At a time when 60 percent of cybersecurity firms report difficulty retaining cyber talent, I would like to introduce a new method for increasing employee engagement and retention. In this article, you’ll learn to apply techniques from agile to guide your organization in connecting their work to the company’s overall purpose.
What’s keeping you up at night?
“I have 25 open cybersecurity positions that I can’t fill,” my friend Suresh, who is a CEO of a 250-person IT company, said to me recently. “But while talent acquisition is important, retention is our top priority. We don’t want 50 open seats.”
Suresh’s concerns echo ISACA’s State of Cybersecurity 2022 report, which surveyed more than 2,000 cybersecurity professionals. Findings include:
- 63 percent report unfilled cybersecurity positions
- 60 percent report difficulties retaining qualified cybersecurity professionals
- 59 percent report that the reason top reason cybersecurity professionals are leaving is that they were recruited by other companies
CEOs like Suresh are living it. But what can you do about it? How can you reduce the risk that your top cyber talent will leave you for another company?
The surprisingly least effective solution
The first solution people usually think of is money. Someone recently suggested that retention bonuses could make the problem go away. I think otherwise.
There’s a misconception that security people are tough because it’s a tough industry, and that tough people are best managed by the “carrot and stick” motivational approach.
That’s baloney. Security people are people, not mules. In his book Drive, Dan Pink backs this up by referencing the famous 1945 MIT study, “The Candle Problem” experiment, in which economists found that when a task calls for even rudimentary cognitive skill, a larger reward led to poorer performance. And he cites the 1949 experiment with rhesus monkeys, which found the monkeys made more errors and solved problems less frequently when rewards were added as motivators.
The financial package is certainly an important component of your talent acquisition strategy. But we’ve known for decades that things like retention bonuses don’t work. That’s because people are motivated by both intrinsic (internal) and extrinsic rewards.
Here’s the wake-up call: Companies need to find a way to cultivate intrinsic motivation, and fast. The CMMC mandate is expected in less than a year. Three hundred thousand defense contractors are going to be demanding help.
Cybersecurity organizations with open seats and retention issues will be unable to seize the opportunity.
A CEO’s story
My former client Maryanne is a CEO of a 90-person IT company. She was brought on to lead the organization’s expansion in the commercial sector.
Like many cybersecurity professionals, Maryanne is self-reliant and determined. She was accustomed to working long hours, expending incredible energy and flying all over the country at a moment’s notice to promote the business’s interests.
She thought nothing could slow her down. Even through her father’s battle with cancer, she was able to compartmentalize.
Then he died.
The funeral was in Alabama on Saturday, and she had to be in New York for a presentation to a Fortune 500 company on Monday. It seemed entirely doable.
There was just one problem:
“I got to the hotel after the funeral, and it hit me,” she said. “I literally could not stop crying. I knew I had to pull it together for my meeting, but I couldn’t.”
Come morning, it was worse.
Too shaky to leave the room, Maryanne called an executive, who was waiting for her at the client’s lobby, and said, “You all will have to do this on your own. I can’t be there.”
“Don’t worry, Maryanne,” her colleague said. “We’ve got your back.”
Engagement is the answer
Engagement is key to cultivating intrinsic motivation. People want to drill down, understand their work, and know how their work is connected to the organization’s purpose, and why the work matters. They want to feel passionate about what they do.
Because I’d been working with the company for some time, I knew there was frustration among the key executives who felt they weren’t fully trusted to take the lead in business development, even though Maryanne said that’s what she wanted. This was a chance to learn something.
As soon as Maryanne put down the phone, she began to feel better. When her team returned from the presentation, she was grateful for their comforting words and hugs. They briefed her on the detailed approach they had recommended to land the deal.
Maryanne was stunned. It was brilliant work. It showed a perfect alignment of values.
“I always thought I was the one holding the company’s purpose,” Maryanne told me afterward. “But here they were, during the toughest time of my life … they were holding it, too.”
I made an observation: When Maryanne acknowledged that she had both a personal and professional life, the heart of the company grew. There was room for everyone. That’s the kind of culture where people want to stay.
By the way, the customer said yes.
Creating an environment for engagement
A shared, meaningful experience is the best way to engage the team, heart and soul.
But you don’t have to wait for tragedy to strike. And while planned engagement may not be as dramatic as what Maryanne’s team went through, it can forge a similarly strong bond.
For example, try engaging the company in defining a purpose statement.
I also call them “why-phrases.” Like catchphrases, they should be intriguing, fun to share and almost impossible to forget.
There are two kinds of why-phrases: personal and professional.
“We’ve got your back” is a personal why.
A professional why that works, in my opinion, is ISACA’s “Digital Trust.”
ISACA’s official definition of digital trust is “the confidence in the integrity of relations, interactions and transactions among providers and consumers within an associated digital ecosystem.”
Digital trust is what the industry most wants. Confidence is everyone’s why. By leading with why, ISACA engages and inspires a community.
