Beyond the Great Resignation: Mastering Cybersecurity Retention with Remote Work, Upskilling, and Inclusion

Security Careers

Security Careers

6 min read
Beyond the Great Resignation: Mastering Cybersecurity Retention with Remote Work, Upskilling, and Inclusion
Photo by Alex Kotliarskyi / Unsplash

The cybersecurity industry is currently grappling with what's often referred to as the "Great Resignation" or "Big Quit," a significant challenge for employers globally. Even before the pandemic, the sector faced a labor shortage, and today, retaining engaged, productive, and happy staff is more critical than ever. Professionals are growing restless due to factors such as lack of promotion opportunities, poor financial incentives, and high stress levels. Additionally, limited remote work responsibilities, poor work culture, and lack of management support also contribute to cyber resignations.

To combat this, organizations must shift their focus from merely hiring to strategic retention. This involves adopting practices that foster employee satisfaction, growth, and a strong sense of belonging. Key pillars for "Great Retention" include embracing flexible work models, prioritizing continuous professional development, and cultivating a truly diverse and inclusive culture.

The Power of Remote Work in Retention

Flexible work options, including remote arrangements, are increasingly recognized as a competitive differentiator in cybersecurity hiring and retention. The desire for flexibility and better work-life balance is a significant driver behind professionals considering new roles. People prefer the convenience and flexibility that remote work offers. Offering clear policies supporting flexible work hours can greatly improve employee satisfaction and productivity.

However, the widespread adoption of remote work also introduces heightened cybersecurity risks. Remote workers often do not secure their home networks or personal devices as effectively as corporate security teams, making them vulnerable to attacks like phishing, malware, and ransomware. Personal devices might be shared, lack advanced defenses, or have unpatched software, providing entry points for malicious actors. "Unofficial" remote workspaces can also have poor physical security, increasing the risk of sensitive data exposure or credential theft.

To mitigate these risks while still reaping the benefits of remote work for retention, organizations must implement robust remote work cybersecurity measures. These include:

  • Utilizing advanced cybersecurity tools such as Security Information and Event Management (SIEM) for real-time threat detection, network monitoring tools, Endpoint Detection and Response (EDR) for endpoint security, and threat intelligence platforms. Tools leveraging Artificial Intelligence (AI) and Machine Learning (ML) can automate anomaly detection and incident response actions, minimizing damage from incidents.
  • Establishing clear security protocols for remote employees, mandating strong password hygiene, multi-factor authentication (MFA), data encryption, and regular software updates. It's also crucial to implement the principle of least privilege, limiting access to only necessary data and systems.
  • Continuously monitoring employee devices and access points to ensure policy compliance, detect malware, and identify unauthorized access attempts or unusual usage patterns.
  • Conducting regular, mandatory cybersecurity training for remote workers to ensure awareness of risks, secure practices, and incident reporting guidelines, including practical phishing simulations.
  • Integrating Third-Party Risk Management (TPRM), as vendors often access company data. This involves assessing vendors' remote work security, updating contracts for compliance, implementing remote auditing, obligating vendors to train their remote employees, enforcing strict access controls, and collaborating on incident response plans.

Upskilling: The Engine of Growth and Loyalty

Upskilling and continuous professional development are paramount for employee retention in cybersecurity. They directly address common reasons for resignation, such as lack of promotion opportunities and poor financial incentives. Investing in a team's development strategically addresses skills gaps and builds a more robust and adaptable workforce ready for evolving threats.

Key aspects of upskilling's role in retention include:

  • Addressing Skills Gaps and Building Resilience: Upskilling is essential for filling the cybersecurity skills gaps, especially with evolving threats and limited specialized talent. A new SANS/GIAC study highlights that the core issue is not a talent shortage, but rather a lack of people with the right skills. Investing in development creates a more robust and adaptable workforce.
  • Promoting Internal Mobility: Reskilling current employees to promote internally is identified as a key strategy to improve retention and combat the "Great Resignation".
  • Providing a Clear Career Path: Cybersecurity professionals seek clear career paths and opportunities for continuous training and learning. Organizations should offer customized career pathways and provide equitable access to professional training and certifications. Personalized growth plans, developed collaboratively, demonstrate a tangible commitment to employee growth.
  • Increasing Engagement and Motivation: Tailored training ensures that learning is relevant and actionable, directly addressing unique team challenges. This personalized approach sharpens expertise, enhances problem-solving, and increases engagement because team members see the direct impact of their learning on their work. OffSec, for example, offers Custom Learning Paths where administrators can mix and match courses, modules, and labs to suit team needs.
  • Strengthening Employer Brand and Credibility: Access to the newest technologies and top training is a significant draw for junior cyber defenders. Companies that offer opportunities for employees to develop their skills and become thought leaders, such as by attending trade shows or participating in software maturity programs, benefit from an enhanced corporate brand and improved defense capabilities. This also fosters client trust as a skilled workforce can reduce risks.
  • Enhancing Technical Capability and Attitude: The cybersecurity industry is increasingly valuing technical capability over work experience and academic degrees as the most important hiring qualification, with certifications ranking second. "Power skills" like adaptability and eagerness to learn are becoming non-negotiable. Upskilling programs can integrate these aspects.

