Cultivating CISO Retention During The Great Resignation

Posted May 24, 2022

The Great Resignation has exacerbated an already problematic talent shortage in the cybersecurity field.

The impacts of COVID-19 on the economy and the ensuing workforce trend dubbed the “Great Resignation” have caused many business challenges.

“In the cybersecurity field, they compounded a skills shortage that has plagued the industry for quite some time,” said Mike Stamas, co-founder and vice president of GreyCastle Security, in a May 5 webinar on the topic.

Recruitment of cybersecurity professionals faces several challenges:

  • Saturation: There are not enough qualified candidates, particularly talented and experienced executives such as chief information security officers, or CISOs. At all skill levels, growth of the industry workforce has not kept pace with demand. “The deficit of cybersecurity workers has more than doubled since 2014,” said Randy Waterman, solutions engineer at GreyCastle Security. According to the latest research by (ISC)², an estimated 8 million cybersecurity jobs will go unfilled by 2022.
  • Expectation: The new generation of workers has high entry-level salary expectations and prioritizes the quality of work life. “New college graduates expect to make $100k+ coming out of college, while in reality the average mean is about $50k,” Stamas said. “Organizations looking to hire [entry-level] cybersecurity professionals need to offer attractive benefits coupled with learning and development opportunities to encourage younger generations to choose cybersecurity as a career path,” said Amit Doshi, founder at MyTurn.
  • Competition: With virtually every company feeling the strain of COVID-19 shortages and the Great Resignation (or, perhaps more aptly, the Great Reshuffle), it is a job-seeker’s market. Potential employees can afford to be choosy.

Retaining existing cybersecurity employees is also challenging due to issues with:

  • Burnout: The nature of the work often involves taxing workloads and a “fire drill every minute” environment, Stamas acknowledged. According to a 2021 Forrester survey, over 50% of cybersecurity professionals experience severe stress or burnout, and 65% consider leaving their job. GreyCastle Security CEO Dan Kalil added to the webinar discussion, “Burnout isn’t all about hours, it’s about the mental switching that comes into play when employees deal with many different things being thrown at them.”
  • Compensation: Particularly since COVID-19 upended the economy, employees can feel that their salary is not enough or that better offers are available elsewhere, especially for highly sought-after CISOs.
  • Fit: Sometimes a company’s direction changes, or the employee’s or employer’s values change, and the two are no longer a good match. As an example, Kalil said of GreyCastle Security, historically “we made a conscious decision to become a holistic provider of cybersecurity, rather than limiting ourselves to a consulting role.” This was not necessarily a great fit for all employees, and the company respected each individual’s decision.

It is much less expensive and disruptive to the business to keep the employees you have than to search for and recruit new talent. Let’s focus on several measures to retain your most valuable assets: your employees.

Embrace the perspective of creating opportunities

“Several years ago, I learned that people aren’t looking for careers, they’re looking for opportunities,” CEO Kalil said. “It changed my approach to recruiting and retention: we create opportunities, and we live our values every day.”

Talk to employees about a professional development plan for their growth. “Show an employee where they could be in three years if they put themselves forward,” Waterman recommended.

Cultivate a healthy company culture

Work with your HR department to incorporate what the workforce is looking for today, Stamas advised. For example, facilitate the flexible work environment so many people desire. The pandemic opened up opportunities to work remotely or migrate to a hybrid work environment.

Combat burnout by exploring a shared services model rather than overloading already-taxed teams. “You don’t need a specialist in every area of expertise on staff,” Stamas said. “Finding a shared services model that gives you access to those cyber specialists may be more efficient than trying to develop a Swiss Army knife-type employee or fill all those positions.”

Establish a solid cybersecurity foundation

Start at the ground level of your cybersecurity program: make sure you understand where your most sensitive data resides and have the appropriate controls in place, Stamas said. Do a comprehensive risk assessment of your assets and develop your strategies for addressing the identified risks. “Once we’ve got that security foundation – we understand where we are and where we need to go, what we need to do to get there, have a clear plan and follow it,” Stamas said. “The result will be fewer fires to put out.” Having a solid, proven foundation for your cybersecurity program will promote less burnout and greater retention among cybersecurity talent.

If you need a risk assessment or help developing a plan, GreyCastle Security can help.

Protect yourself from key talent leaving

Sometimes good people leave great places, and it would be foolhardy not to be prepared for that eventuality. If a key person leaves, all their knowledge and procedures leave with them unless they are thoroughly documented, Waterman said. Rather than having all the knowledge reside with one person in IT or with the CISO alone, Waterman advised forming a steering committee.

Stamas elaborated, “Elevate the conversation about information security up to the business decision-making level. This visibility with finance, legal, even marketing and HR departments will enable you to more appropriately budget, as well as give you a legally defensible position from a compliance or regulatory standpoint.” Traditionally, organizations that work to empower the CISO retain them longer.

Even if you have established repeatable processes and thoroughly documented the plan’s procedures, it still takes people to manage and execute that plan. “You can implement as many tools as you want, but you need people to support those tools and provide insight on their output in order to have a successful cybersecurity program,” Waterman said.

Consider enlisting the help of a partner. GreyCastle Security offers a variation on the standard CISO model: through our virtual CISO, or vCISO, solution, you are provided not just an individual but a team to manage all aspects of your cybersecurity. Learn more about our vCISO solution.

Not sure what help you need? We’re here to answer your questions.