Successful Strategies for Onboarding New Cybersecurity Talent
When a candidate accepts an offer, the recruitment process has reached its sixth and final phase, as discussed in the CISO Hiring Guide Series, published by The CISO Collective sponsor Fortinet. But those who think their process of recruiting ends when a candidate accepts an offer, they are mistaken. Recruiting is truly about attracting, optimizing job performance, and retaining top-quality candidates. To prepare new cybersecurity employees for success in their roles and to retain them for the long term, CISOs must collaborate with their HR leaders to carefully plan and diligently execute structured onboarding processes that cover everything from basic new employee paperwork to briefing them on processes and people critical to their long-term job role success.
For CISOs who doubt the importance of well-structured and well-executed onboarding processes, the employee engagement and retention rates speak volumes:
- Formal onboarding programs increase the long-term retention of employees by 25% and improve employee performance by 11%.
- 15% of employees who leave an organization for another role cite the lack of an onboarding program as a reason for doing so.
- Employees who participate in a formal onboarding process are 69% more likely to remain three years or more as compared to those who do not go through any onboarding.
- 17% of employees who quit abruptly do so in their first week on the job.
Employees who participate in formal onboarding programs are 69% more likely to remain three years with a company than those who do not.
In addition to improving retention rates, onboarding programs help employees achieve higher rates of productivity. Studies show it takes the average employee 8 to 12 months to achieve full productivity, and a solid onboarding program can help them shrink this window. For cybersecurity professionals, onboarding must take place at the organizational as well as the departmental levels. Simply assuming a new member of the security team understands the broader nuances of the organization does not mean they also have a solid grasp of the cybersecurity team. Cultures vary across organizations, and departmental charters and responsibilities are unique.
Only 12% of employees believe their companies do a great job of onboarding.
CISOs need to look to their HR department for assistance in building onboarding processes for their security staff. And if no onboarding program exists for the organization in general, CISOs need to become vocal advocates for the development and implementation of one. To kick-start the process, CISOs can offer up their cybersecurity organization as a beta group. An important rule of thumb business leaders need to remember when creating onboarding processes is that they should be an extension of recruiting and hiring processes.
Onboarding at Macro and Micro Scales
Onboarding takes place at both macro and micro scales. At the macro level, onboarding brings the new employee up to speed on success factors applicable to working across the hiring organization as a whole. This includes information about:
- Organization mission, vision, and values
- Who’s who within the company
- Organization history
- Business culture
- Accessing resources and benefits
Micro-onboarding narrows the focus to need-to-know information for a specific role and engaging with the new employee’s core team and line manager. In the case of cybersecurity roles, it is important for the CISO to ensure they have a well-documented micro-onboarding process in place. Simply because macro-onboarding occurs at the organizational level does not mean the HR organization has the CISO covered when it comes to role-specific information and processes.
Specifically, new hires for cybersecurity roles should receive briefings designed to build a common baseline understanding of the organization’s cybersecurity posture. This includes understanding what risk tolerance looks like and how that translates into service-level agreements. In the case of the latter, this includes individual departments, what should be reported, in what format, and to whom.
On this note, CISOs must remember that while cybersecurity staff may play very specific roles, it is critical that they understand the context in which they will support the hiring organization. Providing this information signals potential career growth areas and conveys to new staff that they are joining a collaborative team and not signing on as a cog in a tightly controlled machine.
New hires are 3.4x more likely to believe their onboarding experience was exceptional when managers take an active role.
Micro-onboarding topic areas are wide-ranging but should include baseline areas such as:
Architecture and Technologies
- IT infrastructure overview. More than inventory of deployed IT products and services, this should also cover the role of IT in the organization’s value-creation processes and the relationship the cybersecurity team plays in them.
- Cybersecurity technologies and architecture. Every incoming cybersecurity staff member needs a working knowledge of the security technologies and tools that are in place and the security architecture topology that is in place.
Security Strategy and Processes
- Cybersecurity objectives. Based on threat tolerance, a CISO should have a clear definition of an attainable security posture and how success and failure are defined. This includes what is entailed in each particular role and what responsibilities are assigned to each one.
