
How important is a security staff retention strategy?

Developing a staff retention strategy for your security team is a good idea. Expert Joseph Granneman explains some techniques for keeping security talent.

A recent headline claimed that nearly two-thirds of all IT staff members are actively looking for a new job within the next two years. If this applies to security teams, then security managers need to be prepared to lose more than half of their staff. What can companies do to prepare for ongoing staff departures? How could they potentially prevent it?

There can be a lot of disruption to an organization when a long-standing employee leaves for another opportunity. There is a limited supply of trained information security professionals available, so there is a good chance that many staff members will be leaving within a few years. Although a little turnover can be healthy for an organization, security managers are going to have to try some new tactics to retain top talent and keep their departments from becoming a revolving door. Some changes to departmental procedures may be necessary to maintain information security integrity when key personnel inevitably move on to new opportunities.

A more effective staff retention strategy to keep top security talent is to offer access to training and conferences. Good security practitioners want to continually improve their skills and learn from other security experts. Many security managers are paying for staff to attend popular security conferences like DEFCON or Black Hat. Companies that lack the budget for formalized training can use other creative ways to reach the same goal. Managers can ask for staff volunteers to research a specific security topic and present it back to the group on a regular basis. This not only promotes learning but also helps create camaraderie between employees.

Most people tend to stay or leave their jobs based on their relationship with their manager. This is just as true in information security as it is in any other profession. That is why it is critical for information security managers to build positive working relationships with their staff. Managers should provide feedback to employees and help them to structure and obtain their career goals. Ask staff to be involved in department decisions and contribute to the overall information security strategy. This type of inclusive management, when done well, may do more to retain staff than any other strategy.

Even with the best staff retention strategies, security managers are going to lose good employees to other opportunities, so they must be prepared. Departmental processes must be thoroughly documented so that any team member can perform them; in addition, such documentation will help give new employees a firm grasp of their roles and responsibilities. Managers can also rotate the responsibilities for running recurring processes to other team members, which increases bench strength and offers cross-training opportunities. Proper documentation is critical to help reduce the impact when a valuable employee leaves the organization.

The increasing demand for experienced information security professionals will continue to drive turnover. Although some turnover is healthy, there are ways for managers to retain top talent in the organization. They can offer access to training and conferences to increase employee skill levels. They can build an inclusive management culture in their department based on employee feedback and career goals. Managers will still have to face the harsh reality of losing good employees and should be prepared with detailed documentation and rotation of responsibilities. Good security teams should be able to survive a changing roster.


This was last published in December 2014


Does your organization use a staff retention strategy? If so, what is it and is it effective?
I think employee retention strategies work if those strategies are centered around the needs of the employees. I think it is a good idea to have a daycare center on site if a company wants to employ working parents. I think the concept of employee retention can also be centered around trust and passion. I think if employees are given more responsibility, they are more likely to become emotionally invested within the company.
I answered this in my blog post "Your First 30 Days in the New Gig (and if You’re on the Old Gig, They Begin TODAY)"

In general, when salary, benefits and other side “perks” are not part of the equation, tend to respond with one of these three things:

  • They want to learn something new.
  • They want to be challenged and do better.
  • They want to be surprised again.
Employee retention is much less an issue of "what perks do we offer" and more of "do my people feel they are in a place to thrive and feel their contributions are meaningful." Some options such as flexible hours or the ability to work from home to help with scheduling issues can be a help, but if the previous three items aren't being met, they are far more foundational issues than whether or not you have a workout facility or artisan coffee ;).
Retention of security staff is key. When staff leave, you lose that corporate knowledge they gained during their time at the company, regardless of what area they work in. This can be a bigger problem for groups like security, that are rapidly changing to address not only evolving security threats, but also an evolving IT infrastructure.