using self or group training. Develop a specialty for each of the members where they can become a subject matter expert.
  5. Lead by example -- Be an example to your staff. Allow them to see your passion for your work and your sense of accomplishment. If you do not believe in what you do, neither will they.

Use all of these steps as positive reinforcements for growth and motivation. Make your staff's jobs challenging and exciting so they feel a commitment to their job, their profession and to you in performing their job responsibilities.

Work on obtaining the proper budget for salary, training and tools. However, regardless of your budget, if you focus on the mentioned areas, you will improve employee tenure, satisfaction and the overall protection of critical assets.

This was last published in December 2016