One year ago, a Texas A&M educator predicted a trend that now taxes nearly every third party risk management program, whether they know it or not. “The great resignation is coming,” Texas A&M Associate Professor of Management Anthony Klotz warned Bloomberg BusinessWeek last May. “When there’s uncertainty, people tend to stay put, so there are pent-up resignations that didn’t happen over the past year.”
Since then, the exit flood gates have opened across nearly every industry and in most areas of the organization, including IT, cybersecurity, internal audit, and risk management groups. These departures have forced many teams to reconfigure job roles and responsibilities.
During a recent meeting of the Forbes Technology Council he serves on, Shared Assessments Vice President Tom Garrubba learned from technology and human resources experts that recruiters are offering salary increases of 50-70% to lure IT experts away from their current employers. Many organizations are handing their tech professionals double-digit salary increases to try to keep them in the fold.
How has the Great Resignation affected Risk Management?
Third party risk management (TPRM) teams face the twofold challenge of recruiting and retaining sufficient staff in a tight-as-drum labor market while responding to new risks that can arise due to staffing shortages among key vendors. Addressing both issues requires an understanding of the magnitude and nature of the talent crunch along with a consideration of actions that can reduce the negative impacts of skills shortages.
Cybersecurity teams have been especially hard hit: 94% of security teams have been affected by the labor shortage, and 84% of those groups have lost at least one member of their team in the past six months, according to Cobalt’s State of Pentesting 2022 survey report. The results also suggest that talent management challenges have troubling implications on security programs:
- 79% of security teams struggle to consistently monitor for vulnerabilities;
- 69% struggle to monitor for, and respond to, security incidents; and
- 66% struggle to maintain high-quality security standards.
Skills shortages in cybersecurity teams, development teams, and related IT and risk management groups also have knock-on effects. When technology and risk professionals are lured to another organization, their former colleagues often take on additional responsibilities until a replacement can be hired and onboarded. Nine out of 10 of the more than 600 security and development professionals surveyed by Cobalt report that they are having difficulty fulfilling their assigned responsibilities and work due to resource shortages. Combine this struggle with the burden of keeping pace with ever-changing security threats, and it’s no surprise that burnout is a major risk.
“Leadership should take a hard look at what is causing burnout and disillusionment, take stock of their go-to-market priorities versus their teams’ capacity, and consider the daily interactions they have with their colleagues,” the Cobalt report concludes.
Steps Risk Management leaders can take to address talent shortages
“Leadership should take a hard look at what is causing burnout and disillusionment, take stock of their go-to-market priorities versus their teams’ capacity, and consider the daily interactions they have with their colleagues,” the Cobalt report concludes.
There are other actions and approaches that can help TPRM leaders address talent shortages in their domains, including:
- Developing bench strength: “Companies should consider managing security talent much like the way a sports team is managed,” Garrubba recently told ClearanceJobs in an article on cybersecurity workforce burnout risks. “…You need to have depth and balance on your security bench along with the right amount of members to play the game effectively. Employing such a methodology can greatly decrease the burnout rate amongst cybersecurity professionals and allow them to focus on the particular item(s) they’re best at.”
- Looking beyond traditional labor pools: Garrubba’s work with the Forbes Technology Council indicates that rates of unemployment vary significantly across different demographic groups. Enhancing recruiting efforts in talent segments with higher levels of unemployment can produce higher numbers of candidates. Haystack Solutions CEO Doug Britton tells ClearanceJobs that he advocates “looking at populations that aren’t the typical recruiting hot spots” by focusing more on the underlying cognitive abilities that correlate with success in cybersecurity roles.
- Redesigning business processes: The last thing that under-staffed and over-taxed cybersecurity and TPRM teams want to deal with is inefficiency. “If an organization is being attacked, security pros do not have the time or luxury to do effective analysis and countermeasures if there is a burdensome amount of administrative overhead that needs to first take place,” Shared Assessments Senior Advisor Nasser Fattah tells ClearanceJobs. Managers and leaders should seize opportunities to streamline processes in a risk-intelligent way, based on input from their top performers.
- Leverage technology for efficiency improvements: Technology tools can help time-pressed technology and risk teams do more with less. “Technology can be a friend with the automation of timely detection of anomalies and proactive countermeasures to secure the environment, and/or provide relevant information for a security pro to conduct further investigation,” says Fattah. He points to security orchestration and automation response (SOAR) solutions as a tool “that can greatly assist security professionals with performing triage and upfront analysis, as well as helping them to take appropriate countermeasures, permitting security professionals to focus on more complicated security risks.”
The availability of advanced technologies also can deliver recruiting and retention advantages, given that high-performing technology, security, and risk professionals are hungry to expand their skills to advance their careers. While the talent crunch is likely to linger, risk managers don’t need to resign themselves to the trend’s negative implications.
