For everyone

for hiring managers

For everyone

Retaining incredible talent

Compensation

Skills

Certifications

Retention

Share:

Text Link

Вывод URL текущей страницы

Текущий URL страницы:

Retaining your best

Crux Q4 '23 market report

Turnover: A very real vulnerability

While this has been a slower than average year for people leaving their jobs, in security, turnover rates typically average 20-25% per year- high relative to most sectors of the economy.

The loss of team members, particularly experienced ones, is often accompanied by loss of institutional knowledge, productivity, and coverage.

In short, it’s a major risk and perennial frustration.

It is also largely an addressable one.

High rates of turnover are an outcome and a symptom of deeper issues. The root causes can vary significantly company to company and team to team but usually have common themes.

To understand why people leave their jobs, you first have to start with the basics of what most people want:

To learn and grow, and have an appropriate degree of challenge
To feel that their contributions are valued and having an impact
To be fairly compensated for their efforts and their skills
To feel that their work has meaning
To be able to have a balanced life
To be trusted and respect the people that they work with

Usually, when people leave, one or more of these is lacking.

Specifically within cybersecurity at the staff level, these are the issues we often hear:

They feel stuck and don’t see a path beyond their current role
Expectations of their role and performance aren’t clear or aligned
They don’t feel that their voice is heard
Burnout from too many tasks and expectations that don’t align with reality
This year in particular, we have seen a lot of frustration with return to office policies/ end of WFH

We expect to see a return in 2024 to historical (or higher) levels of turnover

Operating under a base assumption that the global economy will return to something more normal in ‘24 (1-2% GDP growth, lower inflation), we see pent up desire for movement. This has been a year of reduced promotions and budget headwinds and we speak with many candidates that are ready to hop to their next step, when the opportunity arises.

Now is the time for leaders to get ahead of it.

It’s not the compensation. Repeat, it’s not the compensation.

If you just went by exit interview data (when it exits) or conversations with hiring managers, you’d believe that everyone leaves to get higher compensation.

That’s not true.

In our experience, that’s a cover for deeper issues. Don’t accept the common scapegoats of compensation and company cultural issues. While lower than market comp certain increases risk, people will accept that if they feel a strong sense of connection to the institution and the mission.

As with so many things in cybersecurity, the fundamentals really do matter.

There is no magic wand that will make turnover challenges go away. Mostly it comes down the fundamentals: managing people well. So while reductions in unwanted attrition are a benefit, there are good reasons to implement these practices because, fundamentally, they will lead to a better talent pipeline, more productive teams, a more cohesive culture and, ultimately, a stronger security posture.

1) Construct explicit career paths

This is the single most important lever. It’s also stunningly uncommon. Don’t take the easy path of just slapping together job descriptions whenever someone leaves. Design a structure that gives a framework for promotion, visibility into future compensation potential, and an avenue for mobility.

Good models include:

Levelling within each area of specialization that is linked to graduating responsibilities, compensation, and title (e.g. engineer -> principal -> staff)
Stock job descriptions that clearly lay out responsibilities and specific skills that are required (this can be used as requirements for internal promotions)
Discrete technical and managerial tracks- don’t make people management the only way to advance. Many great technical people can struggle as managers.

"Building a program in that has clear career progression will lead to a more resilient organization and help attract better talent. And it builds people who know how to teach."

- Christophe Foulon, cybersecurity coach and vCISO

2) Build a genuine culture of feedback and clear expectations

If the only times you are giving or receiving feedback are during formal (mandated) sit-downs as a part of a performance management cadence, you are doing it wrong.

The best leaders are great at providing real time feedback - a meeting, a report, or some deliverable. They make sure that expectations are always clear and there are tangible examples of ‘what good looks like.’ At minimum, conversations should be happening quarterly.

Your team should always know:

What their strengths are
What areas they should be working on
What they need to demonstrate progress on
How their priorities line up to department and company priorities
What expectations and objectives are- what, by when, and what good looks like

Additionally, you should make space for the team to provide feedback to you. And you should take it to heart.

3) Make development and growth central to your team identity

People that are drawn to careers in cybersecurity tend to be highly curious, enjoy solving problems, and are attracted by the nature of an ever evolving field.

Growth and learning are central to their identities; they should be central to the identity of your team and program as well.

This goes beyond providing budget for certs. Companies that do this well also:

Allow time and budget for the team to participate in conferences, and, when possible, support for research and speaking opportunities
Provide stretch assignments and projects that stretch team members in new directions
Support lateral moves within and outside the security team

4) Cultivate trust

Trust is the single most important currency in any organization. It takes time to build and is quick to destroy. You can think about your actions as ones that add to your trust balance, or take away from it.

Trust is built through transparency, genuine positive intent, open communication, consistency (do what you say), and empathy.

People want to know that their leaders and peers have their back. This doesn’t mean that there isn’t performance management or that some people don’t make it. It means that along the way you are open, honest, and fair. It means that you nurture genuine connections with the team and don’t violate the trust they have in you.

People flee from environments in which they don’t trust their immediate manager, their peers, or senior leadership.

5) Hire, and fire, for fit

When hiring, you are looking for two things: 1) Do they have the technical skills to do the work and do it well, and 2) Will the way that they work support or detract from your culture?

In our experience, companies too often hang on for too long to the high performers that damage the culture (the brilliant jerk). Their visible delivery against some metric (sales, product, etc) outweighs the harder to quantify negative impact on everybody else.

Toxic people (particularly leaders) will push talent away. As a leader, it’s your responsibility to hire people that you believe will thrive in and contribute to your culture (so you have to know and define it), and to let go of those that don’t. People who profess a set of values and then fail to live by them lack credibility. The people that work for them are just there for the paycheck. And they’ll jump when they see one that is higher.

A deep dive into our data: what employers are looking for

Certifications in demand

This is what our data show across >5,000 job descriptions. The green lines indicate relative demand within an area.

Technologies/ domain expertise in demand

We’ve compiled the most frequently mentioned technologies and domains of expertise in the ‘qualifications’ and ‘responsibilities’ sections of job descriptions. Understandably, they vary significantly by discipline of cybersecurity. You can use this data if you are considering where to build expertise.

Individual contributor vs managerial roles

Generally, 60-80% of security jobs are individual contributor roles.

Highly technical roles tend to skew individual contributor, with ‘consultative’ roles having more managerial slots.

Individual Contributor vs Managerial Roles

Remote work trends

On average, a bit more than ~60% of security jobs are on site and this has stabilized in the back half of 2023.

Cybersecurity compensation trends

Average salary by domain and level of seniority

In general, we are seeing high level architecture/ engineering roles, cloud security, and application security command the highest salaries.

Salary distribution by years of experience

The below chart shows the range of salary by year of required experience (in $K). The box represents the 25-75% percentiles.

On average, each year of security experience is worth $10,000.

A wide distribution exists at each increment of experience, suggesting that high pay is available for the best talent.

Salary Distribution by Years of Experience

Crux Apex list

Each quarter we recognize a set of standout employers. This time we are highlighting several companies that have a demonstrated track record of hiring entry level employees.

If you are in looking to transition into cybersecurity, you should absolutely check these companies out.

Many of them offer internship programs in their cybersecurity department as well.

This quarter’s winners are:

Visa

Highmark Health

Comcast

Susquehanna International Group

Service Now

Paccar

Idaho National Laboratory

Workday

Ericsson