Enterprise information security employee retention strategies

Expert Ernie Hayden offers employee retention strategies. Learn how to keep good enterprise infosec staff for the long haul.

Experienced security professionals in the workforce today have many excellent opportunities. In the most recent global information security workforce study, conducted by (ISC)2 Inc. and Frost & Sullivan, Frost & Sullivan forecast a double-digit annual growth rate in infosec hiring over the next five years. This year alone it projects that more than 300,000 new infosec positions will be created around the world, so skilled infosec workers will have no shortage of opportunities for career advancement.

CISOs must have employee retention strategies in place; retaining good talent should be a top priority. It's important not to take workers for granted. For starters, a CISO should take the time to learn the career interests of his or her staff so as to provide them with opportunities to grow. A talented security analyst probably won't want to remain in that role forever, so giving that person a chance to work on architecture design or policy development not only helps prepare him or her for a more advanced position, but also demonstrates that the organization is committed to the growth and development of its employees. Employees who see that are more likely to feel appreciated as valued members of the team, which increases job satisfaction and ideally makes them less likely to look at job opportunities outside the organization.

In addition, make sure that security professionals are compensated appropriately. Security salary surveys performed by the larger accounting or consulting firms can guide human resources' salary decisions. Knowing what the local competition pays is also very important to remaining competitive. Additional bonuses or perks that help retain infosec staff could include opportunities to attend major security events such as the RSA Conference, held every year in San Francisco. Alternatively, paying for advanced education such as SANS Institute courses or university classes can be considered. Paying for CISSP certification "boot camps" and annual certification fees is fairly inexpensive when viewed strategically, and it demonstrates to staff that corporate management values the certification.

A CISO, often among the most experienced security pros on the staff, should take on the role of mentor. Be sure employees are introduced to the key players in IT, legal, public relations, human resources, treasury, accounting (credit card management), engineering and operations/production. These managers need to see that new employees, in particular, are supported by the CISO and that security is important. By taking the time to do the tours and introductions, the CISO also lets new employees hit the ground running. I've noted in my past SearchSecurity articles that one role of the CISO is that of the corporation's security conscience. By making the important internal introductions, the CISO positions the new employee as an extension of his or her security focus and conscience.

From the editors

See our companion article: Mining for infosec talent: How CISOs can fill security positions

Still, turnover is a reality in any organization, so it's wise to have a pipeline for new talent coming into the organization. One employee retention approach is to offer internships for information assurance trainees or candidates. There are many students in undergraduate and graduate information security programs who are willing to spend time learning about information security from the inside -- even at no pay. These students learn the ins and outs of the organization while the CISO identifies key players who possess excellent technical knowledge and who are well liked by co-workers and other members of the enterprise staff. These candidates are truly diamonds in the rough and should be considered for employment.

Lastly, CISOs need to take the time to introduce security staff to other CISOs and their teams -- in the region, through CISO forums, other regional security meetings and the like -- to help establish a strong network among local infosec staff members who do similar jobs. This may seem counterintuitive because there is always a risk of losing employees to other companies, but CISOs may be surprised by how loyal employees are when their CISO is willing to take the time to be a mentor and supporter.

About the author
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for over 12 years in information security, cybercrime and cyberwarfare, business continuity and disaster recovery planning, leadership, management and research in conjunction with his 35-year professional career, primarily in the energy and critical infrastructure protection business. Based in Seattle, Hayden holds the title of managing principal -- critical infrastructure protection and cyber security on Verizon's RISK Team, devoting much of his time to energy, utility, critical infrastructure and smart grid security on a global basis. Prior to this, Hayden held roles as an information security officer or manager at the Port of Seattle, Group Health Cooperative and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice in his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at

This was last published in April 2013
