I happened to watch the movie “The Duff” recently. If you haven’t seen it, it’s a 2015 teenage comedy film with a plot along the lines of “The Breakfast Club” meets “Mean Girls.”
What struck me about this movie (and the reason I’m alluding to it now) was the fact that one of the main characters, a young woman named Casey, is a hacker. In fact, her hacking ability turns out to be a major plot point (no spoilers, I promise.)
This fact struck me for two reasons: first, the movie didn’t need to explain it. It was a given that everyone watching would understand what a hacker is, what it means that this character is one, and the potential impact of her skills.
This means that information security (cybersecurity if you must) has become embedded into the collective social context. For those that have been in the profession a while, you may (like me) remember the days of explaining what you did for a living and the resultant confused looks you often got in reply.
While that’s interesting in itself, it’s the second point that really made this otherwise trivial nuance stick with me — specifically, that this character’s hacking abilities weren’t just a personality quirk or convenient narrative device… they were cool.
Yes, the “cool kid” was a hacker. Moreover, it wasn’t just that she was already cool and happened to be a hacker – instead, her “hacker skills” contributed significantly to her being cool in the first place.
This might not seem like much at first glance, but the more I thought it through, the more it seemed like something important for security pros – particularly security managers – to pay attention to.
Specifically, talent management in security – in particular recruiting and retaining younger professionals – is a huge deal. Talent acquisition is tremendously expensive and time-consuming, and the cost of the inevitable attrition (and corresponding loss of intellectual capital) is a major resource drain.
This subtle shift in perception – the “coolness factor” – is directly relevant and important when it comes to bringing new talent into the organization from among younger professionals. It also provides insight into how we might retain them.
Why “interesting” matters
Every security manager knows that there’s only so much that expertise, grit, and “hustle” can buy you when there aren’t enough talented personnel available to help shoulder the load. Finding and retaining the right talent is always challenging (as any hiring manager can attest) – but it’s also simultaneously one of the most important things to get right.
Junior roles are particularly challenging to fill well. Human nature dictates that the professional connections we make tend to be peers or former managers (those we’ve worked directly with in the past), meaning that, in general, our closest connections will be to folks with a similar amount of experience to our own. So when looking to fill a position, names will almost inevitably leap to mind – but only rarely will those names be of folks just out of school or with only a few years of experience.
Much of the research suggests that the ability to attract and retain young professionals correlates to the level of interest and engagement that those professionals have in the work that they do.
For example, a May 2014 study from the Brookings Institution found that 64% of millennials (those born between 1980 and 2000) would prefer to make 40k at a job they love (i.e. one they find interesting and engaging) vs. 100k at a boring job.
So it’s not about the paycheck, it’s about the experience.
By extension, professions that are perceived to be appealing and interesting will tend to draw the best and the brightest. Hiring managers in those disciplines will have a larger pool of talented candidates to draw from compared to professions that are perceived as boring and uninteresting.
This gives an advantage to security if security is viewed as compelling and interesting among younger professionals. It also conversely means that the bar for talent retention is higher – at least in that it correlates to how engaging those professionals find the discipline once they’re in the door.
It’s on the retention side of the fence where many security organizations might need to get creative. Some tasks are just less interesting than others, and some tasks – log analysis, firewall rule review, asset inventory maintenance – can get tedious when done to the exclusion of all others.
Putting a resource who values interesting and engaging work on a task like that – with no hope of other, more interesting, projects to follow – might not give you the long-term talent retention results you want.
Obviously the boring tasks still need to get done, but being creative – for example by employing a duties rotation program – might help make these tasks more workable while helping share knowledge and develop skills among staff.
Investing in employees
In addition to interest level being at the forefront of importance to millennials, so too is employee growth. The Deloitte 2015 Millennial Survey found that young professionals place more emphasis on employee growth and wellbeing, and correspondingly less emphasis on personal income and short-term financial goals.
In practical terms, this means that in order to retain the talent that we so expensively (and sometimes painfully) acquire, it behooves managers to pay attention to the workplace culture they foster: how they treat their employees, the opportunities they provide for them to grow, and how receptive they are to employee needs.
How do you foster a culture that engenders retention and enables growth?
A useful first step is to ask the employees themselves. Ask them how they’re doing, what would help them be more effective and better acclimated, and how they see their career evolving.
Work collaboratively with them to develop an action plan that accounts for how they’d like their career trajectory to grow over time and check in with them periodically to gauge progress, correct course when needed, find out what’s bugging them, and otherwise maintain a level of interest in their career.
While security may be “cool” today and thereby give us (at least) a short-term boost in talented junior-level candidates, the long-term success of using this fact to your advantage rests in what you do next. Adapt your culture and practices to help them want to stick around.
Ed Moyle is Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was a founding partner of the analyst firm Security Curve. In his more than 15 years in information security, Ed has held numerous practitioner and analyst positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.