Editor’s note: The following is a guest article from Jess Burn, senior analyst at Forrester.
Leaders in the private sector need to update their security and risk salary bands to remain competitive, given the recent overhaul of salary bands at the Department of Homeland Security as part of its cybersecurity talent management system.
Yet compensation isn’t the only factor driving security talent attrition across sectors. Other factors also weigh heavily, including pandemic-driven burnout, unwelcoming workplace environments, and an unclear path for advancement.
At the same time, it’s not just the pain of filling vacated security positions that should concern organizations. Prolonged security vacancies leave organizations perpetually short-staffed and more vulnerable to attacks.
Forrester research found that 40% of respondents who reported lack of staff as a top security challenge also reported between two and five breaches in the last 12 months.
Succession planning drives engagement, retention and resilience
To reduce the attrition of top security talent and vulnerabilities associated with lengthy vacancies, security and tech leaders must provide a clear path for advancement, not just for managers but for all members of the team.
A transparent, inclusive succession planning program does just that.
This type of program helps identify future staffing needs and people with potential. Succession planning, and the conversations involved in the process, make employees aware of the linear or nonlinear options within the team and provide a clear path for advancement that keeps them with an organization.
It also reduces the risk of lengthy job vacancies for critical security roles by increasing employee engagement while building a ready pipeline of talent should a vacancy arise.
An effective, well-socialized succession planning program extends security’s influence across multiple functions and levels. The security team will be seen as a function that invests in its members, making it an appealing destination for talent looking to make a move internally.
Given the current state of security staffing, security leaders, senior management and the board should all recognize succession planning as a business resilience imperative.
Security leaders: 6 steps for solid succession planning
Depending on the size of your organization, it’s more than likely that a succession planning program exists for the C-suite and maybe some other top management positions.
If succession planning processes and tools don’t already exist in your firm — or don’t meet your needs — leaders should follow six key steps to develop a succession planning program for the security organization:
Assess the current state
Gauge the maturity of the program yourself or through an objective third party. Then review results against current organizational structure and composition as well as corporate goals, objectives and risks.
From there, determine, with your managers, the positions that you can’t afford to leave vacant.
Define scope and success
Identify critical positions to include in the succession planning program; for each position, define the ideal candidate and develop a job description. Since employees in critical roles have likely accumulated responsibilities and expertise over time, be sure that your expectations for these roles are in line with the current market.
Look outside your team, and benchmark the experience, skills, knowledge and behaviors against recent job postings from organizations similar to yours.
Next, collaborate with your managers and partners in HR to create success metrics based on outcomes.
Identify program participants
Look at the talent pool across the organization to find high-potential employees to fill critical roles. Tap into your HR partners for tools and resources to review and select talent.
Work with HR to broker conversations with the managers or department heads for talent identified outside your team. Discuss with your managers what skills your identified talent pool has right now, what they need to fill the identified roles, and the estimated time frame for advancement.
Communicate next steps — and listen
Program participants can now be informed of their inclusion via a meeting with their manager or skip-level. This is the time to listen and receive feedback from participants in the succession planning program.
Work with them to ensure that they remain challenged and lay out a path for advancement in seniority and compensation for individual contributors, not just those on a management path.
Develop with context
After initial conversations, your managers and those managers outside your team should work with each program participant to create a tailored development plan. Invest in a learning management system that upskills team members based on career paths and aspirations.
Ensure that participants have enough time during normal work hours for training.
Additionally, make sure they gain real-life exposure to their next role through job rotations and shadowing those currently in the role.
Revisit at least annually
Without succession planning, you risk employee disillusionment and departures. The best succession plans and programs are reviewed and refreshed on a regular basis.
Where do security leaders go from here?
As you build your succession planning program, be sure to include the resources needed to maintain it — and maintain the engagement and enthusiasm of your managers. Give them the time they need to mentor early career team members.
Also, encourage senior individual contributors to take on mentor roles and start sharing the institutional knowledge they’ve built up.
It’s important to note that your succession planning program should remain in place regardless of the job market or other factors affecting the security and risk talent pool.
As the economic downturn enters its early phases, team members may be more inclined to stick with their current employers. But they will leave as soon as conditions once again become favorable if they don’t receive a consistent message that their path for advancement is with you.