We’ve said before that it’s incredibly challenging to measure and assess performance management in cybersecurity, but it is crucial if you are to improve team effectiveness and retain your top talent. With a global shortage of skilled cybersecurity experts (the workforce needs to grow by 145% to meet demands), there are steps you can take not only to retain top talent today but also to ensure you have a skilled team in place for years to come. The key is addressing employee progression and succession planning.
Succession planning is where you identify individuals who you believe could step into a more significant role should it become available because the person currently in place retires, leaves or is promoted. By identifying who could fill a future role gap, you will be able to act quickly to minimise disruption to the team and its operations, and prepare the “next-in-line” for the step-up by equipping them with the training and knowledge they need in advance. Internal promotions also mean that you may only need to go externally to recruit for junior roles, and recruitment costs are much cheaper at this level.
Employee progression is the term used to describe how an employee should move up the ranks within a business, acquiring more knowledge and skills, and greater responsibility.
By ensuring you have a progression plan in place for every member of your team, you’ll find succession planning reasonably straightforward to do.
The answer is yes. Without one, employees could leave. According to research, 76% of employees will seek other job opportunities if they feel they’ve been passed over for a promotion at work. Furthermore, 59% of millennials say that progression opportunities are extremely important when applying for a job.
Set up a plan and keep your team happy, or leave it too late and you could be facing multiple gaps in your team as well as recruitment and onboarding costs amounting to nearly $42,000 (£30,000) per employee.
At some companies, the senior leadership teams (SLT) even share their succession plans with each other and their direct reports to aid more effective planning and collaboration. Some also encourage listing multiple names as potential successors for each role to ensure several options are in place. You may find you need to change your plans quickly, and having backups is always a good idea.
The first step is to look at your team’s roles and how these could change over time.
Unfortunately, there is no typical structure for a cybersecurity team, and with many cyber roles, progression is very much based on time served. For example, many businesses will go on a grade model of Junior, Consultant, Senior, Managing etc. We believe this model only works provided that the individuals acquire new skills and knowledge during the time served, making them worthy of a promotion. This is another reason why progression plans are so important.
There are also many niches within cybersecurity to factor in to ensure your team has everything covered.
A good guide for developing your workforce and building job roles for each level is from NICE (National Initiative for Cybersecurity Education). It provides a set of building blocks for describing the tasks, knowledge and skills individuals and teams need to perform cybersecurity work.
Next, consider the marketplace. We already know there is a skills shortage within the cybersecurity industry, but which specific skills are rarest? Which of these are essential for your industry? This could be the area that you solve internally with training for your team.
Also, look at the support services available to you. Which elements of cybersecurity are being automated? Perhaps this will affect future headcount or the need for specific skills. For example, at RankedRight, we take your team’s admin away – automating the vulnerability triage process based on their rules so they can get on with the critical work of addressing the IT threats to the business.
With an idea of what your team should look like in terms of headcount and skills in the long term, you can then make sure that the progression plans you build align.
If you read our guide on how to measure performance management, you should have a clear idea of the strengths and weaknesses within your team. Next, you should talk to each team member about their career aspirations. Find out what’s driving them. Do they love learning new things? Do they crave managerial responsibility? Do they feel they’ve reached their perfect place and are happy as they are? Is their dream role out of reach within your company?
Asking these questions will enable you to identify who has one foot out the door and who is primed to take on more. Those keen to acquire more skills could be given training in the areas you’ve identified as weak areas on your plan. Those you’ve marked as at risk of leaving become the priority roles for succession planning.
It might help to feed back your thoughts to the SLT at this stage, as they may present challenges you have not considered, which will inform your thinking.
Not only that, but when your succession plan needs to become a reality and you need approval to promote someone, having the SLT’s sign-off at the planning stage should prevent any delays or obstructions.
Finally, it’s time to document the plan for each employee. At RankedRight, our goal is to help drive efficiency, which is why we’re not going to recommend you waste time creating your own employee development plan template. There’s a ready-made one by Process Street that will give you everything you need.
Of course, nothing is guaranteed even when plans are documented, and your team must understand this. Perhaps, if you cannot give them exactly what is set out in the plan, you can reward their efforts some other way.
This may feel like a lot of work, but when the cybersecurity industry is renowned for high stress and burnout, it will be one of the most important steps you can take to increase and futureproof your team’s value to the business. It’ll mean a great deal to your team too.
Want more help with your performance management? Read how RankedRight can help.