- Cybersecurity risk factors. Based on organizational risk tolerance, the cybersecurity organization should track baseline risk factors that are regularly—preferably in real time—tracked and reported. In this context, each member of the cybersecurity team should know the weakest links when it comes to security and what is being done to mitigate each one.
- Threat environment. Organizations need a consolidated threat-intelligence dashboard that tracks malware, risks associated with each, and current status of patching and updates. Thus, even if a specific cybersecurity role is not part of an organization’s security operations center (SOC), they should have a solid understanding of how it works and access to threat intelligence.
- Compliance mandates. Each organization and industry fall underneath specific industry and government regulations. Most CISOs today have also chosen to embrace one or more cybersecurity frameworks and standards as a means for tracking, measuring, and reporting their security posture.
Security Practices and Procedures
- Cybersecurity team roles, responsibilities, and relationships. Details on how the cybersecurity team is structured, new employee roles, plus lines of communications and responsibility beyond the immediate, in-house cybersecurity team.
- General processes and procedures. Day-to-day security processes, checklists, and dashboards with additional focus on patching, updating, and cyber hygiene.
- Incident response and event management. In the event of a successful intrusion or breach, there should be a codified set of processes in terms of roles and responsibilities. New security hires need to understand not only their role but those of their peers and even cross-functional organizational roles and responsibilities.
- Third-party provider roles and responsibilities. Nearly all CISOs and their IT and network counterparts rely on third-party providers. New hires need to know each of these providers and what technologies and services they deliver as well as what responsibilities they have in the event of an intrusion or breach.
It should go without saying that an onboarding program requires definitive markers and moreover should take place over a period of several months. Organizations that think onboarding is completed after the first week of a new hire are sadly mistaken and setting themselves up for failure. HR organizations and CISOs need to think in terms of 30-, 60-, and 90-day plans and sequences for onboarding.
New hires who strongly agree they have a clear path for professional development are 3.5x more likely to strongly agree that their onboarding process was exceptional.
CISOs must recognize that onboarding plays a critical role not only in getting new security staff up and running—in addition to engaged and productive—but also in managing risk. The risk of not having an onboarding program (macro and micro) in place has much broader implications than whether a CISO can retain top-quality talent. Rather, without the right onboarding processes, CISOs and their respective organizations have a higher security risk, and this applies across the prevention, detection, and response spectrums.
| Red Flags | Description |
|---|---|
| It is an HR thing | Socialization is critical and requires managers and team members |
| Onboarding Program is Too Short | Onboarding should be thought of as a journey rather than as a runway for new hires. It typically takes 12 months for new hires to reach their full potential. |
| Your Onboarding Program Does Not Express Your Culture | New hires want to know if they belong with you. Organizations need to provide immersive experiences that let employees feel their values rather than simply naming them. |
| New Employees See No Future with You | The demographics of today's workforce dictate that organizations demonstrate the value they see in each employee. Managers need to have conversations about employee goals and objectives--both short- and long-term--during the onboarding process. |
| Your Onboarding Program is Unremarkable | Organizations need to focus thei energies--both at the macro and micro levels (which means the SISO is included) -- on designing and executing an onboarding program that makes an impression. Programs need to deliver consistent, creative, and deeply engaging experiences. |
| You Have No Measurements | If there are no onboarding measurements in place, then organizations have no idea if the program is effective or failing. Organizations need to include onboarding data and connect it with the rest of their organization perforamance metrics--and this includes the micro-level onboarding pieces the SISO oversees. |
| Rentention Issues | If new hires are leaving an organization within six months of joining. It is a good sign that there are problems with the onboarding program. Recruiting, hiring, and training new workers is very costly, and such is an indication onboarding training and processes need to be reevaluated. |
Figure 1: Based on research by Ben Wigert and Ryan Pendell, “7 Problems With Your Onboarding Program,” Gallup, March 1, 2019.
For more information on onboarding cybersecurity talent, download the CISO Hiring Guide, “CISO Hiring Guide: Onboarding, Engaging, and Retaining High-Value Security Professionals.”
