The 18 Months and Out Theory – 10 Things I Hate About Cybersecurity: A Love Story

Cyber threats are real

Subscribe newsletter

Hi! I am Nick Gipson, the Director of Cyber Operations here at Pareto Cyber. This is Part 8 of my 10-Part series on “10 Things I Hate About Cybersecurity: A Love Story” where I dissect the problems within this industry and my personal encounters with them. You can find the other parts of this series here.

The Issue

In cybersecurity, there’s a known trend: most analysts only stay in one position for up to 18 months.

When the whole industry is struggling to find and retain qualified professionals, this 18 month expiration date is bad news. Finding talent is expensive, onboarding them takes time, and losing them so quickly is simply a waste of company resources.

I think that there are two reasons why people change jobs so often:

  1. No opportunity for growth. In most companies analysts can only progress and be promoted if they enter a leadership role. But management is not what many talented analysts like and wish to be doing.
  2. Boredom. Doing the same things over and over again is not particularly intellectually stimulating. Good analysts are good because they love cybersecurity and constantly challenge themselves to improve. If you aren’t providing them with the space to do so, you’re practically begging for them to transfer out.

Why It Matters

For any business it’s always cheaper to keep current employees rather than hire new ones.

Additionally, in cybersecurity specifically, the longer an analyst has been on the job, the better service they can provide to clients. Over time, analysts can learn the ins and out of client systems and processes. This way, they can detect threats and remediate against them more and more efficiently.

Yet most organizations in our field are failing to keep people around.

I understand the impulse to bounce from one position to another – in fact, I did exactly that for most of my career.

I first started as a low-level analyst at a startup which asked me to physically build out their security center, assembling chairs and servers. After that, I worked at a managed security services provider (MSSP) but a culture change in the company had me looking elsewhere. Then, I moved to an advertisement agency, who also asked me to build out a security operations center. 

My most recent position before Pareto was for the US military. I worked on a variety of Department of Defense (DoD) contracts and building out relevant security teams for the government. 

Pareto Cyber is the first company at which I beat the deadly 18 month mark. I have now been here for two years, and I do not see myself leaving anytime soon.

What Can We Do?

At Pareto, we address the issues with job satisfaction head on.

First, we set up specific promotion paths based on skills, rather than just assuming that everyone should be promoted into a management position. Our employees can get a raise just by developing their skills in a way that interests them.

Second, we provide our employees with the opportunity to learn exactly what they want to. Within cybersecurity, there are many varieties of skills that our analysts can pick up. Our analysts have decided to specialize in sub-field such as: 

  • Digital forensics
  • Engineering
  • Development (Coding)
  • Project Management
  • Leadership

Because we help our analysts pursue their passions…. They are never bored. And since they aren’t bored, they are constantly learning and pushing themselves to deliver a better service to our clients.

We treat our analysts with respect, and they tend to respect us back.