• Strategy
  • Risk
  • Governance
  • Compliance
  • SABSA®
  • Login

Archistry

exceptional performance since 2006

  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact
You are here: Home / Archistry Daily / Afraid up-skilling your security team will train them for their next job?

February 27, 2023

Afraid up-skilling your security team will train them for their next job?

Photo by Charlotte May.

 

There’s a negative, cynical and sometimes, unfortunately true idea out there that if you pay for skills development with your security team, you’re throwing money away because people are milking you to help them get their next job. There’s a couple of things to say about this.

First, yep. It’s true. And it’s not just the training you pay for. Absolutely anything and everything they learn while a part of your team can walk out the door at any possible moment.

Better just fire them now and get it over with.

Oh, but you can’t. Right. Because, based on a bunch of different, recurring industry surveys, the vast majority of teams feel they don’t have enough staff and are actively trying to fill open slots they’ve had for around 3-6 months.

And then there’s the fact that the perception is that more than half of the applicants out there aren’t qualified enough, so there’s a pretty big problem facing a lot of security teams right now. Maybe you’re seeing it too in your own organization.

I want to warn you in advance. I’m going to get into the brain-bending thing a bit more when i talk about the second thing I want to say about the whole talent, skill development and retention problems that seem to be pretty pervasive, and it’s something that some security leaders probably don’t want to hear. If that’s you, then it’s ok. You can stop reading, or you can even go ahead and click that unsubscribe link at the bottom.

If you’re still reading, then the harsh truth about building a team you need to address if you’re feeling like investing in your team’s skill development isn’t a good idea for fear of the investment being lost is a reminder that people quit managers, they don’t quit jobs. If you look at the top reasons people leave any job, not just security jobs, it’s all about their perceptions of what value the organization places on them actually being part of the team.

Ok, fair enough, you’re always going to have the “collector” types out there that job-hop for skills, salary bumps, certifications and cool companies they can put on their CV. However, with a bit of practice, these types of people are pretty easy to spot. Sometimes, they’re worth it, but sometimes they aren’t.

But for the rest, well over half the reasons people cite for leaving aren’t about them. They’re about the job they do every day and the place they do it. So that’s a pretty good indicator that, regardless if you just pay for the odd cyber training course or certification, the writing’s on the wall already. You might just not be able to see it without a blacklight.

Now, I’m not suggesting security teams should have group meditation, hold hands and sing Kumbaya. Cybersecurity is challenging and stressful even in effective security programs. However, in those effective security programs, it’s just not the norm. There’s some built-in recovery mechanisms in place—even when you’d otherwise think it wouldn’t be possible.

So if you’re a security leader and you’re not investing in your people because you’re afraid they’re going to leave, that fear is real. But that fear comes from putting yourself in the Victim role on the Karpman triangle. And, frankly, you’re just gonna need to stop it, unfortunately. Because it’s not good for you, and it’s not good for your team…because that’s not the kind of leadership that dismantles the revolving door of your team’s locker room.

Of course, that’s one of those things where saying it’s easier to say than do is a catastrophic understatement. It isn’t easy to jump outta that psychological cycle. It’s much easier to switch roles and keep swinging.

And I realize that it’s not probably what you want to hear. And I also realize that it’s not the rah-rah, jolly-feel good stuff that generally sells biscuits. Which is also fine. Because what I’ve noticed from working with a bunch of different types of security teams is that if the team isn’t really performing well, all the technical toys, the certifications, and the token team-building exercises aren’t going to fix the underlying cultural problems that are ultimately a large part of what’s holding you back from creating the team you want to create.

Meaning, of course, that if you’re not ready to take ownership of the culture, the environment, and the mindset of your team, there’s really not much anyone – including me – can do to help you. And investing in tools, technology, training and trips to the park is really just wasting your budget…

…because you’re trying to solve the wrong problem first.

