Last summer I talked with Fred (not his real name), a chief information security officer (CISO) in the aviation industry, about how to rebuild coming out of the pandemic. Fred lost most of his team because of downsizing and layoffs and explained that a lot of others were in similar situations.
More upbeat than I expected, Fred put it simply: “If we go back to the way things were, and hire people into a team that looked like it did, we failed.”
Fred talked about redefining the purpose of the security team and changing the way we function. We need a better connection to the business and the ability to align our contributions to their needs.
A clear and desirable purpose is a good way to attract the right candidates to your team. Contributing to a team with a purpose someone believes in might be the deciding factor between multiple offers.
What about the folks already on your team?
It’s reported that 30% to 40% of the technical workforce is looking for a new job. Let’s say one third of the workforce is thinking about leaving. How much of your current team can you afford to lose?
Maybe you think offering remote work and flexible schedules is enough to keep everyone happy.
We possess an innate need to contribute to a purpose we believe in. Purpose outweighs salary and is stronger than passion. It’s wired into our human experience and desire to help. We seek to contribute and earn recognition — a sense of belonging — for our efforts.
Without growth, an obvious purpose to contribute to, and recognition, people are open to other opportunities, especially if they find a team that meets their needs.
Does your current team have a reason to stay?
Have you clarified the purpose of your team beyond “security,” or “we manage risk to a tolerable level,” or “we protect stuff”?
The best example I’ve seen came directly from Oscar (not his real name), a remarkable CEO of a publicly traded company. When Braden (not his real name), the CISO, and I asked Oscar what he expected from security, he gave us three things to focus on:
1. Meet our client’s security requirements
2. Stay just ahead of the curve to keep us out of trouble
3. Build security into our fabric to make us more competitive
The first two made sense and made it easy to connect security actions to business value. When I pressed him, in front of the whole security team, on what he meant by using security for competitive advantage, Oscar said: “Anyone can offer longer call-center hours, but if we build security into our solutions, people won’t be able to compete with us in a few years.”
Braden’s face lit up. The entire team sat up a little taller in their chairs and embraced a sense of purpose. After all, it’s not every day that the CEO of your company embraces security as a competitive differentiator.
The team used the three expectations set by the CEO to prioritize work. A year later, the security team got rave reviews from marketing, sales and other parts of the business. Everyone worked together and made a difference.
When the company got acquired by a competitor, the CEO of the new company publicly praised the security team for their work during the transition as a model for others to follow. Unfortunately, the new CISO didn’t clarify the same sense of purpose and most of the team left for other jobs.
Whether building your team or just making some needed changes, give your current folks an obvious purpose and reason to stay, or you risk losing them.