Provide training and education
"Training and education must be a continuous process for all security staff," according to Hord Tipton, executive director of information security education and certification firm ISC2. "Technology is changing so rapidly -- no one can keep up with everything that is changing and evolving. To a degree, a well-rounded security program must have specialization. Although organizations need people who understand the entire security process, they also need people who are specialized and totally up-to-date in the many areas that must be well understood before security can be implemented."
Offering your security team the chance to take professional development and education courses keeps them feeling refreshed and challenged. And it obviously benefits the organization, too. Well-rounded security professionals look forward to the opportunity to further hone their skills. If an organization neglects their need for frequent training, they will go elsewhere, says Tipton.
"For example, the amount of technologies that have emerged in the last year surrounding cloud-based applications, social media, virtual servers, and mobile devices has been overwhelming," says Tipton. "We must continually develop technical training that is specific to the jobs performed and matched to continuing professional education [CPE] requirements. Obtaining quality CPE [courses] is more important now than ever."
Offer opportunities for growth
Sure, everyone wants a raise and a promotion after proving themselves on the job, but that's not always easy, or even possible, says Zeltser. Organizational and financial constraints often put the brakes on desired title changes.
Instead, offering a security team member the chance to work with new technologies, or be exposed to new challenges, can provide a different kind of career growth that can also be satisfying and fulfilling, says Zeltser. It's really up to the individual to decide if they want to take on more responsibility without an actual promotion, but many will want to do it for the challenge.
"You might have a person who started as an entry-level help desk technician, became really good at trouble-shooting desktop-related problems, started dealing with malware in sections, and then gradually became interested in malware analysis and incident response."
In that scenario, Zeltser points out, the employee has rounded out their skill set and, consequently, gained career benefits, even if it didn't come with a title change.
However, it is a rare employee who will keep taking on new roles without at some point expecting rewards.
"If someone keeps adding to their responsibilities but knows there is no chance for promotion and knows they have hit a ceiling, they will eventually end up leaving."
Security is a career well-known for being high-stress and a likely path to burnout. That perception is backed by a 2010 survey conducted by the group of industry experts who founded SecBurnout.org. While the researchers felt that the 124 valid responses they got weren't enough to allow them to draw statistically meaningful conclusions, they were nonetheless able to make some interesting observations.
The data revealed that almost 13 percent of those surveyed were in what was referred to as a "red flag" area for burnout and were clearly in need of some intervention. A majority of respondents noted that they thought security was more stressful than other industries.
A variety of industry-related stressors contribute to this problem. For one, security professionals worry about the impact to the organization if there's a serious security event. For another, they're worn down by the tiresome task of constantly having to tell employees and management "no."
Zeltser suggests one way to address this is to educate security team members on how to better approach these situations.
It's rarely useful to simply tell someone "no," says Zeltser. "Useful advice is, 'You can't do it this way, and here are the reasons why.' And encourage them to find and offer alternatives, too, to the issue, so it's not just saying 'no.'"