Purpose drives engagement. The business case is made by the Gallup Organization, which has been studying workforce issues for 50 years. Gallup found that employees engaged in the company’s purpose and values are 59 percent less likely to look for a different job within the next 12 months.
Focus on the why and you don’t need to know how to motivate people. When guided by a sense of purpose, people provide their own intrinsic motivation.
Is it hard?
Finding your why can be challenging. It’s all too easy to use jargon as a replacement. Most people are comfortable explaining the what-we-do and the how-we-do-it, but not why.
And that’s because they don’t know why. Never thought about it. Didn’t suppose it mattered.
But what if your why did matter? What if it inspired your top cyber talent to be 59 percent less likely to look for a different job within the next 12 months? What if it stirred a deep, abiding passion for your company that dramatically increased retention, performance and the bottom line?
How to find your why
As Maryanne learned, people can reach new levels of performance when driven by a personal and professional why that are connected. My company helps organizations like Maryanne’s with this process.
Your personal why
Since agile is a “why are we doing this?” approach to software development, we’ll borrow one of its tools, the scrum user stories. Scrum teams use these stories as a way to summarize things that customers need delivered to them. We’ll use them to find out what value our people want to contribute to (and draw from) the organization.
A typical template for user stories is as follows:
- As a
- I want
- So that
Before you drill down with each employee on this exercise, your top priority is to create an environment for them to feel like a person, not a function.
I recommend starting by adding time at staff meetings for connecting with each other as human beings. It takes only five minutes to pair up and answer questions like: “When did you first begin to care about cybersecurity? And why does it matter to you?”
Taking time to listen to each other brings forth that shared connection to both the personal and the professional why, and creates an environment where people feel that they are heard and known. That’s the kind of culture that you can continually build. It leads to deeper work, stronger ties and less turnover.
Your professional why
We use another scrum technique when helping organizations find their professional why. Like the user story exercise, the epic story exercise is designed to engage the entire organization in a shared why-finding experience.
The result: people feel connected, aligned and engaged in their work and the mission of the company.
An epic-writing template
Why do this exercise? To bring your professional and personal why together and get better results.
Assignment: fill in the blanks
- For _________ (customer) with _________ (problem)
- the _________ (solution) is a _________ (something – the “how”)
- that _________ (provides this value).
- Unlike _________ (competitor),
- our solution _________ (does something better – the professional why)
- and that matters to me because _________ (the personal why).
Having a why that inspires
The user story-writing exercise gives your team their personal why.
The epic story-writing process synthesizes the personal and professional why.
Combined, they contribute to a culture that is stronger, more resilient and more passionately focused on winning together, like Maryanne’s team in New York.
Once you have a why that everyone has contributed to in a meaningful way, you’ll see more people connected, aligned and engaged in their work.
But isn’t this what I’m paying my recruiter for?
In recent years the job description of a recruiter has changed. Today, a recruiter must be a gifted writer as well as a hiring expert. To write your job posting, they need a description that captures the company culture and vision so they can get people excited about your company and why they should join. So, they ask for a purpose statement, a professional why.
Typically, the hiring party won’t have one. Recruiters either have to take the time to gain a deep understanding of your business and its overall purpose—and craft an elegant purpose statement—or just make something up.
Recruiters are busy. Even if they had the time and knack for writing unique purpose statements for each of their many accounts, the value of having them write yours will be limited, for four reasons:
- New employees arrive to find the company culture is not as advertised
- The recruiter’s purpose statement is not part of the onboarding process
- No one in the company can recite the recruiter’s purpose statement
- No system exists for aligning the recruiter’s purpose statement with performance improvement and employee retention programs
The better path is to develop your purpose statement internally, with outside help if necessary, and give it to recruiters.
Keep asking why
In this article, you’ve seen why retention should be your top priority. You’ve read an example of what can happen when a company makes room for both personal and professional lives, and the culture transforms. And you’ve learned a new way to apply familiar techniques from Agile to increase engagement and retention: the user story and epic story.
What’s next?
Engaging the company in the experience of finding your why together is the first step in long-term employee engagement. Changing company culture takes time. You need a feedback loop to collect data, analyze and adjust.
To give a broad enough overview of the entire change management process, I’ve laid out six milestones. Finding your purpose was the first milestone. Future articles will cover the remaining milestones.
In the end, know this: when all employees clearly understand their work and see the connection between their work and the overall organizational purpose, you will have transformed your company culture.
About the author: Rob Macdonald is president of PlumDIBs (plumdibs.com) a content marketing integrator offering events and support for cybersecurity organizations that are having challenges engaging employees or potential buyers. Rob is the author of the book Targeting CMMC Leads. He is past president of the American Marketing Association, Baltimore Chapter and has been an award-winning columnist for the Baltimore Business Journal. He started his career as a writing instructor at Columbia College Chicago.