Source: www.csoonline.com
In the face of talent shortages, organisations must rethink their approach to retaining cybersecurity professionals as money isn’t always the motivation professionals are looking for.
The cybersecurity industry is facing an unprecedented challenge: retaining skilled professionals in the midst of an ever-expanding threat landscape and a significant skills shortage. Organizations are finding themselves in fierce competition to attract and hold onto cybersecurity talent, and failing to do so can have dire consequences.
According to recent research by Forrester, neglecting staff retention efforts can lead to increased absenteeism, toxic work environments, and ultimately, greater security risks. Security teams experiencing high levels of burnout and disengagement report nearly three times the number of internal breaches compared to those with a healthy work culture. Furthermore, when team members fear retribution for raising concerns that affect their organization’s risk posture and they lack psychological safety, the risk of internal incidents skyrockets by three and a half times more than the global average.
To address these challenges, organizations need to implement strategic measures, including creating an environment that fosters resilience and job satisfaction, to retain cybersecurity professionals.
According to Robert Huber, CSO and head of research at Tenable, achieving balance between managing the work that cybersecurity professionals need to do and how they go about completing their work is key. He explains that despite the growing demand cybersecurity professionals face, budgets often fail to keep pace. Therefore, CISOs must prioritize cyber risks effectively to prevent teams from being overwhelmed by the sheer volume of threats, help alleviate pressure, and prevent burnout.
“As a leader, the easiest thing for you to do is help them prioritize and focus on what matters for your organization,” Huber says. “If you deliver services, what things could impact the services you deliver? If you generate revenue, what can impact the revenue you generate? That’s your job to tell people where to focus, because that lack of focus will just drive people to the ground. You can consume those resources indefinitely, but trying to address every vulnerability and every risk, we already know that it’s impossible.”
Pay attention to mental health during cyber breaches
Another critical aspect of retention is mental health. Huber stresses the importance of frequent check-ins and ensuring team members take breaks, especially during high-pressure periods.
“When a cybersecurity event happens, it’s easy to work 24-plus hours straight and many days in a row, even through the weekends, because you feel like you own it, and you want to resolve it and you want to reduce risk,” he says. “But as a leader, your job is to lean in and make sure people do step back, take some time off, take a break, or take a mental break at a minimum.”
He points to one example of this: CrowdStrike offered $10 Uber Eats gift cards to partners and teams who helped with the response to its July 2024 IT outage. “Whether it was appropriate or not, at least, somebody thought like, ‘Hey, we know teams are working long and hard hours and multiple days in a row; let’s offer coffee or food or time off.’ You have to step in as a leader and make sure you take care of your people.”
Forrester VP principal analyst Jinan Budge echoes these sentiments, emphasizing the need to address burnout to retain teams by focusing on three key areas: expectations, resourcing and perception.
She says it’s important that CISOs set realistic expectations aligned with the team’s capacity. She also points out that resourcing involves not only tools and personnel, but also wellbeing initiatives, such as meditation programs and resilience workshops offered by organizations like CyberMinds. “Those doing workshops, or anything that improves the wellbeing of the teams, become really critical in a retention strategy,” Budge says.
Beyond helping cybersecurity professionals prioritize their workloads, Huber highlights the importance of giving them the freedom to experiment and explore areas of interest, such as AI or other emerging technologies. He believes this offers a break from the day-to-day and keeps these professionals engaged with newer technologies, some of which have the potential to become attack surfaces.
“You want folks to feel like they’re empowered to take the time to go explore topics that they’re interested in. Tell them, ‘Hey, I’m okay if you carve out so many hours per week or per month to go look into these new topics or take training’,” he said.
Invest in skills and allow room for growth
Upskilling also remains a powerful retention tool. As Huber points out, Tenable invests in training entire teams on emerging technologies and capabilities, ensuring that employees feel equipped and valued.
Similarly, KPMG has implemented targeted programs to support diversity and career progression within cybersecurity. The firm’s Cyber Women Leads program, for example, focuses on training middle-management female cybersecurity professionals to formalise their leadership skills.
