Kushner also says the poor economy has given many organizations the false impression that they can get talent for lower salaries.
"I'm not going to be as bold as to say there is no unemployment among security professionals, but there is negative unemployment for highly skilled security professionals. When people are starting to add to their team, they have this nirvana, Shangri-la profile they want to recruit for. It's kind of like having champagne tastes and beer budgets. You get what you pay for."
In other words, make sure you're paying your current talent, and any future talent, what they are worth -- or someone else will.
Provide training and education
"Training and education must be a continuous process for all security staff," according to Hord Tipton, executive director of information security education and certification firm ISC2. "Technology is changing so rapidly -- no one can keep up with everything that is changing and evolving. To a degree, a well-rounded security program must have specialization. Although organizations need people who understand the entire security process, they also need people who are specialized and totally up-to-date in the many areas that must be well understood before security can be implemented."
Offering your security team the chance to take professional development and education courses keeps them feeling refreshed and challenged. And it obviously benefits the organization, too. Well-rounded security professionals look forward to the opportunity to further hone their skills. If an organization neglects their need for frequent training, they will go elsewhere, says Tipton.
"For example, the amount of technologies that have emerged in the last year surrounding cloud-based applications, social media, virtual servers, and mobile devices has been overwhelming," says Tipton. "We must continually develop technical training that is specific to the jobs performed and matched to continuing professional education [CPE] requirements. Obtaining quality CPE [courses] is more important now than ever."
Offer opportunities for growth
Sure, everyone wants a raise and a promotion after proving themselves on the job, but that's not always easy, or even possible, says Zeltser. Organizational and financial constraints often put the brakes on desired title changes.
Instead, offering a security team member the chance to work with new technologies, or be exposed to new challenges, can provide a different kind of career growth that can also be satisfying and fulfilling, says Zeltser. It's really up to the individual to decide if they want to take on more responsibility without an actual promotion, but many will want to do it for the challenge.
"You might have a person who started as an entry-level help desk technician, became really good at trouble-shooting desktop-related problems, started dealing with malware in sections, and then gradually became interested in malware analysis and incident response."
Sign up for CIO Asia eNewsletters.