
Thank you, Kathleen. All right, so if you thought the last talk was good, this really builds upon a lot of that; it's almost a continuation of it, which is great, so well done, Kathleen, on managing that. I'm a social scientist and I work at Endgame. I do a lot on the intersection of geopolitics and cybersecurity, but given my social science background I've also done a lot of analysis in the past on institutions, cultural change, organizational shifts, all those kinds of things. I've been in the security industry about five years now and noticed that a lot of the stuff I used to study, which applied to geopolitical conflict and interstate conflict, could actually be carried over: I could take some of those lessons learned, some of those policies and strategies, and apply them to what I was seeing within the security community.

One of the things I noticed, especially compared to the military and academia, where I've also worked, is that the security industry is unique in some of the retention challenges we face, and I wanted to dig into it. That's what social scientists do: we want to start looking at the human behavior aspects of it. So I did a study of it. I'm going to walk through the findings of this study and then some of the social science theories and strategies for addressing some of the retention challenges.

Basically, about a year ago I did the analysis. I'll walk through the analysis itself and some of the key findings, and then I'll talk about the recommendations for helping retain more people within the community itself and within organizations. Within the industry we talk a lot about the workforce shortage; that's something I think all of us know really well, so I'm not going to dwell on that so much. What's focused on mainly is the pipeline problem; I didn't see much going on in the area of retention, and so that's why the talk before was great, because it started to talk about some of the challenges we see with retention. I want to dive a little bit deeper into that and look at what some of the causes might be.

So I did a survey analysis. I actually did it over last summer, and Jack Daniel helped me propagate it throughout social media, which is always helpful, because this is actually a challenging community to get people to respond to surveys, as Kathleen probably found out as well with her analysis. A lot of people think you're out there phishing for something, and I got a lot of comments along those lines, but that's all I was doing. At the end of the day I got a little over 300 respondents. I'd prefer a bigger n, but you take what you can get. The distribution was about 80% male, which is actually a little bit different from what our community is, so not awful. What I was especially interested in was the industry breakdown, and it was fairly consistent across the board, so it isn't one of those things that leans heavily towards startups or government or so forth; there really was a broad spectrum of respondents, and I was very happy with that.

The survey was about twenty multiple choice questions, which is a good way to frame the analysis because people aren't willing to put in an hour to respond to anything. So you do the 20 multiple choice questions that covered a range of issues as far as why you stay, why you go, some of the key causes, then a little bit of demographic information, and then different areas for comments. I include some of the additional comments; a lot of people actually did take the time to write in additional comments, and they all pertained to retention.

There were three key findings that I found. One was on career limitations, and this to me was one of the more interesting ones. It may come as a no-brainer to a lot of people within the industry who knew that career progression seems to stop if you want to stay doing technical work, and that's what a lot of people said over and over again. So there's that lack of advancement, the lack of professional growth, where people felt like they were stuck in a sort of hamster wheel doing the same thing over and over again without seeing any progress available for them. In a lot of other fields that isn't there; they kind of know where you're going to be progressing, you know that if you work for 30 years, there's that high level you can aspire towards, and it's not quite there yet in security. A lot of people say, well, it's because it's so new, but it's not so new that that should still be an issue. So that's one key takeaway.

The manager or boss issue I think is pretty much across almost any industry and not something that's necessarily unique here, but it's interesting to see it reiterated. The lack of challenging work I thought was especially interesting, probably because we hear about how challenging and how cool the work that we can be doing in security is. I think a lot of it is that when people are coming in, they start doing a lot of the same kinds of processes and redundancy in their work, day after day after day, instead of being able to evolve into the higher-level and more sophisticated work. So I thought that was an interesting aspect of it that we don't hear talked about very much. And then the lack of opportunity for technical management: a lot of management basically requires doing more of the timesheets and so forth, versus helping technically develop the workforce.

