How to Develop Career Paths for Your Security Team

September 8, 2022 | By IANS Faculty

With a competitive hiring market and the shift to remote work, it’s harder than ever to retain security talent. Today, there is less of an expectation that employees will remain at a job long term, or even for a minimum of one year. How does this tie into career planning for your security team?

What should a standard career path or progression look like for security employees? Are there similar pathways or frameworks to reference? This piece explains how security leaders can establish strong career paths that not only set up security staffers for success, but also help prevent the costs associated with turnover across the security function. 

Plan Paths and Goals for Security Staff 

One-on-one meetings about career paths and planning are useful to understand what employees are seeking. In addition, it’s an opportunity for employees to become more self-aware and reflect on what is important to them. Be sure to ask about: 

  • Their actual career goals: All too often, the allure of title and salary is what entices people. People tend to always want more, but exactly what is “more,” and does more equate to fulfillment, job satisfaction and/or quality of life? Is what an employee aspires to become in a career primarily about their paycheck or do they really want to work in that aspirational role? 
  • Cultural fit: Uncovering what people want in their career and why is important. The conversation should uncover their desire, purpose, strengths and skills. Sometimes it is necessary for an employee to leave the organization, because the opportunity within the company just isn’t there. However, if the culture is right and overall benefits and compensation are respectable, then employees should not be in and out in one or two years. If they are, then management should be proactive and talk with them to uncover what is driving them to leave. The sooner you learn why the organization was not a good fit for their career, the better. 
  • What’s good and what isn’t: Asking what’s working well and what is not should be part of the dialogue. Be sure to ask them how they’d fix an issue they raise, and if it sounds reasonable, have them fix it, because this process can improve self-esteem. On the other hand, some employees just like to vent and no matter what is offered, they’ll never be satisfied. It’s important to identify those cases, too. 
  • What makes them thrive: If you don’t really know your people, it can be tougher to set them up for success. Sometimes, managers promote high-performing engineers into management, which requires a completely new set of skills. The engineers might be interested at first, because they get a new title and higher salary. But when they realize they are now responsible for other people’s work and are unable to have their hands on the keyboard, they may get frustrated and consider leaving the organization. Conversely, someone good at project management and building rapport may make a wonderful team lead. However, not everyone wants to advance; some are content churning out quality work on time. Knowing your employees and how work fits in their life is key to understanding short- and long-term succession plans.

Creating an employee matrix gives a quick snapshot of your team’s interests and the skills they possess. An example of an interest matrix is shown in Figure 1.

Figure 1: Employee Matrix

| Employee | Stronger in technical or soft skills | Team player or solo performer | Focused on career growth or stability | Openness about future and longevity | Tolerance for instability vs. need for structure |
| --- | --- | --- | --- | --- | --- |
| Jim | Technical | Team | Career | Open | Tolerant |
| Alice | Technical | Solo | Stability | Open | Structure |
| Ben | Soft | Team | Stability | Open | Structure |
| Kate | Technical | Solo | Career | Open | Structure |
| Dan | Soft | Team | Career | Open | Tolerant |

Source: IANS, 2022

Establish a Career Path for Security Staff 

Once you understand each employee’s goals and motivations, a good strategy is to place them in a stretch role. With the right coaching, training and support, employees can grow into their roles and obtain a sense of accomplishment. However, to make this work, it’s important to invest in: 

  • Training: Employees want (and need) both external and internal training. Many managers worry that once employees are trained, they will simply leave. But as Henry Ford said, “The only thing worse than training your employees and having them leave is not training them and having them stay.” 
  • Mentoring: Mentors can be a form of training, too. Look for internal or external resources able to provide coaching and feedback. 
  • Continuous assessments: Employees like to get feedback. On a regular basis, discuss how they are doing and where they can improve. 
  • “Train the trainer” programs: If employees are working on their managerial skills, have them train those around them. It’s good experience, and it can help uncover early whether they can communicate effectively and accept that someone may do things slightly differently but get similar results. 


Keys to Security Staff Retention 

Employee retention became even more challenging over the past few years. Now, talent can look anywhere for opportunities. On the other hand, employers can also draw from a larger pool of candidates, provided remote or hybrid work is offered. If remote or hybrid work is not offered, retaining cybersecurity talent can become difficult, because what used to be a perk for security teams is now table stakes. 

There’s no one solution to retention. Overall, it is about providing the best place to work, but what’s considered “best” varies by what people value. This can sometimes be uncovered during the hiring process. Don’t ignore cultural red flags in favor of filling an opening, because it can disrupt the team and erode department and company culture. Areas to focus on for retention include: 

  • Fair compensation packages: Money alone is never the answer. Everyone needs a respectable salary and benefits, but money is a short-term motivator. Pay people enough so money isn’t a controversial topic, but don’t allow it to be the main motivator. Be sure you also provide a good training and conference budget, work flexibility (e.g., hours, remote), PTO commensurate with experience, and, when applicable, company equity and options. 
  • Reducing/eliminating mundane, repetitive work: Automate what you can and free up people for more meaningful work. For example, consider security orchestration, automation and response solutions. They not only will help employees learn new skills, but will enable them to take on more security-focused work. Automation offers efficiencies and gives employees back time in their day. 
  • The team: Employees want to work with like-minded, talented people who align with the team and organization culture. Hire top talent whenever possible, but be wary of hires who don’t align with the culture. Candidates considered “rock stars” and “ninjas” may sound enticing, but make sure that they will positively and not negatively impact the team. One bad apple can lead to many good people leaving.
  • Empowerment: Employees should be managed to the point where they are empowered to make decisions. Rather than micromanaging them, provide them with guidance and latitude. This creates growth and helps develop leaders within the team. 
  • Extracurricular involvement: Foster participation in the cybersecurity community at large. Speaking at external events or being on advisory boards can provide security staffers with new opportunities and experiences that leave them fulfilled, while improving their knowledge and expertise. 
  • Career path: All employees should be given a career path for their professional development. What are their aspirations? Are they working toward them? Do they align with the overall corporate strategy? Every year, employees should be able to look back at the work they completed, but also the career steps they’ve taken, and see a clear path to where they want to be in the future. 


How to Create Career Paths for Security Teams 

Ensuring your security team can clearly see the career path ahead isn’t easy. To keep your staff happy, in the fold and motivated: 

  • Get to know your team: Hold regular meetings with employees to understand what they want and where they want to go. 
  • Review career path resources: Career resources are not one size fits all. Build a career path library of resources specifically for your team’s roles that can complement existing human resource materials. An easily accessible library of tools helps to ensure any customized path you create works and makes sense. 
  • Put it all together: Coordinate with your human resources department to establish opportunities for strong training, mentorship, continuous assessments and compensation packages. Together, you can ensure you help employees move along in their career and retain them longer. 