When a candidate accepts an offer, the recruitment process has reached its sixth and final phase, as discussed in the CISO Hiring Guide Series, published by The CISO Collective sponsor Fortinet. But those who think their process of recruiting ends when a candidate accepts an offer, they are mistaken. Recruiting is truly about attracting, optimizing job performance, and retaining top-quality candidates. To prepare new cybersecurity employees for success in their roles and to retain them for the long term, CISOs must collaborate with their HR leaders to carefully plan and diligently execute structured onboarding processes that cover everything from basic new employee paperwork to briefing them on processes and people critical to their long-term job role success.
For CISOs who doubt the importance of well-structured and well-executed onboarding processes, the employee engagement and retention rates speak volumes:
Employees who participate in formal onboarding programs are 69% more likely to remain three years with a company than those who do not.
In addition to improving retention rates, onboarding programs help employees achieve higher rates of productivity. Studies show it takes the average employee 8 to 12 months to achieve full productivity, and a solid onboarding program can help them shrink this window. For cybersecurity professionals, onboarding must take place at the organizational as well as the departmental levels. Simply assuming a new member of the security team understands the broader nuances of the organization does not mean they also have a solid grasp of the cybersecurity team. Cultures vary across organizations, and departmental charters and responsibilities are unique.
Only 12% of employees believe their companies do a great job of onboarding.
CISOs need to look to their HR department for assistance in building onboarding processes for their security staff. And if no onboarding program exists for the organization in general, CISOs need to become vocal advocates for the development and implementation of one. To kick-start the process, CISOs can offer up their cybersecurity organization as a beta group. An important rule of thumb business leaders need to remember when creating onboarding processes is that they should be an extension of recruiting and hiring processes.
Onboarding takes place at both macro and micro scales. At the macro level, onboarding brings the new employee up to speed on success factors applicable to working across the hiring organization as a whole. This includes information about:
Micro-onboarding narrows the focus to need-to-know information for a specific role and engaging with the new employee’s core team and line manager. In the case of cybersecurity roles, it is important for the CISO to ensure they have a well-documented micro-onboarding process in place. Simply because macro-onboarding occurs at the organizational level does not mean the HR organization has the CISO covered when it comes to role-specific information and processes.
Specifically, new hires for cybersecurity roles should receive briefings designed to build a common baseline understanding of the organization’s cybersecurity posture. This includes understanding what risk tolerance looks like and how that translates into service-level agreements. In the case of the latter, this includes individual departments, what should be reported, in what format, and to whom.
On this note, CISOs must remember that while cybersecurity staff may play very specific roles, it is critical that they understand the context in which they will support the hiring organization. Providing this information signals potential career growth areas and conveys to new staff that they are joining a collaborative team and not signing on as a cog in a tightly controlled machine.
New hires are 3.4x more likely to believe their onboarding experience was exceptional when managers take an active role.
Micro-onboarding topic areas are wide-ranging but should include baseline areas such as:
It should go without saying that an onboarding program requires definitive markers and moreover should take place over a period of several months. Organizations that think onboarding is completed after the first week of a new hire are sadly mistaken and setting themselves up for failure. HR organizations and CISOs need to think in terms of 30-, 60-, and 90-day plans and sequences for onboarding.
New hires who strongly agree they have a clear path for professional development are 3.5x more likely to strongly agree that their onboarding process was exceptional.
CISOs must recognize that onboarding plays a critical role not only in getting new security staff up and running—in addition to engaged and productive—but also in managing risk. The risk of not having an onboarding program (macro and micro) in place has much broader implications than whether a CISO can retain top-quality talent. Rather, without the right onboarding processes, CISOs and their respective organizations have a higher security risk, and this applies across the prevention, detection, and response spectrums.
|It is an HR thing||Socialization is critical and requires managers and team members|
|Onboarding Program is Too Short||Onboarding should be thought of as a journey rather than as a runway for new hires. It typically takes 12 months for new hires to reach their full potential.|
|Your Onboarding Program Does Not Express Your Culture||New hires want to know if they belong with you. Organizations need to provide immersive experiences that let employees feel their values rather than simply naming them.|
|New Employees See No Future with You||The demographics of today's workforce dictate that organizations demonstrate the value they see in each employee. Managers need to have conversations about employee goals and objectives--both short- and long-term--during the onboarding process.|
|Your Onboarding Program is Unremarkable||Organizations need to focus thei energies--both at the macro and micro levels (which means the SISO is included) -- on designing and executing an onboarding program that makes an impression. Programs need to deliver consistent, creative, and deeply engaging experiences.|
|You Have No Measurements||If there are no onboarding measurements in place, then organizations have no idea if the program is effective or failing. Organizations need to include onboarding data and connect it with the rest of their organization perforamance metrics--and this includes the micro-level onboarding pieces the SISO oversees.|
|Rentention Issues||If new hires are leaving an organization within six months of joining. It is a good sign that there are problems with the onboarding program. Recruiting, hiring, and training new workers is very costly, and such is an indication onboarding training and processes need to be reevaluated.|
Figure 1: Based on research by Ben Wigert and Ryan Pendell, “7 Problems With Your Onboarding Program,” Gallup, March 1, 2019.
For more information on onboarding cybersecurity talent, download the CISO Hiring Guide, “CISO Hiring Guide: Onboarding, Engaging, and Retaining High-Value Security Professionals.”