At this point, we’ve all heard it ad nauseam — the “Great Resignation” is here. Employees are leaving jobs in droves. They’re stressed, burnt out, and seeking higher ground.
Over three-quarters of employees have experienced burnout, and more than half of even the youngest workers, 18- to 25-year-olds, have thought about quitting their jobs due to work fatigue. A whopping fifty-five percent of people in the workforce plan to search for a new job in 2022, signaling troubling times ahead for organizations already struggling to fill seats.
The Security Industry
The security industry is feeling that heat. Nearly 465,000 cybersecurity jobs stand unfilled across the United States, with the public sector hit the hardest. The global gap is far larger, at nearly 3.12 million unfilled positions.
Meanwhile, executives cite IT talent shortages as the chief barrier to adopting emerging technologies, including cloud migration, automation, and security tools.
In our own recent survey at Invicti Security of 600 development and security pros, 78% reported increased stress levels in the past year, and nearly two-thirds have considered leaving their job. That’s a talent retention red flag.
Vicious Cycle for Devs and Security Teams
This much stress fuels a vicious cycle for development and security teams, especially when they’re already stretched thin. Teams can’t focus on everything simultaneously, so they are forced to make difficult trade-offs about where to place their security resources.
Ultimately, that leaves companies exposed to threats from vulnerabilities, flaws, lingering debt, and burnout. Development teams, facing staffing shortages, are still under pressure to build more innovative applications at breakneck speeds, making needed security steps feel like a blocker to getting their job done. Something has to give.
Leadership Must Address the Talent Exodus
It’s time for leadership to step up and get serious about addressing the talent exodus. Security is no longer a daydream; it’s a strategic imperative impacted by the talent shortage. If you want to find (and keep) the best of the best and improve security know-how for your entire organization, working on solving these problems will point you in the right direction.
Zooming in: why cybersecurity is extra-ripe for turnover
With nearly half a million open IT security jobs in the United States alone, it’s no surprise that almost 60% of organizations are feeling the impact of the cybersecurity skills shortage. Unfortunately, organizations are still having a tricky time hiring and retaining skilled IT security staff, with 39% struggling to fill cloud computing security roles and 30% struggling to fill application security roles. But why is this?
For starters, the skills gap spreads like wildfire across businesses large and small. For example, the Information Systems Security Association (ISSA) and Enterprise Strategy Group found in a survey that 95% of cybersecurity professionals believe the skills gap hasn’t improved because of heavier workloads (62%), unfilled positions (38%), and burnout (38%).
It’s all exacerbated by the constant pressure to innovate and boost time to market in software development, especially by developers and siloed DevSecOps teams that lack the bandwidth and tools for success.
What About the Global Pandemic?
Factor in a global pandemic with dispersed and hybrid teams toiling away remotely for the better part of two years, and the situation just compounds. Cloud applications and changes to tech stacks need to be vetted, monitored, and secured within every organization.
That means increased demand for specific security roles whose skills are in short supply, and a need for eagle-eyed DevSecOps employees who can spot issues faster and more accurately.
High-stress levels from workloads, a lack of adequate tooling, and dispersed teams can all seriously impact an organization’s ability to retain staff and meet innovation goals.
Take it from ISACA: 66% of respondents said it’s challenging to retain cybersecurity staff, and 42% of organizations that can’t fill open security positions are experiencing more attacks as a result.
With dangerous new exploits always lurking in the shadows — like the zero-day Log4j flaw that recently broke the internet — gaps in security coverage are easy wins for bad actors.
Even the United States government is taking notice.
In November, the DHS announced a brand new cybersecurity hiring initiative to find and keep top talent and close some of those gaps for federal agencies. The aim is to modernize how the government engages, develops, and retains its talent, focusing on filling critical roles at the Cybersecurity and Infrastructure Security Agency (CISA).
Dangerous exploits slipping through the cracks are a big problem for the future of software security. But if closing the skills gap is critical and the difficulty of retaining talent is a symptom of a more significant issue, where do you start?
Best Results: Increase retention these five tried-and-true ways
There isn’t a silver bullet fix for anything when it comes to DevSecOps, especially when organizations need to constantly pivot their strategies to keep up with business goals.
But not having a cure-all for this ailment doesn’t mean waving the white flag. Instead, it means we need to step up our game and cultivate work cultures that include the best tech, the proper tooling, and enablement programs that get workers excited about clocking in.
1. Let’s start with the obvious: pay your employees their worth
It’s a problem plaguing most industries, but especially tech. When employees aren’t paid fairly, they feel undervalued, and retention becomes difficult.
Subpar salaries imply that you’re not keeping an eye on market trends, too, which means you’re ultimately running the risk of letting good employees walk out the door to other companies offering fair pay.
The recipe is simple: if you want good people to stay, you have to treat them well – including making sure they’re adequately paid for the market alongside experience, unique skill sets, and hard work.
2. Company culture isn’t ping pong tables; it’s about work that matters
Famed author and psychologist Adam Grant said it plainly: “The fear of being judged as weak or naïve prevents many people from operating like givers at work.”
Givers are essential to progress, new ideas, and development in a company’s culture. When you provide a safe and welcoming environment where everyone can make an impact, learn from mistakes, and grow without judgment, you’re more likely to see investments in your employees pay off – and keep people in their seats for much longer.