Of course, I’m not a psychologist, nor do I play one on TV, the interwebs…or even Instagram. But I have worked with enough teams to know that an infinite supply of enthusiasm and energy from the members of the team can’t fix a broken cybersecurity team culture. There’s only one place that can happen—

At the top.

So, I’m genuinely asking you to do nothing more than take a moment to step back and really think about the last few people you hired, the last few people you lost, and to dip into some of the comments and background noise of the team to figure out where you are with this issue. Maybe you don’t have it, and that’s great. Or maybe you do, and you’re already trying to address it, which is even better. Or maybe you know what the problem is, but you can’t figure out how you can be that critical buffer that can create a pocket of positive culture inside an organization that might be actively deploying its own antibodies to destroy anything that’s just a bit different than the larger norm for the organization.

There are some things that’ll help you create a fanatically loyal, focused and effective team. But they aren’t things you do. They’re things you need to become. Sometimes, I can help, and sometimes I can’t. But if you’re ready to actually make a serious change in the effectiveness of your security organization, then maybe I can help. Below is the link that talks about how I might be able to do it so you can read it, see if it resonates and maybe set up a call to talk about where you are and what you’re trying to accomplish.

If you’re ready, here’s the link: https://securityleadershipcoaching.com

Stay safe,

ast
—
Andrew S. Townley
Archistry Chief Executive

Article by Andrew Townley / Archistry Daily / Cybersecurity, Security Architect, security team Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Email
  • LinkedIn
  • Twitter
  • YouTube

EMAIL NEWSLETTER

Want to get DAILY email tips on how to build a more effective security program so you can prove your security investments deliver value to the business?

You can always unsubscribe at any time, and we won't sell your data to third parties.

About Us

Archistry works with you to ensure what you want to achieve actually gets done, linking strategy, risk, governance and compliance to enable sustained exceptional performance Read More…

Testimonials

Andrew is a highly skilled and experienced information systems architect and consultant, which in my view is a rare thing. He is innovative in his thinking and merits the title of 'thought leader' in his specialist domains of knowledge—in particular the management of risk. Andrew has embraced SABSA as a framework and, in doing so, has been a significant contributor to extending the SABSA body of knowledge."

— John Sherwood, Chief SABSA Architect

"Fabulous person to work with. Very engaging and insightful. Extremely good technical knowledge with ability to relate concepts together and overcome differing opinions. Makes things work."

— Kevin Howe-Patterson, Chief Architect, Nortel - Wireless Data Services

"Andrew was able to bring clarity and great depth of knowledge to the table. His breadth of thinking and understanding of the business and technical issues along with a clear and effective communication style were of great benefit in moving the process forward towards a successful conclusion."

— Doug Reynolds, Product Manager, MobileAware

"Andrew is a fabulous consultant and presenter that you simply enjoy listening to, as he manages to develop highly sophisticated subjects in very understandable way. His experience is actually surprising and his thoughts leave you without considerable arguments for any doubts in the subjects he covers."

— Biljana Cerin, Director, Information Security and Compliance

Recent Posts

  • The real difference between architecture and engineering
  • The myth of the isolated project
  • The boneyard of failed architecture initiatives
  • To re-architect or not to re-architect your security controls
  • Afraid up-skilling your security team will train them for their next job?

Looking for something else?

Archistry

Practice Areas

  • Strategy
  • Risk Management
  • Corporate Governance
  • Compliance
  • SABSA®
  • Home
  • About
  • Courses
  • Bookstore
  • Glossary
  • Contact

  • Terms of Service
  • Privacy Policy
  • Cookie Policy
  • Copyright © 2006-2023 Archistry Incorporated or its affiliates

"Archistry", the stained glass window logo, "Pragmantix" and the Pragmantix™ logo, "Archistry Execution Framework (AEF)", "Archistry Execution Framework, Cybersecurity Edition (ACS)", "The Agile Security System", "The Agile Business System", "Baseline Perspectives", "Architecture Wall" and "Archistry Execution Engine" are trademarks of Archistry Limited.