Countering Cybersecurity Turnover: 57 Companies That Do It Best

SANS Institute founder and director of research

What does it take to keep highly skilled cybersecurity employees?

Salary and benefits are table stakes. Challenging work, ongoing training, an opportunity to advance without having to become a manager, and a talented peer group all help companies recruit and retain these sought-after “ninjas”—the individuals who can do what artificial intelligence security tools can’t.

Research from the SANS Institute, a leading information security training provider, has identified 57 government contractors that do a better job of recruiting and retaining high-level cybersecurity professionals, based on the advanced technical certifications held by their employees. (See list below.)

Retaining talented infosec professionals is a major challenge. The non-profit Center for Strategic and International Studies (CSIS), a strategic security think tank in Washington D.C., found that rampant employee turnover has become so “institutionalized” among cybersecurity professionals in Silicon Valley that even companies like Facebook and Google don’t expect to keep their most-talented personnel longer than three or four years.

The SANS report, released Wednesday, builds on the findings of the CSIS study (which was funded by the SANS Institute). Taken together, the research offers some guidance for building IT security teams, whose essential value to businesses and governments grows with each new costly, disruptive, and damaging cyberattack.

Alan Paller, founder and director of research for the Bethesda, MD-based SANS Institute (his picture is at the top of the page), said the follow-up report focused solely on government IT systems integrators “because they compete for government business on the basis of the quality and number of ninjas they can deploy.”

A “ninja,” Paller explained in an e-mail, “is the person who can do the threat-hunting that eludes the [artificial intelligence] AI tools. She/he is the person who fights back against cyber weapons with rapid adjustments to defenses. The AI folks are doing well at replacing the ‘screen watchers’ but are not anywhere near the higher skills—yet.”

He described the report as a “first round,” and indicated the SANS Institute plans to evaluate other types of software companies as well. The 57 companies identified by the SANS Institute are:

Accenture | Deloitte | ManTech
ActioNet | Dyncorp | MAXIMUS
AECOM | Engility | Microsoft
Alion Science & Technology | Fluor | MCI
American Systems | General Atomics | Noblis
AT&T | General Dynamics | Northrop Grumman
BAE Systems | General Electric | Parsons
Battelle Memorial Institute | Harris Corp. | PriceWaterhouseCoopers
Boeing | Hewlett Packard Enterprise | Raytheon
Booz Allen Hamilton | Honeywell | SAIC
CACI | IBM | Salient Federal Solutions
CDW | ICF International | Serco
CenturyLink | Intuitive Research and Technology Corp. | Unisys
CGI Group | Jacobs Engineering | United Technologies
CH2M Hill | John Snow | Vectrus
Cisco | KPMG | Vencore
CSRA | L-3 Communications | Verizon
Cubic Corp. | Leidos | World Wide Technology
Dell | Lockheed Martin | Wyle

The CSIS report, released seven months ago, cited employment factors that elite cybersecurity experts value most—that is, once their threshold requirement for salary and benefits has been met. These factors also could serve more broadly as counter-measures against rampant turnover among high-level IT employees in general. They include:

—Challenging, high-impact work and a demonstrated commitment and continuing investment in training. (As a result, the most-skilled cybersecurity experts tend to have more professional certifications.)

—Flexible work schedule, and the ability to advance without having to assume management responsibilities.

—In what CSIS dubbed “the Kevin Durant effect,” highly skilled professionals want to work with others whose talent and work they respect. NBA basketball star Kevin Durant ostensibly left the Oklahoma City Thunder last year for the Golden State Warriors so he could play with better teammates and have a better shot at winning the NBA championship.

Author: Bruce V. Bigelow