This is just one of the quotes that was in there, which gets back to it: within organizations, when there is little understanding of security or of where security should be placed within that organization, there is no set career path. A lot of the different comments along those lines talked about, oh yeah, they placed us in IT, we don't really belong there, or they placed us over here and we were sort of an island. So a lot of those kinds of issues were talked about in some of the comments. And these are some of my favorite comments from Twitter; I think they dive into a lot of this a lot more, especially when we start to look at what kind of people we're hiring for, and the kind of experience doesn't necessarily match what people are doing. So here are a couple of my favorite ones in that area.

Burnout is next, and I think that again comes as probably no surprise to this community, but what's interesting is that to the outside world it actually is a little bit. I was just interviewed, and Jack Daniel was in it as well, for an MIT Technology Review article that came out today on burnout, and it's starting to gain greater visibility; Black Hat's got a whole track now on these kinds of issues. But it really is one of the major causes for people leaving both companies and the industry. I asked both of those questions, because why people leave the company and why they leave the industry can be two different things, but they were pretty consistent in this area. Part of it was that security basically rested on the shoulders of just the security professionals and wasn't dealt with as a whole-organization responsibility, and so the accountability rests on one person, and because it rests on one person, that means they're constantly working overtime. As we all know, there's no rest time during any of this; things don't stop. Generally a lot of these major attacks happen over holidays, which are really an opportune moment. So I put up just some more comments along those lines, but it is the constant stress.

The paper in the MIT Technology Review today I think is pretty good; it covers a broad range of these topics. It also gets back to some of the feedback cycle: you're still working really, really hard, but with your customers, when you're trying to prove something that might be unprovable in many ways, especially to customers who may not understand the technology aspect of it, you really don't get the accountability or the recognition for all the hard work that you're doing. Then again just a couple of comments on burnout, and I'll address some of these more going into the recommendations, but one of them is on vacations. I think probably all of us, unfortunately, do a fair amount of work on vacation, more than we should at least, and as every other study shows, vacations actually should be a time for taking time off; you actually come back more refreshed. But that's not really how a lot of us do it in this industry. I mean, that's something we see in other industries as well, but I think it's especially pronounced in security.

And then finally we talk about industrial changes, so that gets into changes in the industry culture, and part of it isn't necessarily what we hear about a lot. Some of it is that half my respondents were between 31 and 40, so when we see all the cultural stereotypes that are out there of the 15-year-old hacker, it's not actually reflective of the security industry itself. So part of it is that there's a branding challenge that we have within the industry, and some of it falls on us, but it can also fall on the companies as well, to reshape this vision of what security is, what the job potentials are, what the opportunities are, those kinds of things. A third of the respondents pointed to security culture as an issue, and a component of this is one aspect that kept being brought up in the comments: a bro culture. It was all self-identified males that made those comments, which I thought was especially interesting; I also think a lot of women are just tired of talking about it, but the men were very vocal as far as the negative impact it had on them as well. So I think you see that as well in some of the tweets on the right, basically issues with the social aspects being heavily reliant on drinking, all the manels that we see out there, those kinds of things. Together they help build this culture, and you take that culture and you combine that with the burnout, you combine that with the career progression, and you get a lot of retention challenges.

On the positive side, there's potentially what makes people stay, which is something we do also need to be focusing on. These are some of the top aspects for what keeps people staying within their jobs. I think these are fairly similar and aren't necessarily unique to the security industry, except for the mission aspect. I mean, the mission here I do think is extremely important; it absolutely can be viewed as weighted heavier and more important than we see in some of the other tech industries, so I do think that's something that as an industry we should absolutely take to our advantage when we're trying to retain people: that it's about the impact that we can have. Stimulating work as well, sort of the mirror image of the lack of challenging work, so that's no surprise. A supportive boss or manager keeps you there, whereas an unsupportive boss or manager is why you leave. Professional development, which again was talked about in the last talk, is extremely important, and again how professional development is actually applied is really, really important. Just putting money into a professional development box that no one ever uses really doesn't count as professional development, and unfortunately a lot of companies just do it that way; they think they can throw money at it and move on from there.