In addition to diversity-focused initiatives, KPMG has adopted creative recruitment strategies to address the cybersecurity talent gap. By tapping into adjacent skill sets and providing cross-training opportunities to those looking for a second career or parents returning to work, the company has been able to expand its talent pool.
For cybersecurity professionals like Dominika Zerbe-Anders, cyber human risk partner and solution owner at KPMG Australia, opportunities for growth have been instrumental in maintaining her own long-term career in cybersecurity. At KPMG, she has been given opportunities to take on new challenges every few years, contributing to her professional development and job satisfaction.
“That’s what keeps me interested. It feels like every three or four years I’ve had a different career at KPMG,” Zerbe-Anders says. “Three years ago, with one of the most amazing leaders that I worked with, we identified that we weren’t doing a lot in the human risk space of cybersecurity. So, I was able to apply for and get seed funding to bring in a whole new service in that human risk management space. It then went global … and it’s now been very successful in market. That was one of those opportunities where I saw we weren’t doing anything in the space and I put my hand up and said, ‘I would like to lead this’, and the firm was really happy to invest and back me.”
“Last year as well, I took a slightly different approach. I moved departments to try to help grow and amplify one of the cyber teams here. So, it’s really about being able to continuously move directions, continue to grow, and bring in new people, as opposed to always doing the same thing over and over.”
Financial benefits aren’t always the answer
Interestingly, Budge notes that while pay may seem like the obvious retention strategy, and it is a motivator for the younger workforce, its effect does not last. Instead, she emphasises the need for purpose-driven work to maintain engagement.
“Security team members seek purpose and motivation. Are we making a difference to the organization, to the business value, to the bottom line? From an action perspective, how do we communicate the difference that the team is making, not just to the executives, but also to the team?” she says.
“If you’re a leader, are you spending as much time on your team as you are with the executives? You’ve got to go to the trenches because they’re motivated by purpose and motivation. If they weren’t, then you could step away from that. But the reality is security is about purpose. Most of us are here because we believe that we are protecting our organizations, the business, and society more broadly.”
The value of recognition and business buy-in
Embedding cybersecurity personnel into different areas of the business is another effective strategy, Huber suggests. He believes that by working closely with various departments, security professionals can better understand business operations, gain a sense of ownership, and contribute more effectively to organizational goals.
Huber adds that leadership involvement is crucial in reinforcing the importance of cybersecurity within an organization. He recommends that executives actively engage with cybersecurity teams by participating in discussions and highlighting the value of cybersecurity initiatives. When CEOs and senior executives advocate for security, he says, it demonstrates its importance to the organization’s overall mission.
“If you get corporate buy-in from leadership, it can help develop goals for other teams. I think that goes a long way because people understand the importance of the role,” Huber says.
Recognise it’s not one-size-fits-all
However, Budge notes that motivation and leadership styles can vary across regions. In Australia, for instance, a significant portion of cybersecurity professionals come from non-STEM backgrounds, leading to more diverse leadership styles.
In contrast, she explains regions such as India have a stronger emphasis on STEM qualifications, resulting in different career development pathways. Additionally, cultural factors influence the way cybersecurity issues are perceived and addressed, with countries that have longstanding data protection regulations exhibiting more mature approaches compared to those with emerging regulatory frameworks.
Ultimately, retaining cybersecurity talent requires a multifaceted approach that balances workload, prioritises mental health, fosters a culture of belonging, and offers meaningful career development, Huber concludes.
“It really comes down to the individual. You have to have leaders whose job is to understand what motivates each employee,” he says. “Some people might really want recognition; others want monetary rewards. Some want additional training, while others want time off to spend with their family and friends. You have to figure out what motivates people across your organization, and that’s a challenge for any leader.”
Original Post url: https://www.csoonline.com/article/3813922/beyond-the-paycheck-what-cybersecurity-professionals-really-want.html
Category & Tags: Careers, CSO and CISO, IT Training