While this has been a slower-than-average year for people leaving their jobs, in security, turnover rates typically average 20-25% per year, which is high relative to most sectors of the economy.
The loss of team members, particularly experienced ones, is often accompanied by loss of institutional knowledge, productivity, and coverage.
In short, it’s a major risk and perennial frustration.
It is also largely an addressable one.
High rates of turnover are an outcome and a symptom of deeper issues. The root causes can vary significantly company to company and team to team but usually have common themes.
To understand why people leave their jobs, you first have to start with the basics of what most people want:
Usually, when people leave, one or more of these is lacking.
Specifically within cybersecurity at the staff level, these are the issues we often hear:
Operating under a base assumption that the global economy will return to something more normal in ‘24 (1-2% GDP growth, lower inflation), we see pent-up desire for movement. This has been a year of reduced promotions and budget headwinds, and we speak with many candidates who are ready to hop to their next step when the opportunity arises.
Now is the time for leaders to get ahead of it.
If you just went by exit interview data (when it exists) or conversations with hiring managers, you’d believe that everyone leaves to get higher compensation.
That’s not true.
In our experience, that’s a cover for deeper issues. Don’t accept the common scapegoats of compensation and company culture issues. While lower-than-market comp certainly increases risk, people will accept it if they feel a strong sense of connection to the institution and the mission.
There is no magic wand that will make turnover challenges go away. Mostly it comes down to the fundamentals: managing people well. So while reductions in unwanted attrition are a benefit, there are good reasons to implement these practices regardless because, fundamentally, they will lead to a better talent pipeline, more productive teams, a more cohesive culture and, ultimately, a stronger security posture.
This is the single most important lever. It’s also stunningly uncommon. Don’t take the easy path of just slapping together job descriptions whenever someone leaves. Design a structure that gives a framework for promotion, visibility into future compensation potential, and an avenue for mobility.
Good models include:
"Building a program that has clear career progression will lead to a more resilient organization and help attract better talent. And it builds people who know how to teach."
- Christophe Foulon, cybersecurity coach and vCISO
If the only times you are giving or receiving feedback are during formal (mandated) sit-downs as a part of a performance management cadence, you are doing it wrong.
The best leaders are great at providing real-time feedback on a meeting, a report, or some other deliverable. They make sure that expectations are always clear and that there are tangible examples of ‘what good looks like.’ At minimum, these conversations should be happening quarterly.
Your team should always know:
Additionally, you should make space for the team to provide feedback to you. And you should take it to heart.
People who are drawn to careers in cybersecurity tend to be highly curious, enjoy solving problems, and are attracted by the nature of an ever-evolving field.
Growth and learning are central to their identities; they should be central to the identity of your team and program as well.
This goes beyond providing budget for certs. Companies that do this well also:
Trust is the single most important currency in any organization. It takes time to build and is quick to destroy. You can think about your actions as ones that add to your trust balance, or take away from it.
Trust is built through transparency, genuine positive intent, open communication, consistency (do what you say), and empathy.
People want to know that their leaders and peers have their back. This doesn’t mean that there isn’t performance management or that some people don’t make it. It means that along the way you are open, honest, and fair. It means that you nurture genuine connections with the team and don’t violate the trust they have in you.
People flee from environments in which they don’t trust their immediate manager, their peers, or senior leadership.
When hiring, you are looking for two things: 1) Do they have the technical skills to do the work and do it well, and 2) Will the way that they work support or detract from your culture?
In our experience, companies too often hang on for too long to the high performers who damage the culture (the brilliant jerk). Their visible delivery against some metric (sales, product, etc.) outweighs the harder-to-quantify negative impact on everybody else.
Toxic people (particularly leaders) will push talent away. As a leader, it’s your responsibility to hire people that you believe will thrive in and contribute to your culture (so you have to know and define it), and to let go of those that don’t. People who profess a set of values and then fail to live by them lack credibility. The people that work for them are just there for the paycheck. And they’ll jump when they see one that is higher.
This is what our data show across >5,000 job descriptions. The green lines indicate relative demand within an area.
We’ve compiled the most frequently mentioned technologies and domains of expertise in the ‘qualifications’ and ‘responsibilities’ sections of job descriptions. Understandably, they vary significantly by discipline of cybersecurity. You can use this data if you are considering where to build expertise.
Generally, 60-80% of security jobs are individual contributor roles.
Highly technical roles tend to skew individual contributor, with ‘consultative’ roles having more managerial slots.
On average, a bit more than 60% of security jobs are on site, and this share has stabilized in the back half of 2023.
In general, we are seeing high-level architecture/engineering roles, cloud security, and application security command the highest salaries.
The chart below shows the range of salary by years of required experience (in $K). The box represents the 25th to 75th percentiles.
On average, each year of security experience is worth $10,000.
A wide distribution exists at each increment of experience, suggesting that high pay is available for the best talent.
Each quarter we recognize a set of standout employers. This time we are highlighting several companies that have a demonstrated track record of hiring entry level employees.
If you are looking to transition into cybersecurity, you should absolutely check these companies out.
Many of them offer internship programs in their cybersecurity department as well.
This quarter’s winners are:
We analyze the movements of ~100K cybersecurity professionals in the US to understand which sectors and geographies are growing.
This is a view of where security jobs are being created, by state.
Not surprisingly, the top quartile is led by high population states, suggesting a roughly even distribution of jobs relative to population.
Unsurprisingly, the most new jobs are being created in the IT space, as well as in large, regulated industries such as financial services and healthcare.
The lines show relative job creation.
Each quarter we track the big CISO jobs that were filled. Congratulations to all!
David Damato is now CISO at Citadel
Chris Betz is now CISO at AWS
Tim Williams is now VP, CISO at Insulet
Joe Marroquín is now CISO at Vestis
Ricardo Johnson is now VP, CISO at Dentsply Sirona
Troy Mattern is now CISO at StoneX
Karthik Swarnam is now Chief Security and Trust Officer at ArmorCode
Hadas Cassorla is now CISO at AssuredPartners
Brian Heemsoth is now EVP, CISO at FIS
Eric Herr is now VP, CISO at Ameren
Nicole Darden Ford is now CISO at Nordstrom
Eric Hussey is now CISO at Finastra
Julie Porro is now SVP & CISO at Anywhere Real Estate
Trina Ford is now CISO at iHeart Media
David Adler is now SVP, CISO at Banc of California
Shawn McGhee is now VP, CISO at Neiman Marcus Group