You want the best on your security team. And once you have them, you want to keep them happy and keep them in your organization.
Three security career and management experts weigh in on what security managers need to do to retain top-notch security talent.
First, figure out whether you have the right team
"Don't assume the people you currently have in place are the people you need to have on your security team," said Lenny Zeltser, a senior faculty member with SANS Institute and a product management director at NCR.
Zeltser has hired many people over the years, and he believes the first step to retaining great talent is to ensure you have highly skilled, well-matched team members first.
"It is very difficult to admit to oneself that people are on the borderline in terms of personality and match -- and may not be the best for your organization. As human beings, we tend to want to stay with the status quo and say, 'This is the team I have here. If I have lemons, I'll make lemonade.' But that's not the right strategy."
That may mean changing job descriptions, restructuring departments, or shuffling employees to places where they are better suited. Or, in a difficult situation, letting some people go.
"Just like you provide feedback and review to employees once or twice a year, as a manager you want check in with yourself, too, on whether who you have on the team is right for its goals. Your security team may have had different goals when first created."
Evaluate your pay structure
If you've evaluated where your team stands and what kinds of skills you want to see in your department, it is time to look at whether your organization's compensation structure is up to market standards.
"Recruiting and retaining are essentially married," says Lee Kushner, founder and CEO of LJ Kushner and Associates, a recruitment firm for information security professionals. "Your current state of the organization has a lot to do with who you can bring in."
Kushner says one of the battles organizations face when trying to build their security team is the concept of internal equity. When recruiting for a security position, often it turns out that talent outside the company is earning more than the people inside the company. Obviously, this creates conflict between human resources, the recruitment team and the security department.
"I think it's important today for CSOs and CISOs to have better understanding of the market value of the skills of their security employees and be able to make the case to their management for reexamining their compensation, so they aren't put in position where they have retention issues."
Kushner also says the poor economy has given many organizations the false impression that they can get talent for lower salaries.
"I'm not going to be as bold as to say there is no unemployment among security professionals, but there is negative unemployment for highly skilled security professionals. When people are starting to add to their team, they have this nirvana, Shangri-la profile they want to recruit for. It's kind of like having champagne tastes and beer budgets. You get what you pay for."
In other words, make sure you're paying your current talent, and any future talent, what they are worth -- or someone else will.