Diversity and Inclusion: The Foundation of Strength

Diversity and inclusion are crucial for strengthening an organization's cybersecurity workforce by enhancing innovation, improving operational effectiveness, and leading to better outcomes in risk management and threat mitigation. Diversity of thought is an essential ingredient for resilience within cybersecurity teams. Organizations with inclusive practices consistently achieve better outcomes in risk management and threat mitigation. Women's varied experiences and perspectives, for instance, enhance analytical rigor, strengthen problem-solving capacities, and foster innovation.

To cultivate an inclusive cybersecurity culture and strengthen the workforce, organizations should focus on concrete actions:

  • Redesign Recruitment Practices: Authentic inclusion starts during recruitment. This involves:
    • Clear, competency-focused job descriptions that outline necessary skills and avoid ambiguous or biased terminology, which encourages diverse applicant pools. Removing language that may discourage diverse candidates, such as masculine gendered nouns or references to military-style approaches, is important.
    • Anonymized candidate evaluations to reduce unconscious bias and focus solely on qualifications.
    • Diverse interview panels to provide multiple perspectives, mitigating biases and promoting balanced decision-making.
  • Implement Structured Mentorship and Sponsorship: These programs help women navigate industry-specific challenges and position them for advancement, boosting retention and leadership representation. Defined mentorship programs with concrete objectives and active sponsorship from senior leaders are key.
  • Prioritize Equitable Professional Development: Providing equal access to training, certifications, and customized career pathways reinforces an organization's commitment to its workforce and strengthens operational resilience.
  • Strengthen Equitable Workplace Policies: Establishing clear policies for flexible work options, transparent compensation, and rigorous anti-harassment standards creates environments conducive to sustained success and professional satisfaction. Flexible work options specifically improve employee satisfaction and productivity.
  • Increase Recognition and Visibility: Developing formal mechanisms to regularly highlight women's achievements and facilitating their participation in industry engagement enhances their professional visibility and establishes credible role models.
  • Commit to Diversity, Equity, and Inclusion Policies: Employers should commit to developing these policies as a key strategy to improve employee retention. Specific programs like the Apprenti Network Security Administrator Apprenticeship prioritize underrepresented groups, offering accessible training and high job placement rates.

While the cybersecurity job market is challenging, particularly for entry-level and mid-level roles, it's crucial to understand its nuances. There's an oversaturation of underqualified people with unrealistic expectations, often misled by influencers promising six-figure work-from-home jobs with minimal experience. This creates a high volume of applications for posted jobs, making it harder for legitimate candidates to stand out.

However, the market is not universally bad. There's still high demand for experienced professionals, especially those with 5-10+ years of experience and specialized skills. Companies often seek "unicorns"—individuals with a broad range of skills like network engineering, system administration, SOC analysis, programming, and incident response—but are often unwilling to pay for such comprehensive expertise. Economic uncertainty and budget cuts also lead companies to hesitate in investing heavily in security teams, as cybersecurity is not seen as a "money maker".

In this environment, continuous upskilling and gaining practical experience are vital for differentiation. The industry values technical capability and adaptability highly. For those entering the field, foundational IT experience is often seen as a prerequisite before moving into dedicated cybersecurity roles. Networking, showcasing real accomplishments on resumes, and developing strong "power skills" like communication and problem-solving are also critical for success.

Conclusion

In summary, organizations committed to "Great Retention" in cybersecurity must strategically integrate flexible work arrangements (while diligently managing associated security risks), foster continuous professional development through tailored upskilling and clear career paths, and actively cultivate a diverse and inclusive culture. By prioritizing these elements, organizations can not only fill critical skills gaps and enhance their defensive capabilities but also attract, engage, and retain the top talent needed to navigate today's complex and evolving cyber threat landscape.

Read more

The Critical State of API Security: A Comprehensive Guide to Modern Threats and Defense Strategies

The Critical State of API Security: A Comprehensive Guide to Modern Threats and Defense Strategies

Executive Summary In today's interconnected digital landscape, APIs have become the backbone of modern applications, enabling seamless data exchange and service integration. However, this proliferation has created a massive attack surface that many organizations struggle to secure effectively. With 99% of organizations reporting API-related security incidents in the

By Security Careers