So what can be done about all that? I think probably for a lot of us those three high-level findings, the lack of a career trajectory, some of the cultural aspects, and burnout, probably don't come as much of a surprise; I think we all have felt at least one, perhaps all three, of those, and that's something that may make us question whether we belong in this industry or whether we want to retain working in this industry throughout our career. So we know the problems are there, and identifying the problem is obviously part of the solution, but we need to actually start looking at solutions instead of just continuing to highlight some of these challenges. I feel like for a while, in the last few years, when we see media reports on the security industry along these lines, a lot of it is just highlighting the problem without really getting into solutions. So what I want to do for the remainder of the talk is really focus on some solutions, or ways that I think we can look at addressing it. By no means do I think I have every solution in here; I think everything has to be customized to organizations and so forth, but I think there are some overarching themes that have been proven time and again organizationally to help improve retention within companies.

In social science, one of the key ways we break things down: social systems are extraordinarily complex, they're open systems, which makes it even harder, so many of those system dynamic models I argue don't work really well at all for social system analysis, even though I've seen that tried before; it tends to be a disaster of a spaghetti-ball chart. So instead of looking at something like that, we look at the agents, who are basically the motives and ideas of individuals, and look at the individual aspect of it, and then you've got the structure, which is the environment, the institutional constraints, the various parameters that are out there within which the agents function. Honestly, there have been lengthy dissertations on which matters more, agents or the structure, and there are huge debates on it, and at the end of the day they both matter. So that's my perspective: we need to look at both.

I'll start with some of the structural factors within organizations. One is the policies, and the first one is performance metrics and recognition. Looking at the survey responses, a lot of the folks highlighted as part of the reason for leaving the lack of recognition, to the point that they're working very, very hard, and if they complain about being tired or needing time off, they're told they're not passionate enough about their work. So we need to actually start looking at what the performance metrics are and how we're recognizing people for the work that they're doing. When some of those things, say a breach, happen over some course of time, how can you integrate something like that into some of the metrics? How can you integrate something so that even if a breach does happen, people aren't going to be concerned that they may lose their job because of it? So there are some issues along those lines that we really need to start thinking about as an industry: how can we start rewarding people for their performance, for their hard work, in a way that actually takes into account the unique aspects of security?

Another one is the notion that security professionals within organizations are the enemy. I heard that a lot in some of the comments: when going around trying to help different people out, trying to update their systems, help them learn some patch management, working on two-factor authentication, some of the very basics, there's a lot of organizational pushback against the security folks, and so they felt like they were working up a river trying to do their job. We need to have that shift in the mindsets, where the security professionals within organizations are viewed as friends, as allies, as there to try and help make the organization succeed in the business, not there to be a hindrance, not there to slow everyone down. And it's going to take a give-and-take, right? So security professionals also have to understand that the people they're working with have their own job to get done and have their own business incentives, and so it does go back to where the incentives are, where people are trying to go, what they need to do for the business, and trying to find a happy medium and work together instead of seeing it as an enemy.

Another aspect is leveraging technology. Again, we're starting to see more of this come to security. A few years ago when I joined security, most interfaces I saw (I used to do a lot of user experience interface research) looked like they were about 20 years old, right? Where we saw the technology industry and a lot of the applications move ahead and really leverage the user experience component of it, security seemed to be lagging a little bit behind in that, or quite a bit behind. I think we're starting to catch on to that and realizing that we can leverage more friendly user interfaces and some aspects of automation. You leverage automation where it's relevant, you leverage user interface and user experience where that's relevant, and really optimize the human-computer interaction. That's where we can start moving ahead to make a lot of the work more accessible and also more efficient: more accessible for more junior analysts, and more efficient and timely, with less of that redundant kind of process for analysts across the board.

PTO policies I think is one that's especially important. It seems like a no-brainer, but I think it gets overlooked a lot as well. Especially if you have a completely open PTO policy, that tends to be something that a lot of people don't actually use as much as they would if they were given X amount of weeks during a time period. So we need to find a way within companies, and every company is going to have some different strategies for this, that when someone's on PTO, we don't bug them with emails, we don't expect them to be producing whatever reports or projects, we don't expect them to be available 24/7 for various phone calls. I think that's really hard. It requires some sort of mindset shift, but it also requires getting to a point where other people can help each other out and carry on some of the responsibilities. So I think that's a really important thing that we need to work on.