3. Broaden your candidate pool (and your borders)
As you rethink your company culture initiatives to be more inclusive, broadening your applicant pool can open new doors for fresh talent with diverse skill sets. And with the shift to digital presenting new opportunities for hybrid and remote work environments, you don’t have to box yourself into a single location.
When you extend beyond your usual borders and interview applicants you haven’t considered before, you might be surprised at all of the new proficiencies you uncover that will help solve complicated process and security challenges.
Rethink your prerequisites
Have you ever decided not to interview someone because they recently graduated from college or don’t have enough experience? Your talent pool is missing out.
Recent grads bring many benefits: they know how to work with limited budgets, have new perspectives on the world, were raised on modern technology, and give your established employees more room to grow as mentors.
Even better, fresh college grads and greenhorns without experience ask many questions, which can serve as a huge source of inspiration and creativity.
Drop prerequisites that box people into degrees or proficiencies, and instead focus on seeking applicants who understand current security issues and have a passion for figuring out the fixes.
4. Automate everything that you can
Manual security tasks are a drag. Beyond hurting morale, they can seriously impede innovation or halt new development projects altogether. And in the world of software, where delivery needed to happen yesterday, that doesn’t fly.
Integrating security tools directly into the SDLC at every critical point takes some manual work (and often rework) out of the picture.
Automation can help with accuracy, remediation prioritization, and reducing time-draining false positives. In short, automated security tools that plug into existing workflows make the lives of DevSecOps pros easier, which means less stress and happier employees.
One more time for the people in the back: automation reigns supreme
It’s clear as day that automation is now a critical piece of the AppSec puzzle. And the elephant in the room is enablement; when you make the lives of your developers and security professionals easier, they’re less likely to stress and more likely to stay.
So investing in automation to improve processes, save time, and reduce stressful manual work must be taken seriously.
Our survey shines a spotlight on how underpowered tools and manual processes are crushing efficiency: it can take an astonishing two weeks per team member on average to address their org’s current backlog of security issues — and that’s if they don’t work on anything else.
Add in other day-to-day responsibilities, and realistically you’re looking at more like four to fourteen weeks of attention-draining work.
What About the Accuracy Issues?
It’s an accuracy issue, too. Over three-quarters of respondents say they are always or frequently forced to verify vulnerabilities manually. False positives undoubtedly play a role in this: 96% report false positives as problematic at their organization, and 39% say they increase friction between development and security.
But the great news is that employees look at automation favorably – 60% agree that automation can help, especially for developers who operate with secure coding best practices in mind.
Automation Alleviates Stress Points
Automation also alleviates stress points around “hidden” potential threat areas, such as APIs, supply chains, and third-party vendors. Web APIs, in particular, often add to unforeseen risks organizations face daily as they expose a larger attack surface for threat actors to exploit.
Automating security right in the software development lifecycle while staying on top of APIs and all of those critical software handoffs in the supply chain helps shrink that attack surface significantly.
Chasing false positives, API security, time-intensive manual verification … imagine automating those processes and critical elements of AppSec. You could free up weeks (months!) by taking the burden of rote, repetitive tasks out of your IT security staff’s hands.
They’ll also have a more significant impact on the organization, which positively impacts retention. The employee who spends more time squashing dangerous vulnerabilities is bound to feel more fulfilled at the end of the day than one who spends hours chasing tedious false positives.
5. Setting the stage with Security Champions
You’ve got all the right actors in the right roles, they know their lines and can communicate well, and they have the best tools for the job. So how do you keep that momentum going and ensure that you can work through any new or long-term issues that make talented employees scramble to update their resumes?
Security champions programs work well for many organizations because they spur more participation in security efforts and help leadership stress the importance of AppSec.
Security Devs and Pros Keep Businesses Safe
As the most highly skilled developers and security pros, and the ones most passionate about keeping the business safe from exploits and threat actors, these men and women help you spread messages and best practices and can even attract new talent.
They also speak up about critical tools and processes missing from the puzzle, which reduces stress and boosts bandwidth.
Security champions programs are a morale booster, but more importantly, they make DevSecOps professionals feel heard. Use the program as an opportunity to celebrate wins, improve education, and foster growth so that the skilled people on your team – and the ones who will join in the future – operate in an environment where they want to plant roots.
One small step for security, one giant leap for DevSecOps
Reframing your approach to discovering and retaining talent in cybersecurity is no easy task. But if you make a series of minor improvements towards better agility and ample security coverage, you’ll see positive impacts on productivity, innovation, and employee satisfaction.
And that’s mission-critical: hardly a week goes by where there isn’t a significant breach in the news that sets hair afire for development and security alike.
Agility is such an essential aspect of making the lives of DevSecOps professionals easier. The good news is that we can cut back on industry-wide headaches by empowering good employees.
Agility will mean replacing your legacy tools with updated tech stacks and building enablement programs that fix problems. In addition, you will want to use automation to save time and sanity, and widen your worldview when looking for new skills.
Only then can we take serious strides in retaining talent and closing the glaring skill gap holding cybersecurity teams back.
Image Credit: Saksham Choudhary; Pexels