There’s a negative, cynical and sometimes, unfortunately true idea out there that if you pay for skills development with your security team, you’re throwing money away because people are milking you to help them get their next job. There’s a couple of things to say about this.
First, yep. It’s true. And it’s not just the training you pay for. Absolutely anything and everything they learn while a part of your team can walk out the door at any possible moment.
Better just fire them now and get it over with.
Oh, but you can’t. Right. Because, based on a bunch of different, recurring industry surveys, the vast majority of teams feel they don’t have enough staff and are actively trying to fill open slots they’ve had for around 3-6 months.
And then there’s the fact that the perception is that more than half of the applicants out there aren’t qualified enough, so there’s a pretty big problem facing a lot of security teams right now. Maybe you’re seeing it too in your own organization.
I want to warn you in advance. I’m going to get into the brain-bending thing a bit more when i talk about the second thing I want to say about the whole talent, skill development and retention problems that seem to be pretty pervasive, and it’s something that some security leaders probably don’t want to hear. If that’s you, then it’s ok. You can stop reading, or you can even go ahead and click that unsubscribe link at the bottom.
If you’re still reading, then the harsh truth about building a team you need to address if you’re feeling like investing in your team’s skill development isn’t a good idea for fear of the investment being lost is a reminder that people quit managers, they don’t quit jobs. If you look at the top reasons people leave any job, not just security jobs, it’s all about their perceptions of what value the organization places on them actually being part of the team.
Ok, fair enough, you’re always going to have the “collector” types out there that job-hop for skills, salary bumps, certifications and cool companies they can put on their CV. However, with a bit of practice, these types of people are pretty easy to spot. Sometimes, they’re worth it, but sometimes they aren’t.
But for the rest, well over half the reasons people cite for leaving aren’t about them. They’re about the job they do every day and the place they do it. So that’s a pretty good indicator that, regardless if you just pay for the odd cyber training course or certification, the writing’s on the wall already. You might just not be able to see it without a blacklight.
Now, I’m not suggesting security teams should have group meditation, hold hands and sing Kumbaya. Cybersecurity is challenging and stressful even in effective security programs. However, in those effective security programs, it’s just not the norm. There’s some built-in recovery mechanisms in place—even when you’d otherwise think it wouldn’t be possible.
So if you’re a security leader and you’re not investing in your people because you’re afraid they’re going to leave, that fear is real. But that fear comes from putting yourself in the Victim role on the Karpman triangle. And, frankly, you’re just gonna need to stop it, unfortunately. Because it’s not good for you, and it’s not good for your team…because that’s not the kind of leadership that dismantles the revolving door of your team’s locker room.
Of course, that’s one of those things where saying it’s easier to say than do is a catastrophic understatement. It isn’t easy to jump outta that psychological cycle. It’s much easier to switch roles and keep swinging.
And I realize that it’s not probably what you want to hear. And I also realize that it’s not the rah-rah, jolly-feel good stuff that generally sells biscuits. Which is also fine. Because what I’ve noticed from working with a bunch of different types of security teams is that if the team isn’t really performing well, all the technical toys, the certifications, and the token team-building exercises aren’t going to fix the underlying cultural problems that are ultimately a large part of what’s holding you back from creating the team you want to create.
Meaning, of course, that if you’re not ready to take ownership of the culture, the environment, and the mindset of your team, there’s really not much anyone – including me – can do to help you. And investing in tools, technology, training and trips to the park is really just wasting your budget…
…because you’re trying to solve the wrong problem first.
Of course, I’m not a psychologist, nor do I play one on TV, the interwebs…or even Instagram. But I have worked with enough teams to know that an infinite supply of enthusiasm and energy from the members of the team can’t fix a broken cybersecurity team culture. There’s only one place that can happen—
At the top.
So, I’m genuinely asking you to do nothing more than take a moment to step back and really think about the last few people you hired, the last few people you lost, and to dip into some of the comments and background noise of the team to figure out where you are with this issue. Maybe you don’t have it, and that’s great. Or maybe you do, and you’re already trying to address it, which is even better. Or maybe you know what the problem is, but you can’t figure out how you can be that critical buffer that can create a pocket of positive culture inside an organization that might be actively deploying its own antibodies to destroy anything that’s just a bit different than the larger norm for the organization.
There are some things that’ll help you create a fanatically loyal, focused and effective team. But they aren’t things you do. They’re things you need to become. Sometimes, I can help, and sometimes I can’t. But if you’re ready to actually make a serious change in the effectiveness of your security organization, then maybe I can help. Below is the link that talks about how I might be able to do it so you can read it, see if it resonates and maybe set up a call to talk about where you are and what you’re trying to accomplish.
If you’re ready, here’s the link: https://securityleadershipcoaching.com
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