Then some of the corporate social events, which gets at some of the cultural aspects of it. Are all the corporate social events happy hours with drinking, or are they all things that basically appeal to a certain subset of the population and maybe not to the other subset? We need to find a variety of things, and this can be everything from a book club, which may work for some group and that would be great, to the happy hour (which doesn't mean no drinking at all by any means; I'm just making sure that's not the only option), to sporting teams, getting people who are athletes together for morning runs, those kinds of things. Just finding other activities outside of work for people to find those interactions, because those interactions outside of everyone sitting at their keyboard are really, really important. It becomes even more difficult when you start thinking about a distributed workforce, but there are ways; we have to creatively find new, meaningful ways, various outlets for people to work together and find something to talk about outside of work, because when you're having those discussions outside of work, somehow they often weave back into something about work that you wouldn't have come up with otherwise. There are those spontaneous conversations that I think are really important, and they rely heavily on those social interactions and on ensuring that those events are accessible across the board for the entire demographic and aren't just aimed at a certain group of people, ensuring they're not just reinforcing the problem but actually helping to try to solve it.

Conferences, which is relevant since we're here right now, and I will say that besides Las Vegas, I think this is one of the better jobs at creating a more inclusive environment. About 95 percent of respondents attend conferences. They're a very big deal in this industry, I think as we all know, more so than in some other industries. They're great for professional development, they're great for networking, they're great for hiring, they're a really good way just to learn more about the cutting edge of what's going on, and we all know these things. The problem is when some of these conferences reinforce the challenges. Even if as a company you're doing all the right things, you've developed a career track, you're doing great things for growth, if when people are going to conferences they're having really awful experiences, they're going to bring those experiences back to the company and may not want to stay within the industry. So some of the experiences at conferences are what people spoke about, and that's one thing we're talking about, the boomerang effect: even if companies are doing things right, if the conferences, which are such a key part of the community, aren't doing some of these things right, it may have a negative impact on those organizations.

So there's been a lot around codes of conduct and actually complying with those codes of conduct, so I won't go into that much. The speakers, the representation, all those kinds of things: ensuring that those speaking at the various conferences are more representative of a broader workforce I think is really, really important, and some conferences do this much better than others. CFP processes I think are actually really interesting. I've been on a handful of different review committees, and how you end up doing them really has a big impact on the range of speakers that get accepted. When you do blind reviews, when you do double rounds of reviews, those kinds of things, you start to get a different look at the various speakers that are coming in, and I think that's really, really important, because there's a lot of unconscious bias: we know who this speaker is, we know they're going to do a good job, we've never heard of that speaker. That limits new people from coming in, and so that limits their own professional development, but also ensures the same voices are heard every time. I've personally gone to conferences where there are new speakers and I've never heard their opinions before, and I think that's a nice way to grow and learn from new people.

Another aspect is sponsorship and professional growth. All the companies out there are saying they're in favor of creating a more inclusive security environment, so sponsor some of those aspects as well, and use those for professional growth, because some companies are much more willing to send their people to conferences than others. So I think again, saying that you're in favor of professional growth and then enabling it is another aspect of it. And the quote on the bottom I think drives home a lot of the impact of conferences; I think it really is those network effects, with publishing work, finding co-speakers from different companies, all those kinds of things that help people stay within the community and really enjoy the community.

