The Key Practices to Reduce Turnover and Shorten Time to Fill Positions

Dave Stirling, Chief Information Security Officer, Zions Bancorporation

Talk to any cybersecurity leader these days, and the difficulty finding talent to fill key positions is likely to be a top concern. The US Bureau of Labor Statistics projects a 33 percent increase in information security analyst position demand over the next ten years, and that’s on top of the thousands of current unfilled openings. These unfilled positions place a drain on current cybersecurity teams, leading to staff burnout and potentially new vacancies to fill.

How do we stop this vicious cycle? Our cybersecurity team has instituted key practices to reduce turnover and shorten time to fill positions. These practices are focusing on skills development, using diverse search and interview practices, and building an entry-level pipeline.

Skills Development

Our team started with a simple question: What aptitudes lead to success? Too many job descriptions start, and end, with skills and experience. By focusing on what an individual has a knack for and how they learn new skills, we have been able to tap large talent pools in other departments at the company. A high percentage of our cybersecurity engineers and analysts transferred in from non-cybersecurity roles and developed cybersecurity-specific skills over time through training and development activities. This approach has required significant investment in training, but the training costs have been much lower than the expense of long-term vacancies and search fees.

Diverse Search and Interview Practices

Diversity, Equity and Inclusion (DEI) is an important focus for many companies today seeking to gain competitive advantage through higher-performing teams. With respect to cybersecurity recruitment and retention, DEI has the added benefit of tapping talent pools that have traditionally been under-represented. We enacted three simple steps to attract and retain diverse candidates:

  1. Reduce job descriptions down to the essential characteristics and skills required. Build the job around fundamentals, rather than starting with the ideal candidate.
  2. Eliminate degrees and specific certifications as requirements. College degrees and certifications are important ways to develop skills and abilities, but they are not necessary for most cybersecurity positions.
  3. Use structured interview practices to reduce unconscious bias. Interviewers ask the same questions consistently of each candidate and rate the candidates independently to prevent influence from highly vocal or influential interviewers.

Building an Entry-level Pipeline

All of us have seen unintentionally humorous job postings requiring ten years of experience with a technology that has only been around for five years. This is only the most visible symptom of the tendency to recruit only senior people. Hiring managers should thoughtfully consider the work, team composition, and future needs when posting new roles. Consider that hiring a junior candidate and having them build skills through aggressive training in their first six months puts a team far ahead of keeping a senior position open for six months. Paid internships are also a valuable pipeline for rapid conversion to entry-level roles upon graduation. If your company does not currently support internships, take some time to build a financial case with company leadership to get a program in place, as it will typically pay for itself through reduced search costs and position vacancies.

The cybersecurity labor shortage will continue to be a systemic problem for many years to come, but the strategies I have outlined here can help any organization reduce the impact on their own cybersecurity teams.