And then finally visual cues, focusing on the structure of the workplace environment and decor. This is one of the things I've heard so many times from leaders: well, we bought a ping-pong table and a beer fridge, so why aren't they happy? That's not really what I'm talking about. What I'm talking about is the workplace environment and decor, and actually one of the things on the slide for why people stick is where they put these perks (not the benefits, not health care in those contexts, but perks as far as the beer fridge and ping pong or foosball or whatnot): people don't care about those when they're actually making their final decision. So I'm not talking about that, although that's what a lot of leaders may say; they're throwing money at it because that's the easy thing that they do, and I'll say that in many ways it's putting lipstick on a pig; it doesn't necessarily work very well. But the workplace environment at the same time does need to be something that's not offensive. It needs to be somewhere where people who tend to like to work on their own have a private place to go and develop, while at the same time having places for people to work together as groups, providing places for social gathering, all those kinds of things, understanding that people work in very different ways, and at the same time also ensuring that the decor matches the culture the company wants to have.

Then swag, and this one I think is actually really, really important. When I first started at Endgame we didn't have any women's shirts that we gave out at conferences, and that drove me nuts, unfortunately. That has shifted a bit, and I've started seeing more of other companies doing that, but just little things like that signal to various groups that, okay, you're welcome here, you have a place and you belong here. Not doing things along those lines really has an impact. The same thing goes with, if you're here as a conference sponsor and all of your swag has to do with alcohol, perhaps you may want to consider doing something else as well, like a notebook, I mean, who knows, but just start broadening it out to make it inclusive to a broader group of people. And then, when people first walk in (this gets back to some of the recruiting that was talked about earlier), people also make that quick decision when they're walking into your office, to decide whether they want to work with you, and when they're looking around at the decor, if it looks like a welcoming and open place that might be doing cool work, they're going to be more prone to take that next step and consider it. If they walk in and all of a sudden they really don't feel like they belong there, that's made up in 15 seconds, and that's a very hard image to shake.

So those are some of the structural aspects, and I'll run through the leadership and personnel aspects now really quickly. We just did all the environmental aspects; now what can people as individuals do? Then leadership: what's highlighted is that this is a leadership issue and not necessarily an issue for other people. I don't believe that at all. I think leadership is necessary but it's not sufficient. Leadership absolutely has to lead by example, and that's sort of the no-brainer. If all your leaders don't talk about any of these shifts, don't talk about professional development, don't talk about how they're handling burnout, and across the leadership board it's a pretty homogeneous group, that's setting the example, so that's what I mean by that. They also need to establish the policies. When we talk about those structural factors, the policies actually have to help promote that, and one or two good examples is professional development: ensuring the policies are in place so that people can then leverage a lot of those professional development opportunities that are out there. Also, it's not all about the money, and that's where we see a lot of metrics, especially in the tech industry, for, oh, we threw however many millions of dollars at inclusion or at development, and they find that nothing has shifted after a year, after two years, after three years, because just throwing money at the problem isn't the solution. It has to be smartly allocated, and I'll say a lot of these solutions in my mind don't require much money at all; some of them are actually almost free. It's not completely free, but just throwing money is not going to be the end-all, and I think that's also getting to be a lazy way for leaders: they think they're addressing an issue when they're not really. Then representation: they can ensure that as far as helping with the recruiting process and so forth. And the metrics: actually helping to work with the various technical teams to ensure the metrics are appropriate for the jobs at hand.

But for the rest of us, who may not be in the C-suite, something I'd point to is cultural entrepreneurs. Policy entrepreneurs are people who see a gap in policy and go through and help push through new changes in those policies, and I think cultural entrepreneurs can do the same thing. That's where you're coming from the grassroots up, and so it's not just a leadership issue; it's not only on leadership to address all these challenges. That's on all of us as cultural entrepreneurs within our organizations to help be the change that you want to see. Other people aren't going to do it; if you just sit back, nothing is going to change. So it is on all of us. That helps foster social capital, and social capital is basically the linkages across and within teams that actually help lead to things like economic development, more stable governments, all those kinds of things, and the same is true in organizations. So it's this notion of leadership from below.

To summarize, and we'll leave a minute or two for questions: one, there's no easy button. This is the one thing that kills me on all these things for retention: it's like, oh, we're going to throw some money at retention and it'll work. That's not how it happens. Or, we'll just get a ping-pong table and people will be happy and stay; not how it works either. So it's not easy, it's actually quite hard. It actually requires a lot of the human element combined with the technical element, which I think is why so many organizations struggle with it. So there's no easy button, but in my mind it actually doesn't require a ton of money to do a lot of these things; they're very, very simple, especially for small organizations, and it shouldn't require much money at all. I actually have a lot more details on the results of the study in the white paper itself at the address below. It's a white paper that goes into a lot more detail, listing some additional links and so forth on this research. So thank you.
We have time for one or two questions. Any phenomenal questions? Margaret, do you have any questions? Calling you out.

Yeah, I saw something you had tweeted this morning about an article talking about stress in the cybersecurity workforce. Do you go into that at all in this white paper?

I do a little bit, yeah. The whole paper's not about that, but I do talk about it a bit more within the paper itself, and as part of the underlying issues leading into the burnout aspect.

Gotcha, thank you. And just out of curiosity, of the respondents to the survey and some of the data and the research that you've done, do you see a difference between smaller companies and larger corporations in how this manifests itself from a retention perspective?

Yeah, so I asked about sectors but not company size, so quantitatively I can't answer that. Qualitatively, I can go totally from talking to folks. I've given this talk a couple of different times, and the first time I gave it, I got someone from JP Morgan Chase who basically said, this is great, I'm going to implement it, and it works very well with how we're thinking about addressing retention. Following up with him, it seemed like good strategies for companies, and that's a pretty large company. Then we've applied some of these at my company when we were 60, 70 people. So I think at a high level there are enough commonalities; it gets to the notion of customization per organization. I don't necessarily think it's the size of the organization; I think it's making sure to adhere to the business and cultural objectives within the company itself. The large companies, something like JP Morgan Chase, are going to be very different from the security at Exxon, right, and how they're going to be fitting in with the rest of the company. So I think that's probably more what I would think about, but at the end of the day I think the overarching strategies can work, and the findings probably are pretty consistent; it's going to keep getting to the details of the companies themselves where we start tweaking it.

One more question. Okay. And for our friends in cyberspace, if you could speak into the mic so we can hear your questions and then her answer.

How do you address the requirements section of job postings, where on one hand HR wants to not have a deluge of applicants, but you don't want to make it so intimidating that people perhaps with intuitive knowledge or on-the-job knowledge are too intimidated to apply?

Yes, I think that's a great question. I've stated that elsewhere; within this I focused more on retention, and I view that as pipeline, but I've done enough research into that that I do have some thoughts on it. I think the way that we write our job descriptions generally is really harmful to what organizations are looking for, and that's sort of on the one side of the different tweets about, we want to hire a professional with twenty years of some language or something along those lines. It's written as a joke, but there still are way too many along those lines, or we want someone, oh, we'll hire you as a junior, but you have to have five different certs, and maybe those certs aren't even relevant for the job they're going to be doing. So I think also the talk before did a really great job talking about how we start doing a better job making the job descriptions match what the jobs are actually doing, and as an industry thinking about how important the certs are, how important the various educational tracks are. I mean, that's for me, I know I've worked on teams that have
someone who didn't graduate from high school with a PhD on the same team working side by side and both are phenomenal both contributed enormous ly to our company and I would not weigh the value of one or the other so we have to understand that there's so many different career trajectories into security I think I only acted in Twitter a little while but they did sort of like tell us where you're tracking it into security and everyone's story is so very very different in the JavaScript something need to better grasp that better grasp in the nuances especially when we're seeing that the all the technologies are changing so so fast if what people actually stay longer than
that that detect that technology life cycle when you look at more of the things as far as you know curiosity and teamwork and critical thinking in addition just their technical technical skills so I think we've a long way to go with industry that's the that's my I think that we're acknowledging that that's a problem but I haven't seen a ton of change coming in that area yet so the the Twitter handle that or the Twitter hashtag she's referring to as my weird path into InfoSec actually several well-known people have sort of outlined threaded on Twitter what their career path has been and I've actually done two or three presentations on that Andrea thank you for finally coming and presenting at
higher ground let's give her a round of applause [Applause]